DumpZ
I was wondering if you could sniff all the connections made by a foreign host, because last the on which I'm hosting a website was DDoSed for an unknown reason (to me), and the hoster does have the IP of the attacking host, but I want to trace the ircd on which the bot is, and where I suspect there are a lot more drones, and more importantly the owner of that particular bot/botnet.

withdraw
If you are being DoSed you won't be able to discover where the bot network is located right off the bat; you will only be able to see where each of the individual attacks is coming from. Unless you can contact the real owner of one of the compromised boxes and get him/her to comply with you, it will be difficult to find where the bot network is. With that said, I can think of two solutions:

1) Install a sniffer on the web server.
* Chances are that your host will not let you install a sniffer on the server yourself. You can ask the administrator to monitor the traffic because you are being attacked (best bet).

2) Sniff through a Cisco router using a GRE tunnel.
* This is probably the hardest and most complex solution to your problem. It is very doubtful that your provider will even consider doing this.

If it becomes an ongoing problem you should report it to the proper authorities.
DumpZ
Well, the system administrator of my host does have the IPs of the attacking hosts, so that's not my problem, and trying to get hold of the owner is pretty difficult without notifying his/her ISP, and since I do not think that the real owner has any knowledge of the DDoS, I don't wanna get him/her in trouble.

But if I understand correctly I can't sniff outgoing traffic. I don't need to know what gets transmitted, only where to, and which ports.
FiNaLBeTa
Sniffing the traffic when you are under a DDoS will likely make the attack way more effective, since sniffers tend to take up a lot of CPU when a lot of traffic passes through them.
What I suggest is illegal, so don't do it, cough.
Botnets usually are created with one or two exploits; mostly the drones are not well secured, so you can take over the drone. Once you are in, it's not hard to find the rest.
SyS49152
QUOTE(FiNaLBeTa @ Feb 21 2005, 02:14 PM)
Sniffing the traffic when you are under a DDoS will likely make the attack way more effective, since sniffers tend to take up a lot of CPU when a lot of traffic passes through them.
What I suggest is illegal, so don't do it, cough.
Botnets usually are created with one or two exploits; mostly the drones are not well secured, so you can take over the drone. Once you are in, it's not hard to find the rest.

Well, this is the best advice, you are right.
Being drones, they must be not secured...
But it's not legal, I don't suggest you do it...
But if you really think of doing it, it's better, I think, from the legal point of view that after you get the IP of the attacker, you also get the e-mail of the real owner of the drone and send him an e-mail telling him that you are under DoS from him...
This will help from a legal point of view...

myth
Sorry to not offer helpful advice, but I'd seriously love to hear/see any reconnaissance information (port scans, fingerprints, assumptions, etc.) that you get from your logs...

I'd be happy to attack a heap of logs if need be.
DumpZ
Well, if I take over a drone and place a txt file on that comp which says that that particular system was hacked and used for DDoSing other hosts, is it still illegal then?
