From: "William A. Mahaffey III"
Date: Wed, 08 Oct 2014 09:55:18 -0500
Subject: Re: oddball syslog entries ....
Message-ID: <54355056.2080509@hiwaay.net>
References: <5434A8F7.1090507@hiwaay.net> <5434AC3A.40707@hiwaay.net> <54353D4C.7080403@hiwaay.net>
Cc: FreeBSD Questions

On 10/08/14 09:15, Kurt Buff wrote:
> On Wed, Oct 8, 2014 at 6:34 AM, William A. Mahaffey III wrote:
>> On 10/07/14 23:11, Kurt Buff wrote:
>>> edited the message for clarity...
>>>
>>> On Tue, Oct 7, 2014 at 8:15 PM, William A. Mahaffey III wrote:
>>>> On 10/07/14 22:01, Kurt Buff wrote:
>>>>> On Tue, Oct 7, 2014 at 8:01 PM, William A. Mahaffey III wrote:
>>>>>>
>>>>>> Over the last couple of days I am seeing some odd (to me) entries in my
>>>>>> messages file:
>>>>>>
>>>>>> Oct 7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295
>>>>>> to 200 packets/sec
>>>>>> Oct 7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324
>>>>>> to 200 packets/sec
>>>>>>
>>>>>> The stuff from Oct 2 is irrelevant, included for completeness/context.
>>>>>> The lines about 'Limiting closed port ....' are puzzling to me. Where are
>>>>>> they coming from ? Problem or chatter ? Enquiring minds wanna know ;-) ....
>>>>>> TIA for any clues ....
>>>>>>
>>>>> AFAICT, someone is banging on your machine.
>>>>>
>>>>> What's your network environment look like? Are you directly connected
>>>>> to the Internet, on a corporate network, or is this a home machine
>>>>> behind a router/firewall?
>>>>>
>>>>> Kurt
>>>>>
>>>> SOHO, behind a 2-bit firewall device. I used to have an IPCop box, but it
>>>> croaked a while back. I have a fair amount of firewalling active on this
>>>> box, derived from the stock ipfw file, w/ a few mods for NFS, & that's
>>>> it. I am seeing nothing on other boxen on my LAN, FWIW .... Suggested
>>>> course of action ?
>>> I'd approach this with tcpdump, and wireshark.
>>>
>>> Assuming you have only one NIC (em0) on this machine, I'd set up
>>> something like this as root in a separate terminal/ssh session:
>>>
>>> tcpdump -npi em0 -C 1 -w /root/dumps/banger.pcap -W 100
>>>
>>> This sets up a ring buffer where you'll get a maximum of 100 files of
>>> 1,000,000 bytes each.
>>>
>>> Then, when you note those odd messages again, you'll be able to stop
>>> the capture and correlate the time stamps of the messages and the
>>> tcpdump capture files. Examining the capture files with wireshark
>>> should make offending address(es) and/or port(s) stand out like a sore
>>> thumb.
>>>
>>> Kurt
>>>
>> Hmmmmm .... OK. I had neither wireshark nor tcpdump installed, so I did a pkg
>> install as such, which begat another problem:
>>
>> i.e. either wireshark or tcpdump (or 1 of their dependencies) required linux
>> compatibility packages. Unfortunately it installed linux-f10 (which I have
>> manually deleted a couple of times now) & deleted linux-c6, the newer &
>> preferred (AFAIK) packages :-/. I have posted on this problem earlier & was
>> informed that FBSD is right mid-stroke on transitioning from linux-f10 to
>> linux-c6 pkgs. I guess the wireshark and/or tcpdump maintainers need to be
>> advised to switch to linux-c6 instead of linux-f10 for whatever
>> compatibility is required. If I manually delete the linux-f10 stuff &
>> reinstall the linux-c6 stuff, do you think wireshark/tcpdump will notice the
>> difference ? I will probably do that anyway & try it, but I would like any
>> advice or wisdom on that matter. Thx & I am off to experiment ....
>
> No particular advice, except that tcpdump is native - no need to install that.
>
> However, Wireshark is so invaluable to me that I'd rather have that
> than most other software - but that's just my preference as a sysadmin
> using FreeBSD as an adjunct on the job where Windows predominates.
>
> OTOH, once you have the packet captures provided by tcpdump, they can
> be moved/copied to another machine for analysis, if you happen to have
> one. I often do this so that my FreeBSD machines can be freed to do
> their normal monitoring tasks.
>
> Kurt
>

tcpdump was not installed by default (this is a desktop box, not a server, maybe the diff) .... In any event, I redressed the linux-f10/linux-c6 situation & so far, no issues .... yippee :-) !!!!

-- 
William A. Mahaffey III

----------------------------------------------------------------------

"The M1 Garand is without doubt the finest implement of war ever devised by man."
-- Gen. George S. Patton Jr.
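Added example, not from the thread or from any FreeBSD tool: the correlation step Kurt describes, done with awk over constructed syslog lines (the hostname kabini1 is the poster's) and constructed `tcpdump -nr` text output using RFC 5737 documentation addresses. The 200 packets/sec ceiling in those kernel messages is the net.inet.icmp.icmplim sysctl, whose FreeBSD default is 200.

```shell
#!/bin/sh
# Added example, not from the thread: Kurt's correlation step done with awk over
# constructed data. In use, feed /var/log/messages and `tcpdump -nr <ringfile>`.

# Constructed syslog lines in the format quoted above. The 200 packets/sec
# ceiling is the net.inet.icmp.icmplim sysctl (FreeBSD default 200).
SYSLOG_SAMPLE='Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
Oct  7 15:03:30 kabini1 sshd[812]: Accepted publickey for wam from 192.0.2.20 port 50122 ssh2'

# Constructed `tcpdump -nr` text output; 203.0.113.7 and 198.51.100.4 stand in
# for the scanners, 192.0.2.10 for the scanned host (RFC 5737 addresses).
PCAP_TEXT_SAMPLE='15:03:21.900001 IP 203.0.113.7.40001 > 192.0.2.10.23: Flags [S], seq 1, win 1024, length 0
15:03:21.900002 IP 192.0.2.10.23 > 203.0.113.7.40001: Flags [R.], seq 0, ack 2, win 0, length 0
15:03:21.900201 IP 203.0.113.7.40002 > 192.0.2.10.135: Flags [S], seq 1, win 1024, length 0
15:03:21.900202 IP 192.0.2.10.135 > 203.0.113.7.40002: Flags [R.], seq 0, ack 2, win 0, length 0
15:03:21.900401 IP 203.0.113.7.40003 > 192.0.2.10.445: Flags [S], seq 1, win 1024, length 0
15:03:21.900402 IP 192.0.2.10.445 > 203.0.113.7.40003: Flags [R.], seq 0, ack 2, win 0, length 0
15:03:22.100001 IP 198.51.100.4.51000 > 192.0.2.10.22: Flags [S], seq 7, win 65535, length 0
15:03:22.100002 IP 192.0.2.10.22 > 198.51.100.4.51000: Flags [S.], seq 9, ack 8, win 65535, length 0'

# First/last rate-limit event time and the peak rate ("15:03:22 15:03:24 324").
# Match that window against the ring-buffer files' mtimes (ls -lT /root/dumps)
# to pick which capture files to open in Wireshark.
rst_event_window() {
    printf '%s\n' "$SYSLOG_SAMPLE" | awk '
        /kernel: Limiting closed port RST response/ {
            if (first == "") first = $3
            last = $3
            if ($12 + 0 > peak) peak = $12 + 0
        }
        END { print first, last, peak }'
}

# SYN count per source from the text dump, busiest first. Only bare SYNs
# (Flags [S]) count, so the host's own RST and SYN/ACK replies are ignored.
syn_sources() {
    printf '%s\n' "$PCAP_TEXT_SAMPLE" | awk '
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # drop the source port, keep the address
            n[src]++
        }
        END { for (s in n) print n[s], s }' | sort -rn
}

rst_event_window; syn_sources
```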