From owner-freebsd-questions Tue Aug 7 18: 1:11 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from nyc.rr.com (nycsmtp2fb.rdc-nyc.rr.com [24.29.99.78]) by hub.freebsd.org (Postfix) with ESMTP id 2EEEC37B40B for ; Tue, 7 Aug 2001 18:01:01 -0700 (PDT) (envelope-from jslivko@blinx.net)
Received: from equinox ([24.168.44.136]) by nyc.rr.com with Microsoft SMTPSVC(5.5.1877.357.35); Tue, 7 Aug 2001 21:00:59 -0400
From: "Jonathan M. Slivko"
To: "'Jim Freeze'" ,
Subject: RE: Why is my network so busy?
Date: Tue, 7 Aug 2001 21:01:28 -0400
Message-ID: <000601c11fa5$a7d0d2f0$8701a8c0@equinox>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Probably Code Red flowing through your network to find vulnerable machines to hack. Same thing is happening here on my Road Runner account.

-- Jonathan

--
Jonathan M. Slivko
Blinx Networks, Inc.
http://www.blinx.net

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Jim Freeze
Sent: Tuesday, August 07, 2001 7:29 PM
To: questions@freebsd.org
Subject: Why is my network so busy?

Hi:

I noticed that the lights on my cable modem are flashing constantly, like my network is very busy. My FBSD box acts as a firewall and a gateway. Nothing is connected to the LAN but a single, inactive PC. I'm afraid I don't know much about networks or how to debug tcpdump, but I would appreciate it if someone could glance over the following snippet and tell me if there is anything I need to be concerned about.

Thanks

tcpdump
19:25:59.974705 eeyore1.1692 > vdgh1.mia.xpc-mii.net.http: . ack 1 win 17520 (DF)
19:25:59.976092 eeyore1.1692 > vdgh1.mia.xpc-mii.net.http: P 1:370(369) ack 1 win 17520 (DF)
19:26:00.046297 vdgh1.mia.xpc-mii.net.http > eeyore1.1692: . ack 370 win 64240 (DF)
19:26:00.046794 vdgh1.mia.xpc-mii.net.http > eeyore1.1692: P 1:48(47) ack 370 win 64240 (DF)
19:26:00.047213 vdgh1.mia.xpc-mii.net.http > eeyore1.1692: P 48:87(39) ack 370 win 64240 (DF)
19:26:00.060552 eeyore1.1692 > vdgh1.mia.xpc-mii.net.http: F 370:370(0) ack 87 win 17520 (DF)
19:26:00.075043 arp who-has 65.8.166.182 tell 65.8.166.1
19:26:00.081904 arp who-has 65.8.166.75 tell 65.8.166.1
19:26:00.084998 arp who-has 65.8.166.12 tell 65.8.166.1
19:26:00.123547 vdgh1.mia.xpc-mii.net.http > eeyore1.1692: . ack 371 win 64240 (DF)
19:26:00.123994 vdgh1.mia.xpc-mii.net.http > eeyore1.1692: F 87:87(0) ack 371 win 64240 (DF)
19:26:00.124141 eeyore1.1692 > vdgh1.mia.xpc-mii.net.http: . ack 88 win 17520 (DF)
19:26:00.127217 arp who-has ci845718-h.lxintn1.ky.home.com tell 24.14.41.1
19:26:00.127786 arp who-has 65.8.166.109 tell 65.8.166.1
19:26:00.135566 arp who-has 24.178.230.210 tell 24.178.230.1
19:26:00.151353 eeyore1.3775 > dns1.domain: 42860+ (45)
19:26:00.286186 dns1.domain > eeyore1.3775: 42860 NXDomain* 0/1/0 (129)
19:26:00.291819 eeyore1.3776 > dns1.domain: 42861+ (42)
19:26:00.396765 arp who-has 65.8.166.105 tell 65.8.166.1
19:26:00.456239 arp who-has 24.178.230.144 tell 24.178.230.1
19:26:00.569802 dns1.domain > eeyore1.3776: 42861 NXDomain* 0/1/0 (124)
19:26:00.582390 eeyore1.3777 > dns1.domain: 42862+ (43)
19:26:00.610029 arp who-has 24.178.230.102 tell 24.178.230.1
19:26:00.627598 arp who-has 24.178.230.211 tell 24.178.230.1
19:26:00.681116 dns1.domain > eeyore1.3777: 42862* 1/2/2 (183)
19:26:00.688916 eeyore1.3778 > dns1.domain: 42863+ (43)
19:26:00.785364 dns1.domain > eeyore1.3778: 42863 NXDomain* 0/1/0 (125)
19:26:00.791320 eeyore1.3779 > dns1.domain: 42864+ (43)
19:26:00.794975 arp who-has ct28536-a.lxintn1.ky.home.com tell 24.14.41.1
19:26:00.818941 arp who-has 65.8.166.36 tell 65.8.166.1
19:26:00.898762 dns1.domain > eeyore1.3779: 42864* 1/2/2 (183)
19:26:00.902201 eeyore1.3780 > dns1.domain: 42865+ (42)

eeyore1 is my machine.

The first few lines of netstat return:

netstat
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address         (state)
tcp        0      0  eeyore1.1890           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1889           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1888           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1887           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1886           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1885           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1884           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1883           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1882           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1881           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1880           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1879           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1878           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1877           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1875           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1874           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1873           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1872           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1871           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1870           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1869           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1868           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1867           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1866           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1865           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1864           vdgh1.mia.xpc-mi.http   TIME_WAIT
tcp        0      0  eeyore1.1810           64.14.52.217.http       CLOSE_WAIT
tcp        0      0  eeyore1.http           c22680-a.roalok1.3588   ESTABLISHED
tcp        0      0  eeyore1.982            bell.ssh                ESTABLISHED
tcp        0      0  eeyore1.49155          *.*                     LISTEN
tcp        0      0  eeyore1.http           *.*                     LISTEN
udp        0      0  eeyore.netbios-dgm     *.*

I don't know what this vdgh1 is.

=========================================================
Jim Freeze                                 jim@freeze.org
---------------------------------------------------------
No comment at this time.            http://www.freeze.org
=========================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
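Jim's question is really "which of these lines should worry me?", and a defender answers it by sorting the capture into buckets: ARP who-has requests (here all asked by the .1 gateway addresses, i.e. upstream routers resolving hosts on their own segments, which a firewall neither causes nor can stop), DNS lookups, the host's own outbound sessions (eeyore1's high ports talking to vdgh1's http port, which is something on eeyore1 initiating the connection), and inbound connection attempts at a local listener such as the http port netstat shows in LISTEN, which is what a worm probe looks like from the receiving end. The script below is an added example, not code from the thread or from FreeBSD. It parses the old tcpdump 3.x line format Jim posted; its sample input is a constructed subset of his lines plus two constructed inbound SYN lines from 203.0.113.7 (a documentation-only address) that are not in the original capture.

```python
"""Summarize an old-style tcpdump capture (tcpdump 3.x line format with resolved
names, as in the thread) so background noise can be told apart from traffic that
matters: ARP from the cable segment, the host's own outbound sessions, and
inbound connection attempts at a local listener."""
import re
from collections import Counter

# Constructed sample: a subset of the lines Jim posted, plus two CONSTRUCTED lines
# (source 203.0.113.7, a documentation-only address) showing what an inbound
# connection attempt to eeyore1's web port would look like. eeyore1 is the local host.
SAMPLE = """\
19:25:59.974705 eeyore1.1692 > vdgh1.mia.xpc-mii.net.http: . ack 1 win 17520 (DF)
19:25:59.976092 eeyore1.1692 > vdgh1.mia.xpc-mii.net.http: P 1:370(369) ack 1 win 17520 (DF)
19:26:00.046297 vdgh1.mia.xpc-mii.net.http > eeyore1.1692: . ack 370 win 64240 (DF)
19:26:00.046794 vdgh1.mia.xpc-mii.net.http > eeyore1.1692: P 1:48(47) ack 370 win 64240 (DF)
19:26:00.060552 eeyore1.1692 > vdgh1.mia.xpc-mii.net.http: F 370:370(0) ack 87 win 17520 (DF)
19:26:00.075043 arp who-has 65.8.166.182 tell 65.8.166.1
19:26:00.081904 arp who-has 65.8.166.75 tell 65.8.166.1
19:26:00.127217 arp who-has ci845718-h.lxintn1.ky.home.com tell 24.14.41.1
19:26:00.135566 arp who-has 24.178.230.210 tell 24.178.230.1
19:26:00.151353 eeyore1.3775 > dns1.domain: 42860+ (45)
19:26:00.286186 dns1.domain > eeyore1.3775: 42860 NXDomain* 0/1/0 (129)
19:26:00.582390 eeyore1.3777 > dns1.domain: 42862+ (43)
19:26:00.681116 dns1.domain > eeyore1.3777: 42862* 1/2/2 (183)
19:26:01.000000 203.0.113.7.4021 > eeyore1.http: S 1000:1000(0) win 8192 (DF)
19:26:01.500000 203.0.113.7.4022 > eeyore1.http: S 2000:2000(0) win 8192 (DF)
"""

ARP_RE = re.compile(r"^\S+ arp who-has (\S+) tell (\S+)$")
PKT_RE = re.compile(r"^\S+ (\S+) > (\S+): (.*)$")


def split_endpoint(endpoint):
    """'vdgh1.mia.xpc-mii.net.http' -> ('vdgh1.mia.xpc-mii.net', 'http')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Classify one capture line as arp, dns, tcp or other."""
    m = ARP_RE.match(line)
    if m:
        return {"kind": "arp", "target": m.group(1), "asker": m.group(2)}
    m = PKT_RE.match(line)
    if not m:
        return {"kind": "other", "raw": line}
    src, sport = split_endpoint(m.group(1))
    dst, dport = split_endpoint(m.group(2))
    detail = m.group(3)
    if "domain" in (sport, dport):
        # Old tcpdump prints queries as 'id+ (len)' and answers as 'id ...'.
        return {"kind": "dns", "src": src, "dst": dst,
                "query": dport == "domain", "nxdomain": "NXDomain" in detail}
    flags = detail.split()[0]          # '.', 'P', 'F', 'S', 'R' ...
    return {"kind": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            # A SYN without an ack is a new connection attempt, not the reply to one.
            "syn": "S" in flags and " ack " not in detail}


def summarize(text, local_host):
    """Count who is ARPing, how many lookups fail, which TCP pairs carry packets,
    and where new connections are being opened relative to local_host."""
    s = {"arp_by_asker": Counter(), "dns_queries": 0, "dns_nxdomain": 0,
         "tcp_packets": Counter(), "inbound_syn": Counter(),
         "outbound_syn": Counter(), "unparsed": 0}
    for line in filter(None, map(str.strip, text.splitlines())):
        p = parse_line(line)
        if p["kind"] == "arp":
            s["arp_by_asker"][p["asker"]] += 1
        elif p["kind"] == "dns":
            s["dns_queries"] += int(p["query"])
            s["dns_nxdomain"] += int(p["nxdomain"])
        elif p["kind"] == "tcp":
            s["tcp_packets"][(p["src"], p["dst"], p["dport"])] += 1
            if p["syn"] and p["dst"] == local_host:
                s["inbound_syn"][(p["src"], p["dport"])] += 1
            elif p["syn"] and p["src"] == local_host:
                s["outbound_syn"][(p["dst"], p["dport"])] += 1
        else:
            s["unparsed"] += 1
    return s


def report(s):
    """Render the summary as plain lines, inbound attempts first."""
    lines = []
    for (src, port), n in s["inbound_syn"].most_common():
        lines.append(f"INBOUND  {n} connection attempt(s) from {src} to local port {port}")
    for (dst, port), n in s["outbound_syn"].most_common():
        lines.append(f"OUTBOUND {n} connection(s) opened to {dst} port {port}")
    for asker, n in s["arp_by_asker"].most_common():
        lines.append(f"ARP      {n} who-has request(s) asked by {asker}")
    lines.append(f"DNS      {s['dns_queries']} queries, {s['dns_nxdomain']} NXDomain")
    for (src, dst, port), n in s["tcp_packets"].most_common():
        lines.append(f"TCP      {n} packet(s) {src} -> {dst}.{port}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE, "eeyore1"))))
```

Two practical notes. First, capture with `tcpdump -n` when doing this for real: without `-n`, tcpdump resolves every address it prints, and those reverse lookups show up in the capture as extra DNS traffic of its own. Second, the TCP bucket that deserves attention on a gateway is the INBOUND line (new connections arriving at a port netstat lists as LISTEN), not the sessions the host opened itself; the latter are explained by looking at which local process owns the high port, and the ARP bucket is the ISP's routers doing their job on the shared segment.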