Date: Sun, 20 Dec 2009 17:31:41 -0500
From: David Horn <dhorn2000@gmail.com>
To: DAve <dave.list@pixelhammer.com>
Cc: User Questions <freebsd-questions@freebsd.org>
Subject: Re: Source of closed port RST responses
Message-ID: <25ff90d60912201431p1e4e84fbhc1882dacdc6a1944@mail.gmail.com>
In-Reply-To: <4B2E7CEA.1020502@pixelhammer.com>
References: <4B2E7CEA.1020502@pixelhammer.com>
On Sun, Dec 20, 2009 at 2:37 PM, DAve <dave.list@pixelhammer.com> wrote:
> I am routinely seeing these entries in one of my servers' logs.
>
> Limiting closed port RST response from 373 to 200 packets/sec
>
> The server sits behind a PIX firewall, so I am suspicious of what is
> trying to connect to a closed port. I don't see in any other logs what
> port is being hit, or what IP is causing these log entries.
>
> Any way to tell what the source IP of these is?
>

Try using tcpdump. You can redirect the decoded output to a log file as well. Make sure to replace "em0" in my example with the appropriate interface name. If the server is very busy, try just running it for a short period of time to make sure that it does not interrupt operations, then leave it running for whatever time period you want to monitor if all goes well.

tcpdump -np -i em0 'tcp[13] & 4 != 0'

The 'tcp[13] & 4 != 0' will cause the filter to only capture packets with the tcp flag RST set. man tcpdump or google for more examples of filters.

Good Luck.

---Dave Horn
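The RSTs the kernel is rate-limiting are sent by the server itself, so in the capture above the host that triggered them appears as the *destination* of the outgoing RST, and the probed port is the server-side port. As an added example that is not part of this thread, the following Python script tallies exactly that from the decoded tcpdump text; it assumes the `Flags [R.]` line format of recent tcpdump versions and uses a constructed sample capture in place of real output.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output (not a real capture); addresses
# and the exact line layout of a given tcpdump version may differ.
SAMPLE = """\
17:31:41.000001 IP 192.0.2.10.22 > 198.51.100.7.44123: Flags [R.], seq 0, ack 1, win 0, length 0
17:31:41.000200 IP 192.0.2.10.23 > 198.51.100.7.44124: Flags [R.], seq 0, ack 1, win 0, length 0
17:31:41.000400 IP 192.0.2.10.80 > 203.0.113.9.51000: Flags [S.], seq 1, ack 1, win 65535, length 0
17:31:41.000600 IP 192.0.2.10.8080 > 198.51.100.7.44125: Flags [R.], seq 0, ack 1, win 0, length 0
17:31:41.000800 IP 203.0.113.9.51000 > 192.0.2.10.80: Flags [R], seq 1, win 0, length 0
"""

# Matches "IP src.sport > dst.dport: Flags [..]" in decoded tcpdump lines.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_rst_lines(text):
    """Yield (src, sport, dst, dport) for every line whose TCP flags include R."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and "R" in m.group("flags"):
            yield m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport"))


def tally_closed_port_rsts(text, local_ip):
    """For RSTs *sent by* local_ip, count which remote hosts received them and
    which local ports they had probed.  RSTs originated by remote hosts are
    skipped, since those are not the ones the kernel message is about."""
    peers = Counter()
    ports = Counter()
    for src, sport, dst, _dport in parse_rst_lines(text):
        if src == local_ip:
            peers[dst] += 1
            ports[sport] += 1
    return peers, ports


if __name__ == "__main__":
    # "192.0.2.10" stands in for the server's own address (assumption).
    peers, ports = tally_closed_port_rsts(SAMPLE, "192.0.2.10")
    for host, n in peers.most_common():
        print(f"{host}: {n} RSTs sent to it")
    print("local ports probed:", dict(ports))
```

On a live system, pipe the tcpdump command's output to a file and pass its contents in place of SAMPLE; hosts near the top of the tally are the ones worth checking against the PIX logs.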