From owner-freebsd-questions@FreeBSD.ORG Sun Dec 20 22:31:43 2009
From: David Horn
To: DAve
Cc: User Questions
Date: Sun, 20 Dec 2009 17:31:41 -0500
Subject: Re: Source of closed port RST responses
Message-ID: <25ff90d60912201431p1e4e84fbhc1882dacdc6a1944@mail.gmail.com>
In-Reply-To: <4B2E7CEA.1020502@pixelhammer.com>
References: <4B2E7CEA.1020502@pixelhammer.com>
Content-Type: text/plain; charset=ISO-8859-1
List-Id: User questions
On Sun, Dec 20, 2009 at 2:37 PM, DAve wrote:
> I am routinely seeing these entries in one of my servers' logs.
>
> Limiting closed port RST response from 373 to 200 packets/sec
>
> The server sits behind a PIX firewall, so I am suspicious of what is
> trying to connect to a closed port. I don't see in any other logs what
> port is being hit, or what IP is causing these log entries.
>
> Any way to tell what the source IP of these is?

Try using tcpdump. You can redirect the decoded output to a log file as
well. Make sure to replace "em0" in my example with the appropriate
interface name. If the server is very busy, try just running it for a
short period of time to make sure that it does not interrupt operations,
then leave it running for whatever time period you want to monitor if
all goes well.

    tcpdump -np -i em0 'tcp[13] & 4 != 0'

The 'tcp[13] & 4 != 0' will cause the filter to only capture packets with
the TCP flag RST set. man tcpdump or google for more examples of filters.

Good Luck.

---Dave Horn
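A small Python model of that filter, added here as an illustration and not part of Dave Horn's reply: it reads the same byte tcpdump calls tcp[13] from constructed IPv4/TCP packets (the addresses and ports are made up) and lists the endpoints of every packet carrying RST, which is how the peer that hit a closed port shows up, since the server's RST goes back to that peer.

```python
import struct
import ipaddress

TCP_FLAG_RST = 0x04  # bit 2 of the TCP flags byte: the "4" in tcp[13] & 4
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, flags) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:  # not IPv4, or not TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    if len(pkt) < ihl + 14:                        # need the TCP header through byte 13
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]                                # exactly the byte tcpdump's tcp[13] indexes
    return src, dst, sport, dport, flags


def is_rst(pkt: bytes) -> bool:
    """Python equivalent of the tcpdump filter 'tcp[13] & 4 != 0'."""
    parsed = parse_ipv4_tcp(pkt)
    return parsed is not None and (parsed[4] & TCP_FLAG_RST) != 0


def rst_endpoints(packets):
    """(src, dst, sport, dport) of every RST packet; a closed-port RST from the
    server has the probing host as dst, which answers the original question."""
    return [p[:4] for p in map(parse_ipv4_tcp, packets) if p and p[4] & TCP_FLAG_RST]


def build_packet(src, dst, sport, dport, flags) -> bytes:
    """Constructed minimal IPv4+TCP packet for test input (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp


# Constructed sample: a SYN to a closed port, the server's RST+ACK back, and an unrelated ACK.
SAMPLE = [
    build_packet("198.51.100.7", "192.0.2.10", 40000, 8080, TCP_FLAG_SYN),
    build_packet("192.0.2.10", "198.51.100.7", 8080, 40000, TCP_FLAG_RST | TCP_FLAG_ACK),
    build_packet("203.0.113.5", "192.0.2.10", 51000, 22, TCP_FLAG_ACK),
]

if __name__ == "__main__":
    for src, dst, sport, dport in rst_endpoints(SAMPLE):
        print(f"RST {src}:{sport} > {dst}:{dport}")
```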