Date: Thu, 30 Dec 2004 18:23:49 +0100
From: "Florian Hengstberger" <e0025265@student.tuwien.ac.at>
To: FreeBSD mailinglist <freebsd-questions@freebsd.org>
Subject: Hostname lookups? (tcpdump output)
Message-ID: <i9jpnp.b39ana@webmail.tuwien.ac.at>
Hi!

I'm currently keeping track of all packets coming from my ISP using tcpdump. I have a limited transfer rate and I'm wondering why there's still (around 100KB per min) traffic although I have no network connections open to the outside world.

So netstat gives me:

Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  lazarus.49201          hpat989.external.http  TIME_WAIT
tcp4       0      0  lazarus.49199          66.102.9.104.http      ESTABLISHED
tcp4       0      0  localhost.smtp         *.*                    LISTEN
udp4       0      0  localhost.49158        localhost.ntp
udp4       0      0  localhost.ntp          *.*
udp4       0      0  lazarus.ntp            *.*

When I run tcpdump I get the following:

18:15:20.016995 arp who-has 62.116.56.99 tell 62.116.56.1
18:15:20.298713 lazarus.home.49562 > ns1.wwpa.com.domain: 46387+ PTR? 99.56.116.62.in-addr.arpa. (43)
18:15:20.347945 ns1.wwpa.com.domain > lazarus.home.49562: 46387 NXDomain* 0/0/0 (43)
18:15:20.348224 lazarus.home.49563 > ns1.wwpa.com.domain: 46388+ PTR? 1.56.116.62.in-addr.arpa. (42)
18:15:20.388817 ns1.wwpa.com.domain > lazarus.home.49563: 46388 NXDomain* 0/0/0 (42)
18:15:21.388378 lazarus.home.49564 > ns1.wwpa.com.domain: 46389+ PTR? 193.33.116.62.in-addr.arpa. (44)
18:15:21.400068 ns1.wwpa.com.domain > lazarus.home.49564: 46389 1/0/0 (70)
18:15:22.432207 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:23.398410 lazarus.home.49565 > ns1.wwpa.com.domain: 46390+ PTR? 98.56.116.62.in-addr.arpa. (43)
18:15:23.456830 ns1.wwpa.com.domain > lazarus.home.49565: 46390 NXDomain* 0/0/0 (43)
18:15:25.191614 arp who-has 62.116.56.19 tell 62.116.56.1
18:15:25.386242 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:25.448443 lazarus.home.49566 > ns1.wwpa.com.domain: 46391+ PTR? 19.56.116.62.in-addr.arpa. (43)
18:15:25.494756 ns1.wwpa.com.domain > lazarus.home.49566: 46391 NXDomain* 0/0/0 (43)
18:15:28.109842 arp who-has 62.116.56.19 tell 62.116.56.1

First question: The arp-query seems to be ok and unavoidable, but what about the connections to ns1.wwpa.com.domain?
Looks like a reverse dns lookup to me or something? Why is this, is this dangerous, how can I avoid this? Why does this connection not appear in netstat??

I use the standard client firewall, that's my /etc/rc.conf:

#setup the network
hostname="lazarus.home"
ifconfig_sis0="inet 62.116.56.107 netmask 255.255.255.128"
defaultrouter="62.116.56.1"
#ipv6_enable="YES"

#enable the standard firewall
firewall_enable="YES"
firewall_type="client"
firewall_quiet="NO"
firewall_logging="YES"

#enable services
sshd_enable="YES"
ntpd_enable="YES"
ntpd_flags="-c /etc/ntp.conf"

#system settings
keymap="german.iso"
#linux_enable="YES"
moused_enable="YES"

Secondly: I'm only running ntp and ssh (and mozilla), why is a socket listening on the smtp port?

Thanks in advance
Florian

PS: Sorry for the output of netstat and tcpdump