From owner-freebsd-questions@FreeBSD.ORG Wed Oct 8 14:15:07 2014
Date: Wed, 8 Oct 2014 07:15:06 -0700
From: Kurt Buff
To: "William A. Mahaffey III"
Cc: FreeBSD Questions
Subject: Re: oddball syslog entries ....
In-Reply-To: <54353D4C.7080403@hiwaay.net>
References: <5434A8F7.1090507@hiwaay.net> <5434AC3A.40707@hiwaay.net> <54353D4C.7080403@hiwaay.net>
List-Id: User questions

On Wed, Oct 8, 2014 at 6:34 AM, William A. Mahaffey III wrote:
> On 10/07/14 23:11, Kurt Buff wrote:
>>
>> edited the message for clarity...
>>
>> On Tue, Oct 7, 2014 at 8:15 PM, William A. Mahaffey III wrote:
>>>
>>> On 10/07/14 22:01, Kurt Buff wrote:
>>>>
>>>> On Tue, Oct 7, 2014 at 8:01 PM, William A. Mahaffey III wrote:
>>>>>
>>>>> Over the last couple of days I am seeing some odd (to me) entries in my
>>>>> messages file:
>>>>>
>>>>> Oct 7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295
>>>>> to 200 packets/sec
>>>>> Oct 7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324
>>>>> to 200 packets/sec
>>>>>
>>>>> The stuff from Oct 2 is irrelevant, included for completeness/context.
>>>>> The lines about 'Limiting closed port ....' are puzzling to me. Where are
>>>>> they coming from ? Problem or chatter ? Enquiring minds wanna know ;-) ....
>>>>> TIA for any clues ....
>>>>>
>>>> AFAICT, someone is banging on your machine.
>>>>
>>>> What's your network environment look like? Are you directly connected
>>>> to the Internet, on a corporate network, or is this a home machine
>>>> behind a router/firewall?
>>>>
>>>> Kurt
>>>>
>>> SOHO, behind a 2-bit firewall device. I used to have an IPCop box, but it
>>> croaked a while back. I have a fair amount of firewalling active on this
>>> box, derived from the stock ipfw file, w/ a few mods for NFS, & that's
>>> it. I am seeing nothing on other boxen on my LAN, FWIW .... Suggested
>>> course of action ?
>>
>> I'd approach this with tcpdump, and wireshark.
>>
>> Assuming you have only one NIC (em0) on this machine, I'd set up
>> something like this as root in a separate terminal/ssh session:
>>
>> tcpdump -npi em0 -C 1 -w /root/dumps/banger.pcap -W 100
>>
>> This sets up a ring buffer where you'll get a maximum of 100 files of
>> 1,000,000 bytes each.
>>
>> Then, when you note those odd messages again, you'll be able to stop
>> the capture and correlate the time stamps of the messages and the
>> tcpdump capture files. Examining the capture files with wireshark
>> should make offending address(es) and/or port(s) stand out like a sore
>> thumb.
>>
>> Kurt
>>
>
> Hmmmmm .... OK. I had neither wireshark nor tcpdump installed, so I did a pkg
> install as such, which begat another problem: i.e. either wireshark or
> tcpdump (or 1 of their dependencies) required linux compatibility packages.
> Unfortunately it installed linux-f10 (which I have manually deleted a couple
> of times now) & deleted linux-c6, the newer & preferred (AFAIK) packages :-/.
> I have posted on this problem earlier & was informed that FBSD is right
> mid-stroke on transitioning from linux-f10 to linux-c6 pkgs. I guess the
> wireshark and/or tcpdump maintainers need to be advised to switch to
> linux-c6 instead of linux-f10 for whatever compatibility is required. If I
> manually delete the linux-f10 stuff & reinstall the linux-c6 stuff, do you
> think wireshark/tcpdump will notice the difference ? I will probably do that
> anyway & try it, but I would like any advice or wisdom on that matter. Thx &
> I am off to experiment ....

No particular advice, except that tcpdump is native - no need to install
that. However, Wireshark is so invaluable to me that I'd rather have that
than most other software - but that's just my preference as a sysadmin
using FreeBSD as an adjunct on the job where Windows predominates.

OTOH, once you have the packet captures provided by tcpdump, they can be
moved/copied to another machine for analysis, if you happen to have one.
I often do this so that my FreeBSD machines can be freed to do their
normal monitoring tasks.

Kurt
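As an added example (not part of this thread, and not FreeBSD or tcpdump code), here is a small Python script that does the correlation step Kurt describes: it parses the "Limiting closed port RST response" notices out of /var/log/messages, merges them into bursts with a start time, end time and peak reported RST rate, and then picks the file from a `tcpdump -C 1 -W 100 -w banger.pcap` ring buffer that should contain the packets for a given moment. The syslog lines, the host name and the ring-buffer file mtimes are constructed inline for the example; on a real machine the mtimes would come from `os.stat()` on the files tcpdump wrote.

```python
import re
from datetime import datetime, timedelta

# Constructed sample /var/log/messages lines in the format quoted in the
# thread (host name, rates and the sshd line are made up for the example).
SAMPLE_MESSAGES = """\
Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
Oct  7 15:03:40 kabini1 sshd[812]: Accepted publickey for wam from 192.0.2.10 port 50022 ssh2
Oct  7 15:04:02 kabini1 kernel: Limiting closed port RST response from 410 to 200 packets/sec
"""

# The kernel prints this when RSTs for closed ports exceed the ceiling set by
# the net.inet.icmp.icmplim sysctl; "seen" is the rate observed, "limit" the cap.
RST_LIMIT_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"kernel: Limiting closed port RST response from (?P<seen>\d+) to (?P<limit>\d+) packets/sec$"
)


def parse_rst_limit_events(text, year):
    """Return one dict per rate-limit notice with a full datetime.

    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = RST_LIMIT_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        stamp = f"{year} {m['mon']} {int(m['day'])} {m['time']}"
        events.append({
            "time": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
            "host": m["host"],
            "seen": int(m["seen"]),
            "limit": int(m["limit"]),
        })
    return events


def group_bursts(events, gap_seconds=60):
    """Merge notices separated by at most gap_seconds into one burst.

    Each burst records when it started and ended, how many notices it
    produced and the highest RST rate the kernel reported during it."""
    bursts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if bursts and ev["time"] - bursts[-1]["end"] <= timedelta(seconds=gap_seconds):
            b = bursts[-1]
            b["end"] = ev["time"]
            b["count"] += 1
            b["peak_seen"] = max(b["peak_seen"], ev["seen"])
        else:
            bursts.append({"start": ev["time"], "end": ev["time"],
                           "count": 1, "peak_seen": ev["seen"]})
    return bursts


def pcap_for_timestamp(ring_files, when):
    """Pick the ring-buffer file that should contain packets captured at `when`.

    With -C/-W, tcpdump closes a file once it reaches the size limit, so a
    file's mtime is roughly the time of its last packet. Sorting by mtime
    (names wrap around after -W files, so name order means nothing), the
    first file whose mtime is >= `when` covers that moment. Returns None if
    `when` is later than the newest file's mtime."""
    for name, mtime in sorted(ring_files, key=lambda f: f[1]):
        if mtime >= when:
            return name
    return None


# Constructed (name, mtime) pairs standing in for os.stat() on the ring files.
SAMPLE_RING = [
    ("/root/dumps/banger.pcap0", datetime(2014, 10, 7, 15, 2, 0)),
    ("/root/dumps/banger.pcap1", datetime(2014, 10, 7, 15, 3, 30)),
    ("/root/dumps/banger.pcap2", datetime(2014, 10, 7, 15, 5, 0)),
]

if __name__ == "__main__":
    for b in group_bursts(parse_rst_limit_events(SAMPLE_MESSAGES, 2014)):
        print(f"{b['start']} .. {b['end']}: {b['count']} notices, peak {b['peak_seen']} RST/s")
        print("  open the capture file", pcap_for_timestamp(SAMPLE_RING, b["start"]),
              "in wireshark and look for the source sending to closed ports")
```

The burst grouping is what makes the log useful on its own: a single notice at a rate just above the cap is ordinary background scanning, while a burst that lasts minutes with a climbing peak is worth opening the matching capture file for. Because the ring buffer reuses file names once it wraps, always select files by mtime, never by the numeric suffix.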