Date: Wed, 08 Oct 2014 09:55:18 -0500
From: "William A. Mahaffey III" <wam@hiwaay.net>
Cc: FreeBSD Questions <questions@freebsd.org>
Subject: Re: oddball syslog entries ....
Message-ID: <54355056.2080509@hiwaay.net>
In-Reply-To: <CADy1Ce7=SyMwfYMLwguVp3MuMkLSa7R2L6Qpt1ROwMs-kWVfzA@mail.gmail.com>
References: <5434A8F7.1090507@hiwaay.net> <CADy1Ce5OJ94MBZPk4F-R3CRn8veYLmLP3Zqp07QC0bDCg49oag@mail.gmail.com> <5434AC3A.40707@hiwaay.net> <CADy1Ce4pSdgzH2z%2B=Oq4DgrRhawTf_YQCi-Q5GKwAmAoJb2x-Q@mail.gmail.com> <54353D4C.7080403@hiwaay.net> <CADy1Ce7=SyMwfYMLwguVp3MuMkLSa7R2L6Qpt1ROwMs-kWVfzA@mail.gmail.com>
On 10/08/14 09:15, Kurt Buff wrote:
> On Wed, Oct 8, 2014 at 6:34 AM, William A. Mahaffey III <wam@hiwaay.net> wrote:
>> On 10/07/14 23:11, Kurt Buff wrote:
>>> edited the message for clarity...
>>>
>>> On Tue, Oct 7, 2014 at 8:15 PM, William A. Mahaffey III <wam@hiwaay.net> wrote:
>>>> On 10/07/14 22:01, Kurt Buff wrote:
>>>>> On Tue, Oct 7, 2014 at 8:01 PM, William A. Mahaffey III <wam@hiwaay.net> wrote:
>>>>>>
>>>>>> Over the last couple of days I am seeing some odd (to me) entries in my
>>>>>> messages file:
>>>>>>
>>> <snippety>
>>>
>>>>>> Oct 7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
>>>>>> Oct 7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
>>>>>>
>>>>>> The stuff from Oct 2 is irrelevant, included for completeness/context. The
>>>>>> lines about 'Limiting closed port ....' are puzzling to me. Where are they
>>>>>> coming from ? Problem or chatter ? Enquiring minds wanna know ;-) .... TIA
>>>>>> for any clues ....
>>>>>>
>>>>> AFAICT, someone is banging on your machine.
>>>>>
>>>>> What's your network environment look like? Are you directly connected
>>>>> to the Internet, on a corporate network, or is this a home machine
>>>>> behind a router/firewall?
>>>>>
>>>>> Kurt
>>>>>
>>> <snippety>
>>>
>>>> SOHO, behind a 2-bit firewall device. I used to have an IPCop box, but it
>>>> croaked a while back. I have a fair amount of firewalling active on this
>>>> box, derived from the stock ipfw file, w/ a few mods for NFS, & that's it. I
>>>> am seeing nothing on other boxen on my LAN, FWIW .... Suggested course of
>>>> action ?
>>> I'd approach this with tcpdump, and wireshark.
>>>
>>> Assuming you have only one NIC (em0) on this machine, I'd set up
>>> something like this as root in a separate terminal/ssh session:
>>>
>>> tcpdump -npi em0 -C 1 -w /root/dumps/banger.pcap -W 100
>>>
>>> This sets up a ring buffer where you'll get a maximum of 100 files of
>>> 1,000,000 bytes each.
>>>
>>> Then, when you note those odd messages again, you'll be able to stop
>>> the capture and correlate the time stamps of the messages and the
>>> tcpdump capture files. Examining the capture files with wireshark
>>> should make offending address(es) and/or port(s) stand out like a sore
>>> thumb.
>>>
>>> Kurt
>>>
>> Hmmmmm .... OK. I had neither wireshark nor tcpdump installed, so I did a pkg
>> install as such, which begat another problem:
> <snip>
>
>> i.e. either wireshark or tcpdump (or 1 of their dependencies) required linux
>> compatibility packages. Unfortunately it installed linux-f10 (which I have
>> manually deleted a couple of times now) & deleted linux-c6, the newer &
>> preferred (AFAIK) packages :-/. I have posted on this problem earlier & was
>> informed that FBSD is right mid-stroke on transitioning from linux-f10 to
>> linux-c6 pkgs. I guess the wireshark and/or tcpdump maintainers need to be
>> advised to switch to linux-c6 instead of linux-f10 for whatever
>> compatibility is required. If I manually delete the linux-f10 stuff &
>> reinstall the linux-c6 stuff, do you think wireshark/tcpdump will notice the
>> difference ? I will probably do that anyway & try it, but I would like any
>> advice or wisdom on that matter. Thx & I am off to experiment ....
>
> No particular advice, except that tcpdump is native - no need to install that.
>
> However, Wireshark is so invaluable to me that I'd rather have that
> than most other software - but that's just my preference as a sysadmin
> using FreeBSD as an adjunct on the job where Windows predominates.
>
> OTOH, once you have the packet captures provided by tcpdump, they can
> be moved/copied to another machine for analysis, if you happen to have
> one. I often do this so that my FreeBSD machines can be freed to do
> their normal monitoring tasks.
>
> Kurt
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

tcpdump was not installed by default (this is a desktop box, not a server, maybe the diff) .... In any event, I redressed the linux-f10/linux-c6 situation & so far, no issues .... yippee :-) !!!!

-- 
William A. Mahaffey III

----------------------------------------------------------------------

"The M1 Garand is without doubt the finest implement of war ever devised by man."
-- Gen. George S. Patton Jr.
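The correlation step Kurt describes (match the syslog timestamps of the "Limiting closed port RST response" lines against the tcpdump -C/-W ring-buffer files) as an added example, not code from anyone in the thread. The syslog lines are constructed in the format quoted above; the capture-file inventory, its mtimes and the `banger.pcapNN` naming are assumptions, so check them against your own dump directory.

```python
"""Correlate FreeBSD 'Limiting closed port RST response' syslog lines with a
tcpdump -C/-W ring buffer. Added example, not code from the thread."""
import re
from datetime import datetime

# Constructed sample syslog lines, in the format quoted in the thread.
SAMPLE_LOG = """\
Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
Oct  7 15:10:01 kabini1 sshd[1234]: unrelated line that must be ignored
"""

RST_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Limiting closed port RST response from (?P<seen>\d+) to (?P<cap>\d+) packets/sec$")

def parse_rst_limits(text, year):
    """(timestamp, host, seen_pps, cap_pps) per limiter line; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = RST_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], int(m["seen"]), int(m["cap"])))
    return events

# Constructed (path, mtime) inventory of the ring buffer. tcpdump closes a file
# when it reaches the -C size limit, so the mtime marks the end of its window.
CAPTURE_FILES = [
    ("/root/dumps/banger.pcap00", datetime(2014, 10, 7, 14, 58, 10)),
    ("/root/dumps/banger.pcap01", datetime(2014, 10, 7, 15, 3, 40)),
    ("/root/dumps/banger.pcap02", datetime(2014, 10, 7, 15, 9, 5)),
]

def files_for_event(ts, files):
    """The capture file whose window contains ts (first mtime >= ts) plus its
    predecessor, since a burst can straddle a file rotation."""
    ordered = sorted(files, key=lambda f: f[1])
    for i, (_path, mtime) in enumerate(ordered):
        if mtime >= ts:
            return [p for p, _ in ordered[max(0, i - 1):i + 1]]
    return []  # later than every closed file: still in the file being written

def correlate(log_text, year, files):
    """Map each limiter event to the capture files worth opening in Wireshark."""
    return [(ts, seen, files_for_event(ts, files))
            for ts, _host, seen, _cap in parse_rst_limits(log_text, year)]
```

Run `correlate(SAMPLE_LOG, 2014, CAPTURE_FILES)` to get, per event, the attempted RST rate and the one or two files to inspect; the `seen` value shows how far over the 200 packets/sec cap the burst went.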