From owner-freebsd-net@FreeBSD.ORG Mon Oct 27 12:43:31 2014 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1C5EE25E; Mon, 27 Oct 2014 12:43:31 +0000 (UTC) Received: from valhalla.connectionlost.com.br (valhalla.connectionlost.com.br [131.72.200.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Tiago Felipe Gon????alves", Issuer "Tiago Felipe Gon????alves" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id AB4CFF1; Mon, 27 Oct 2014 12:43:30 +0000 (UTC) Received: from valhalla.connectionlost.com.br (valhalla [131.72.200.69]) by valhalla.connectionlost.com.br (Postfix) with ESMTP id 2B1BCB1918; Mon, 27 Oct 2014 10:43:24 -0200 (BRST) Authentication-Results: valhalla.connectionlost.com.br; dkim=pass reason="1024-bit key" header.d=connectionlost.com.br header.i=@connectionlost.com.br header.b=SskiO4Tg; dkim-adsp=pass Received: from [186.250.58.220] (unknown [186.250.58.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by valhalla.connectionlost.com.br (Postfix) with ESMTPSA id 57022B18DE; Mon, 27 Oct 2014 10:43:23 -0200 (BRST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=connectionlost.com.br; s=valhalla; t=1414413803; bh=RTcFyPwxT/3FPNOO5gp4Wf6jNOk46DBAEDDiZp6iAl8=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=SskiO4TgYvkfFNJvjIxibzQmzaBcW/9dQqgTgK/DnC83CP5ton0vNAKEH/Q12+do9 QT0gC9xN/LlBl65h4CNABthPWT1r4580oQNgD0Mla16xT3xUR8d17r+yx1GmP6jYA9 rUbz5mb0N2yDbUp0ZHDWzUzbF/Vfr54xoclCG7A4= Message-ID: <544E3DE8.2060602@connectionlost.com.br> Date: Mon, 27 Oct 2014 10:43:20 -0200 From: Tiago Felipe User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.0 MIME-Version: 1.0 To: Gary Palmer Subject: Re: dropped due to the socket References: <544E25E1.8060202@connectionlost.com.br> <544E2ACD.6060901@multiplay.co.uk> <544E2CF8.3090208@connectionlost.com.br> <20141027122116.GA6851@in-addr.com> In-Reply-To: <20141027122116.GA6851@in-addr.com> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="0vl2onTpR3dQgfrdq9TsV8ORNXdt4tj9J" X-Virus-Scanned: ClamAV using ClamSMTP Cc: freebsd-net@freebsd.org X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2014 12:43:31 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --0vl2onTpR3dQgfrdq9TsV8ORNXdt4tj9J Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable Thanks for the explanation, net.inet.udp.log_in_vain was very well put, now I can debug better. I'll do some more tests and then come back here to the list. Thank you Steven and Gary. []s On 27/10/14 10:21, Gary Palmer wrote: > On Mon, Oct 27, 2014 at 09:31:04AM -0200, Tiago Felipe wrote: >> Maybe, but do not believe it, because when you turn it on, the counter= >=20 >=20 > Turn what on, exactly? >=20 >=20 >> "dropped due to the socket" has gradually increased, this machine acts= >=20 >=20 > Please provide the exact output from the "netstat -s -s" command that > you are talking about. There is no such statistic > "dropped due to the socket". >=20 >=20 >> as pppoe concentrator, mpd5 and netgraph .. >> I have clients with public IP and nat44. >> >> I'm doing tests yet, but I've read a lot about and looked for similar >> problems, could not come to a conclusion ... >=20 >=20 > If you are referring to "dropped due to no socket" it means that=20 > a UDP packet arrived for a port that had no socket listening on it. >=20 > If you are referring to another statistic please provide the *exact* > statistic >=20 > If you want to see what UDP requests are being dropped due to no > socket then run this as root: >=20 > sysctl net.inet.udp.log_in_vain=3D1 >=20 > it may produce a LOT of logs, so to turn it off again to: >=20 > sysctl net.inet.udp.log_in_vain=3D0 >=20 > The log_in_vain output should go to the console and anywhere in syslog > you have configured to receive kern.info syslog events. >=20 > If you have an idle system where the counter is not incrementing > and it is passing no traffic (a VM with no network would be ideal) > you can test the behaviour of the "dropped due to no socket" statistic = > yourself. >=20 > Run: >=20 > netstat -s -s | grep 'dropped due to no socket' > traceroute localhost > netstat -s -s | grep 'dropped due to no socket' >=20 > The 'dropped due to no socket' count should go up by 3, for the 3 > traceroute packets that tried to connect to a port that had no listenin= g > socket. You can use the net.inet.udp.log_in_vain sysctl to see the 3 > traceroute packets during the test if you are interested.=20 >=20 > If you aren't running any firewalls, then as Steve mentioned the most > likely reason is people scanning your box looking for vulnerabilities. = > e.g. I see people try to hit the SIP port (UDP 5060) every day on IPs > that don't run any SIP services. It's also possible that some > customer equipment is hitting ports on your PPPOE termination boxes > as the box is the "other end" of the PPPOE session and the customer > equipment is trying to use that "other end" for services, e.g. DNS, NTP= > or similar, even if your PPP session points them elsewhere for those > services >=20 > Regards, >=20 > Gary >=20 >> >> >> Thank you >> >> On 27/10/14 09:21, Steven Hartland wrote: >>> I assume you mean "dropped due to *no *socket" which means your seein= g >>> requests to a port which isn't open, possibly due to being port scann= ed? >>> >>> On 27/10/2014 11:00, Tiago Felipe wrote: >>>> Good afternoon! >>>> >>>> I have seen "dropped due to the socket" on multiple servers with >>>> Freebsd, this case is a Release 10. >>>> # Netstat -s -s >>>> ... >>>> 4614884 dropped due to the socket >>>> ... >>>> >>>> In this case the current flow is 700mbits download and 80mbits uploa= d, >>>> averaging 130kpps. >>>> >>>> I've done many changes in sysctl.conf and loader.conf, swapped hardw= are >>>> and have not had many improvements. >>>> >>>> Can anyone tell me the reason? I'm looking for it to weeks, but stil= l no >>>> result. >>>> >>>> >>>> Thank you so much. >>>> >>>> >>> >>> _______________________________________________ >>> freebsd-net@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-net >>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org= " >> >> --=20 >> []s >> >=20 >=20 --=20 []s --0vl2onTpR3dQgfrdq9TsV8ORNXdt4tj9J Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJUTj3rAAoJEMR7HC7H8wTJlioP/i9Hmeh4qsJB18w+hHIY0Nvv 9++jPfEa2V6/CzZpAZ+zVLVJJXyPdUSfVkslT/CdKBersnyLBFgoQ6t+D/P/g1dk T/QwBDB2aprDFsvQneF4mGhh4dziWcuHw35m2vjbd27ikzIjnkGy/HFmJ48Lbfup yo9dWeIrQTe78bEOz4spDHl7cWZNMCTvi5eDIn9aEdBfKjeCD9wo20YqQpGg+Ovg Shjg5KIQBIoMk80XhzQE5pKe4zQsx8b0LS2y7YsmT5djDq5ok2fCesIetGd7Ks1T HbGhv95vjHcKk1g3L77I10RcRwqctNLpmilI5gXbiAvQwmZY/egk0OW50rjmvNiR baiP0TR/jERM5NmVwcKiGzLOE6HFvPDciJpfaT/Y67veR74cJtQCCz4sg5hSjxDo 4J97ALt5b4YIGJDfjOuKXWa4nLl1NqXYWyet0R7pqaQ3DZTJosh13tUgnp7AWmsJ EixjqUryxqw80bjbqNcqsgk/JuA4m5gth0eSt8nJFTGr+hvrm6ttqtHflsW7IeBk kilCmDCsglab90XUW/QEGrhu/WRl58s9erK7ArktI5P0huA7I6I7DVj2HZ++5SCY 2LiVPJ9e3EsN0ISpWHoUQKn6NbB6svB6QJV5tjKHJgnVjzNVYm5LQGADcSZEdG9U hArmco4Fs4xnVncNK2dZ =DCD3 -----END PGP SIGNATURE----- --0vl2onTpR3dQgfrdq9TsV8ORNXdt4tj9J--