Date:      Tue, 16 Jun 1998 09:13:59 +0200
From:      Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>
To:        Doug White <dwhite@resnet.uoregon.edu>
Cc:        Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>, freebsd-questions@freefall.cdrom.com
Subject:   Re: using tcpdump effectively
Message-ID:  <19980616091359.45134@gil.physik.rwth-aachen.de>
In-Reply-To: <Pine.BSF.3.96.980615202757.2150D-100000@gdi.uoregon.edu>; from Doug White on Mon, Jun 15, 1998 at 08:29:47PM -0700
References:  <199806151447.QAA29137@gilberto.physik.RWTH-Aachen.DE> <Pine.BSF.3.96.980615202757.2150D-100000@gdi.uoregon.edu>

On Mon, Jun 15, 1998 at 08:29:47PM -0700, Doug White wrote:
> On Mon, 15 Jun 1998, Christoph Kukulies wrote:
> 
> > 
> > To trace down why some network based X11 sessions are spuriously failing
> > I'm trying to use tcpdump.
> > 
> > What sporadically happens is that an X session to our Mentor Design Architect
> > running on HP is ceased and the connection breaks (we login via rlogin
> > and start the X client with DISPLAY set to the FreeBSD machine.)
> > 
> > When the connection breaks we see something like 'no route to host' 

It seems that I have found the problem. I logged (tcpdump) all
packets to and from the two hosts and this morning my colleague
called me up and said it happened again.

I peeked into my logs and found the following interesting
passage right at the time it happened:

08:28:03.140374 monk.6000 > hp.1327: P 151773:151805(32) ack 661157 win 17520 (DF)
08:28:03.151214 monk.6000 > hp.1327: P 151805:151837(32) ack 661157 win 17520 (DF)
08:28:03.152081 arp who-has monk tell aca402a.physik.rwth-aachen.de
08:28:03.152336 arp reply monk is-at 0:40:95:24:d5:9b
08:28:03.152780 aca402a.physik.rwth-aachen.de > monk: icmp: host hp unreachable
08:28:03.163115 monk.6000 > hp.1327: P 151837:151869(32) ack 661157 win 17520 (DF)
08:28:03.167881 hp.1327 > monk.6000: . ack 151869 win 7776
08:28:03.172922 monk.6000 > hp.1327: P 151869:151901(32) ack 661157 win 17520 (DF)
08:28:03.185096 monk.6000 > hp.1327: P 151901:151933(32) ack 661157 win 17520 (DF)


Two things are interesting:

monk (the X Display server (FreeBSD)) received a package from a
host which shouldn't be involved at all (sniper hosts). This host is
telling monk via icmp that hp is unreachable. I'd bet this is an old
NT system (< 3.51).

The address of that host is a name which consists of only hex digits -
Maybe not important but you never know.

I've sent a colleague through the building to take this host
from the network. I'd bet it is an NT System < 3.51 (or in the worst
case, a malign program).


> 
> Most likely the client is losing the network connection to the host,
> either by damage to the routing tables on the client or on an intermediate
> network device. Run a traceroute to the HP box when MDA crashes and see if
> it fails anywhere.
> 
> > Could that be caused by denial of service attacks? What exactly is a denial
> > of service attack? 
> 
> A denial of service attack (DoS) attempts to keep a machine from being
> serviceable by overwhelming it with requests or by disabling a server,
> rendering it useless.
> 
> Doug White                              | University of Oregon  
> Internet:  dwhite@resnet.uoregon.edu    | Residence Networking Assistant
> http://gladstone.uoregon.edu/~dwhite    | Computer Science Major
> NOTICE:  Make sure your mailer replies to dwhite@resnet or I won't get it! 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
--Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
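The diagnosis above (a third host, not an endpoint of the X connection, sending "host hp unreachable" to monk while hp is demonstrably still answering) can be checked mechanically over a tcpdump text trace. The script below is an added example, not code from the mail or from FreeBSD; it parses the tcpdump line format shown above, flags ICMP host-unreachable messages whose sender is neither a flow endpoint nor a listed router, and records whether later segments from the "unreachable" host contradict the claim. The sample input is constructed from the trace lines quoted in the mail; `trusted_routers` is an assumed allowlist, since routers on the path legitimately emit such messages.

```python
import re

# Sample input, constructed from the tcpdump lines quoted in this mail
# (hostnames as in the trace; the wrapped "( DF)" joined back to "(DF)").
TRACE = """\
08:28:03.140374 monk.6000 > hp.1327: P 151773:151805(32) ack 661157 win 17520 (DF)
08:28:03.152081 arp who-has monk tell aca402a.physik.rwth-aachen.de
08:28:03.152336 arp reply monk is-at 0:40:95:24:d5:9b
08:28:03.152780 aca402a.physik.rwth-aachen.de > monk: icmp: host hp unreachable
08:28:03.163115 monk.6000 > hp.1327: P 151837:151869(32) ack 661157 win 17520 (DF)
08:28:03.167881 hp.1327 > monk.6000: . ack 151869 win 7776
"""

# tcpdump text format of the day: "<time> <host>.<port> > <host>.<port>: <flags> ..."
TCP_RE = re.compile(r"^(\S+) (\S+)\.\d+ > (\S+)\.\d+: ")
ICMP_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: host (\S+) unreachable\b")


def parse(trace):
    """Split a tcpdump text trace into TCP segments and ICMP host-unreachable messages."""
    tcp, icmp = [], []
    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if m:
            tcp.append(m.groups())            # (time, src, dst)
            continue
        m = ICMP_RE.match(line)
        if m:
            icmp.append(m.groups())           # (time, sender, target, claimed_down)
    return tcp, icmp


def find_rogue_unreachables(trace, trusted_routers=frozenset()):
    """Flag ICMP host-unreachable messages whose sender is neither an endpoint of a
    TCP flow with the target nor a trusted router (assumed allowlist), and note
    whether the trace contradicts the claim: the 'unreachable' host keeps sending
    to the target after the message. Timestamps are compared lexically, which is
    valid for tcpdump's fixed-width HH:MM:SS.ffffff within one day."""
    tcp, icmp = parse(trace)
    findings = []
    for ts, sender, target, down in icmp:
        endpoints = {s for t, s, d in tcp if d == target} | {d for t, s, d in tcp if s == target}
        if sender == down or sender in endpoints or sender in trusted_routers:
            continue
        contradicted = any(t > ts and s == down and d == target for t, s, d in tcp)
        findings.append({"time": ts, "sender": sender, "target": target,
                         "claims_unreachable": down, "contradicted_by_trace": contradicted})
    return findings
```

On the trace in this mail the only finding is the message from aca402a.physik.rwth-aachen.de, with the hp ack at 08:28:03.167881 marking the claim as contradicted.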
