Date: Wed, 8 Oct 2014 07:15:06 -0700
From: Kurt Buff <kurt.buff@gmail.com>
To: "William A. Mahaffey III" <wam@hiwaay.net>
Cc: FreeBSD Questions <questions@freebsd.org>
Subject: Re: oddball syslog entries ....
Message-ID: <CADy1Ce7=SyMwfYMLwguVp3MuMkLSa7R2L6Qpt1ROwMs-kWVfzA@mail.gmail.com>
In-Reply-To: <54353D4C.7080403@hiwaay.net>
References: <5434A8F7.1090507@hiwaay.net> <CADy1Ce5OJ94MBZPk4F-R3CRn8veYLmLP3Zqp07QC0bDCg49oag@mail.gmail.com> <5434AC3A.40707@hiwaay.net> <CADy1Ce4pSdgzH2z+=Oq4DgrRhawTf_YQCi-Q5GKwAmAoJb2x-Q@mail.gmail.com> <54353D4C.7080403@hiwaay.net>
On Wed, Oct 8, 2014 at 6:34 AM, William A. Mahaffey III <wam@hiwaay.net> wrote:
> On 10/07/14 23:11, Kurt Buff wrote:
>>
>> edited the message for clarity...
>>
>> On Tue, Oct 7, 2014 at 8:15 PM, William A. Mahaffey III <wam@hiwaay.net>
>> wrote:
>>>
>>> On 10/07/14 22:01, Kurt Buff wrote:
>>>>
>>>> On Tue, Oct 7, 2014 at 8:01 PM, William A. Mahaffey III <wam@hiwaay.net>
>>>> wrote:
>>>>>
>>>>> Over the last couple of days I am seeing some odd (to me) entries in my
>>>>> messages file:
>>>>>
>> <snipppety>
>>
>>>>> Oct 7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
>>>>> Oct 7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
>>>>>
>>>>> The stuff from Oct 2 is irrelevant, included for completeness/context. The
>>>>> lines about 'Limiting closed port ....' are puzzling to me. Where are they
>>>>> coming from ? Problem or chatter ? Enquiring minds wanna know ;-) .... TIA
>>>>> for any clues ....
>>>>>
>>>> AFAICT, someone is banging on your machine.
>>>>
>>>> What's your network environment look like? Are you directly connected
>>>> to the Internet, on a corporate network, or is this a home machine
>>>> behind a router/firewall?
>>>>
>>>> Kurt
>>>>
>> <snippety>
>>
>>> SOHO, behind a 2-bit firewall device. I used to have an IPCop box, but it
>>> croaked a while back. I have a fair amount of firewalling active on this
>>> box, derived from the stock ipfw file, w/ a few mods for NFS, & that's it. I
>>> am seeing nothing on other boxen on my LAN, FWIW .... Suggested course of
>>> action ?
>>
>> I'd approach this with tcpdump, and wireshark.
>>
>> Assuming you have only one NIC (em0) on this machine, I'd set up
>> something like this as root in a separate terminal/ssh session:
>>
>> tcpdump -npi em0 -C 1 -w /root/dumps/banger.pcap -W 100
>>
>> This sets up a ring buffer where you'll get a maximum of 100 files of
>> 1,000,000 bytes each.
>>
>> Then, when you note those odd messages again, you'll be able to stop
>> the capture and correlate the time stamps of the messages and the
>> tcpdump capture files. Examining the capture files with wireshark
>> should make offending address(es) and/or port(s) stand out like a sore
>> thumb.
>>
>> Kurt
>>
>
> Hmmmmm .... OK. I had neither wireshark nor tcpdump installed, so I did a pkg
> install as such, which begat another problem:
<snip>
> i.e. either wireshark or tcpdump (or 1 of their dependencies) required linux
> compatibility packages. Unfortunately it installed linux-f10 (which I have
> manually deleted a couple of times now) & deleted linux-c6, the newer &
> preferred (AFAIK) packages :-/. I have posted on this problem earlier & was
> informed that FBSD is right mid-stroke on transitioning from linux-f10 to
> linux-c6 pkgs. I guess the wireshark and/or tcpdump maintainers need to be
> advised to switch to linux-c6 instead of linux-f10 for whatever
> compatibility is required. If I manually delete the linux-f10 stuff &
> reinstall the linux-c6 stuff, do you think wireshark/tcpdump will notice the
> difference ? I will probably do that anyway & try it, but I would like any
> advice or wisdom on that matter. Thx & I am off to experiment ....

No particular advice, except that tcpdump is native - no need to install
that.

However, Wireshark is so invaluable to me that I'd rather have that than
most other software - but that's just my preference as a sysadmin using
FreeBSD as an adjunct on the job where Windows predominates.

OTOH, once you have the packet captures provided by tcpdump, they can be
moved/copied to another machine for analysis, if you happen to have one. I
often do this so that my FreeBSD machines can be freed to do their normal
monitoring tasks.

Kurt
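As an added example (not part of the thread and not written by either poster), the script below automates the correlation step Kurt describes: it parses the kernel's "Limiting closed port RST response" lines out of a messages file and, given the modification times of the files written by the `tcpdump -C 1 -W 100` ring buffer, names the capture file(s) whose window covers each event so they can be opened in Wireshark. The log lines and the capture file list are constructed sample data in the same shape as the thread's; the `.pcap0`-style suffixes are an assumption about how tcpdump numbers ring-buffer files on the reader's version. The message itself comes from FreeBSD's ICMP/RST bandwidth limiter (the `net.inet.icmp.icmplim` sysctl, default 200 per second): the first number is how many RSTs to closed ports the kernel wanted to send in that second, so a sustained burst well above the limit is the signature of something probing many closed ports on the host.

```python
import re
from datetime import datetime, timedelta

# Constructed sample /var/log/messages lines, shaped like the ones quoted in
# the thread (not copied from a real host). One cron line is included so the
# parser has something to ignore.
SAMPLE_MESSAGES = """\
Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
Oct  7 15:10:01 kabini1 cron[4242]: (root) CMD (/usr/libexec/atrun)
Oct  7 15:31:07 kabini1 kernel: Limiting closed port RST response from 210 to 200 packets/sec
"""

# Constructed ring-buffer file list as (path, mtime). In practice build it with
# os.scandir() + datetime.fromtimestamp(st_mtime). A ring-buffer file's mtime
# is when tcpdump rotated away from it, i.e. the END of that file's window.
# The suffix format is an assumption about the tcpdump version in use.
SAMPLE_CAPTURES = [
    ("/root/dumps/banger.pcap0", datetime(2014, 10, 7, 14, 58, 40)),
    ("/root/dumps/banger.pcap1", datetime(2014, 10, 7, 15, 3, 23)),
    ("/root/dumps/banger.pcap2", datetime(2014, 10, 7, 15, 12, 5)),
    ("/root/dumps/banger.pcap3", datetime(2014, 10, 7, 15, 40, 0)),
]

# Matches the kernel's rate-limit line; "from N to M packets/sec" carries the
# attempted rate (N) and the configured cap (M, net.inet.icmp.icmplim).
RST_LIMIT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: Limiting closed port RST response from "
    r"(?P<attempted>\d+) to (?P<limit>\d+) packets/sec$"
)


def parse_rst_limit_events(text, year):
    """Return [(timestamp, host, attempted_per_sec, limit)] for each matching line.

    syslog timestamps carry no year, so the caller supplies it; mind the
    year boundary when reading rotated logs from late December."""
    events = []
    for line in text.splitlines():
        m = RST_LIMIT_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], int(m["attempted"]), int(m["limit"])))
    return events


def capture_files_for(ts, captures, slack=timedelta(seconds=5)):
    """Return the ring-buffer file paths whose window covers ts.

    File i covers (mtime[i-1], mtime[i]]; the first file's start is unknown
    and treated as open-ended. `slack` widens each window on both sides,
    because the kernel logs the limit once per second after the burst has
    already begun, so an event near a rotation can legitimately match two
    files and both should be inspected."""
    ordered = sorted(captures, key=lambda c: c[1])
    hits = []
    for i, (path, end) in enumerate(ordered):
        if i == 0:
            in_window = ts <= end + slack
        else:
            start = ordered[i - 1][1]
            in_window = start - slack < ts <= end + slack
        if in_window:
            hits.append(path)
    return hits


def peak_rate(events):
    """Highest attempted RST rate seen; 0 when there were no events."""
    return max((e[2] for e in events), default=0)


def summarize(events, captures):
    """One report row per event: how far over the cap it went and where to look."""
    return [
        {
            "host": host,
            "time": ts,
            "attempted_per_sec": attempted,
            "over_limit_by": attempted - limit,
            "capture_files": capture_files_for(ts, captures),
        }
        for ts, host, attempted, limit in events
    ]


if __name__ == "__main__":
    evs = parse_rst_limit_events(SAMPLE_MESSAGES, 2014)
    print(f"peak attempted rate: {peak_rate(evs)} RST/s")
    for row in summarize(evs, SAMPLE_CAPTURES):
        print(f"{row['time']} {row['host']}: {row['attempted_per_sec']} RST/s "
              f"(over cap by {row['over_limit_by']}); open "
              f"{', '.join(row['capture_files'])}")
```

On a real host, feed it `open('/var/log/messages').read()` and a file list built from `os.scandir('/root/dumps')`; keep the capture running until the messages recur, since the ring buffer only holds the last 100 MB and earlier windows are overwritten.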