From: Gary Palmer
To: Tiago Felipe
Cc: freebsd-net@freebsd.org
Subject: Re: dropped due to the socket
Date: Mon, 27 Oct 2014 12:21:16 +0000
Message-ID: <20141027122116.GA6851@in-addr.com>

On Mon, Oct 27, 2014 at 09:31:04AM -0200, Tiago Felipe wrote:
> Maybe, but do not believe it, because when you turn it on, the counter

Turn what on, exactly?

> "dropped due to the socket" has gradually increased, this machine acts

Please provide the exact output from the "netstat -s -s" command that
you are talking about.
There is no such statistic "dropped due to the socket".

> as pppoe concentrator, mpd5 and netgraph ..
> I have clients with public IP and nat44.
>
> I'm doing tests yet, but I've read a lot about and looked for similar
> problems, could not come to a conclusion ...

If you are referring to "dropped due to no socket" it means that a UDP
packet arrived for a port that had no socket listening on it. If you
are referring to another statistic please provide the *exact* statistic.

If you want to see what UDP requests are being dropped due to no socket
then run this as root:

    sysctl net.inet.udp.log_in_vain=1

it may produce a LOT of logs, so to turn it off again do:

    sysctl net.inet.udp.log_in_vain=0

The log_in_vain output should go to the console and anywhere in syslog
you have configured to receive kern.info syslog events.

If you have an idle system where the counter is not incrementing and it
is passing no traffic (a VM with no network would be ideal) you can test
the behaviour of the "dropped due to no socket" statistic yourself. Run:

    netstat -s -s | grep 'dropped due to no socket'
    traceroute localhost
    netstat -s -s | grep 'dropped due to no socket'

The 'dropped due to no socket' count should go up by 3, for the 3
traceroute packets that tried to connect to a port that had no listening
socket. You can use the net.inet.udp.log_in_vain sysctl to see the 3
traceroute packets during the test if you are interested.

If you aren't running any firewalls, then as Steve mentioned the most
likely reason is people scanning your box looking for vulnerabilities.
e.g. I see people try to hit the SIP port (UDP 5060) every day on IPs
that don't run any SIP services.

It's also possible that some customer equipment is hitting ports on your
PPPOE termination boxes as the box is the "other end" of the PPPOE
session and the customer equipment is trying to use that "other end" for
services, e.g.
DNS, NTP or similar, even if your PPP session points them elsewhere for
those services.

Regards,

Gary

>
> Thank you
>
> On 27/10/14 09:21, Steven Hartland wrote:
> > I assume you mean "dropped due to *no* socket" which means you're seeing
> > requests to a port which isn't open, possibly due to being port scanned?
> >
> > On 27/10/2014 11:00, Tiago Felipe wrote:
> >> Good afternoon!
> >>
> >> I have seen "dropped due to the socket" on multiple servers with
> >> FreeBSD, this case is a Release 10.
> >> # Netstat -s -s
> >> ...
> >> 4614884 dropped due to the socket
> >> ...
> >>
> >> In this case the current flow is 700mbits download and 80mbits upload,
> >> averaging 130kpps.
> >>
> >> I've done many changes in sysctl.conf and loader.conf, swapped hardware
> >> and have not had many improvements.
> >>
> >> Can anyone tell me the reason? I've been looking for it for weeks, but
> >> still no result.
> >>
> >>
> >> Thank you so much.
> >>
> >>
> >
>
> --
> []s
>
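
Added example, not part of the original thread or of FreeBSD itself: once net.inet.udp.log_in_vain is enabled, a per-port summary of the logged packets helps separate the two causes suggested in the reply (scans of ports such as UDP 5060 versus customer equipment repeatedly querying DNS or NTP on the PPPoE box). It assumes the kernel message has the form "Connection attempt to UDP <dst>:<port> from <src>:<port>"; the host name, addresses and log lines are constructed.

```shell
#!/bin/sh
# Summarize net.inet.udp.log_in_vain messages by destination port.
# Assumed message format as it appears in syslog:
#   ... kernel: Connection attempt to UDP <dst>:<port> from <src>:<port>

# Constructed sample lines (documentation addresses), not real traffic.
sample_log() {
cat <<'EOF'
Oct 27 12:30:01 bras1 kernel: Connection attempt to UDP 192.0.2.1:5060 from 198.51.100.7:5071
Oct 27 12:30:02 bras1 kernel: Connection attempt to UDP 192.0.2.1:53 from 203.0.113.20:40112
Oct 27 12:30:02 bras1 kernel: Connection attempt to UDP 192.0.2.1:53 from 203.0.113.21:51844
Oct 27 12:30:03 bras1 kernel: Connection attempt to UDP 192.0.2.1:123 from 203.0.113.20:123
Oct 27 12:30:04 bras1 kernel: Connection attempt to UDP 192.0.2.1:53 from 203.0.113.20:40113
Oct 27 12:30:05 bras1 kernel: Connection attempt to TCP 192.0.2.1:23 from 198.51.100.9:4431 flags:0x02
EOF
}

# Reads syslog lines on stdin and prints one line per UDP destination port:
#   <hits> <dst-port> <distinct-source-addresses>
# sorted with the busiest port first. Non-UDP lines are ignored.
summarize_in_vain() {
    awk '
    /Connection attempt to UDP / {
        for (i = 1; i <= NF; i++) {
            if ($i == "UDP")  dst = $(i + 1)
            if ($i == "from") src = $(i + 1)
        }
        sub(/^.*:/, "", dst)      # keep only the destination port
        sub(/:[0-9]+$/, "", src)  # keep only the source address
        hits[dst]++
        if (!((dst, src) in seen)) { seen[dst, src] = 1; srcs[dst]++ }
    }
    END { for (p in hits) print hits[p], p, srcs[p] }
    ' | sort -k1,1nr -k2,2n
}

# On a live system, feed it the file that receives kern.info instead.
sample_log | summarize_in_vain
```

Many hits on port 53 or 123 from a small set of customer addresses point at CPE using the box for services; single hits spread over many ports or sources look more like scanning.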