From owner-freebsd-questions Mon Jun 1 18:38:31 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA02461 for freebsd-questions-outgoing; Mon, 1 Jun 1998 18:38:31 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from freebie.lemis.com (freebie.lemis.com [139.130.136.133]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA02350 for ; Mon, 1 Jun 1998 18:38:06 -0700 (PDT) (envelope-from grog@freebie.lemis.com)
Received: (from grog@localhost) by freebie.lemis.com (8.9.0/8.9.0) id LAA03406; Tue, 2 Jun 1998 11:07:25 +0930 (CST)
Message-ID: <19980602110725.A22406@freebie.lemis.com>
Date: Tue, 2 Jun 1998 11:07:25 +0930
From: Greg Lehey
To: Doug White, Alexander Kandelaki
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: STRANGE from NETSTAT :((
References: <35729C7D.3426@sanet.ge>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91.1i
In-Reply-To: ; from Doug White on Mon, Jun 01, 1998 at 02:42:22PM -0700
WWW-Home-Page: http://www.lemis.com/~grog
Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-41-739-7062
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 1 June 1998 at 14:42:22 -0700, Doug White wrote:
> On Mon, 1 Jun 1998, Alexander Kandelaki wrote:
>
>> I just run command netstat on my FreeBSD-2.2.5 system and get
>> the strange results.:
>> What is it ? Someone enters on my system ??
>
> Looks ok to me.  What bothers you, specifically?

Well, let's take this display, demangle it and replace the header
line, and we get:

Proto Recv-Q     Send-Q  Local Address          Foreign Address        (state)
tcp        0          0  access.smtp            tdv4.star.net.uk.18516 TIME_WAIT
tcp        0          0  access.pop3            ppp36-tc1.1026         TIME_WAIT
tcp        0          0  access.3120            208.239.36.131.smtp    TIME_WAIT
tcp        0          0  access.3118            209.117.182.2.smtp     TIME_WAIT
tcp       70 -265816412  0.239.8.241.glogger    144.70.8.241.6215      CLOSED
tcp     1078 -265861860  128.248.7.241.glogger  16.203.254.240.4328    -265849128
tcp      259 -266060032  128.45.8.241.glogger   16.129.7.241.37032     CLOSED
tcp      405 -266141856  128.222.241.240.glogge 144.96.8.241.6215      -265869460
tcp        4 -266140584  access.pop3            144.122.7.241.1027     -265858800
tcp       25 -265882920  access.3131            16.95.231.240.25       -265774092
tcp     4289 -266149744  access.3134            16.89.254.240.25       CLOSED
tcp        0 -266058732  access.pop3            16.91.255.240.2050     CLOSED*
tcp       29 -266199928  access.3050            16.224.7.241.25        CLOSED
udp        0          0  localhost.domain       *.*
udp        0          0  access.domain          *.*

BTW, Alexander, your message looked so illegible that I originally
didn't bother to reply.  I know it's a good idea to wrap text, but
never do it with tables or log output.  In any case, this display is
only 78 characters wide, so there's no need to wrap.  More suggestions
at http://www.lemis.com/email.html.

Doug, I think this looks anything but OK.  We have send queue values
which are large negative values.  The local address in many cases is
just plain ridiculous, and the state is also messed up.  Under the
circumstances, I'd expect the receive queue values to be bogus as
well.

Alexander, this looks like severe corruption somewhere in the kernel.
There's also the possibility that you're running the wrong version of
netstat, but that would not explain why some entries are correct.  Is
the machine still running correctly?  I'd certainly consider a reboot
at some time, along with careful monitoring of the net status.

Greg
--
See complete headers for address and phone numbers
finger grog@lemis.com for PGP public key
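
Added example, not part of the original message and not FreeBSD code: a small Python check that applies the three symptoms named in the reply (bogus queue values, implausible local addresses, non-symbolic states) to the rows of the demangled display. The function name audit, the local_hosts default and the handling of a trailing '*' are assumptions made for illustration.

```python
# Added example. SAMPLE repeats the demangled display above, whitespace collapsed.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 access.smtp tdv4.star.net.uk.18516 TIME_WAIT
tcp 0 0 access.pop3 ppp36-tc1.1026 TIME_WAIT
tcp 0 0 access.3120 208.239.36.131.smtp TIME_WAIT
tcp 0 0 access.3118 209.117.182.2.smtp TIME_WAIT
tcp 70 -265816412 0.239.8.241.glogger 144.70.8.241.6215 CLOSED
tcp 1078 -265861860 128.248.7.241.glogger 16.203.254.240.4328 -265849128
tcp 259 -266060032 128.45.8.241.glogger 16.129.7.241.37032 CLOSED
tcp 405 -266141856 128.222.241.240.glogge 144.96.8.241.6215 -265869460
tcp 4 -266140584 access.pop3 144.122.7.241.1027 -265858800
tcp 25 -265882920 access.3131 16.95.231.240.25 -265774092
tcp 4289 -266149744 access.3134 16.89.254.240.25 CLOSED
tcp 0 -266058732 access.pop3 16.91.255.240.2050 CLOSED*
tcp 29 -266199928 access.3050 16.224.7.241.25 CLOSED
udp 0 0 localhost.domain *.*
udp 0 0 access.domain *.*
"""
# Symbolic TCP state names as printed by BSD netstat.
TCP_STATES = {"CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED",
              "CLOSE_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSING",
              "LAST_ACK", "TIME_WAIT"}

def audit(text, local_hosts=("access", "localhost", "*")):
    """Return [(row, [reasons])] for rows that fail basic sanity checks."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] == "Proto":
            continue  # header or blank line
        proto, recvq, sendq, local = f[:4]
        state = f[5] if len(f) > 5 else ""
        reasons = []
        # Queue lengths are byte counts: only a non-negative integer is sane.
        if not (recvq.isdigit() and sendq.isdigit()):
            reasons.append("bad queue value")
        # The last dotted component is the port or service; the rest is the host.
        if local.rpartition(".")[0] not in local_hosts:
            reasons.append("local address not ours")
        # Assumption: a trailing '*' (as in CLOSED*) is a flag marker, not part of the name.
        if proto.startswith("tcp") and state.rstrip("*") not in TCP_STATES:
            reasons.append("unknown state")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the display above this flags the nine rows with negative send queues and leaves the four TIME_WAIT rows and both udp rows alone, which matches the observation that some entries are correct.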