oddball syslog entries ....

William A. Mahaffey III wam at hiwaay.net
Wed Oct 8 13:27:59 UTC 2014


On 10/07/14 23:11, Kurt Buff wrote:
> edited the message for clarity...
>
> On Tue, Oct 7, 2014 at 8:15 PM, William A. Mahaffey III <wam at hiwaay.net> wrote:
>> On 10/07/14 22:01, Kurt Buff wrote:
>>> On Tue, Oct 7, 2014 at 8:01 PM, William A. Mahaffey III <wam at hiwaay.net>
>>> wrote:
>>>>
>>>> Over the last couple of days I am seeing some odd (to me) entries in my
>>>> messages file:
>>>>
>>>>
> <snipppety>
>
>>>> Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from
>>>> 295
>>>> to 200 packets/sec
>>>> Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from
>>>> 324
>>>> to 200 packets/sec
>>>>
>>>> The stuff from Oct 2 is irrelevant, included for completeness/context.
>>>> The
>>>> lines about 'Limiting closed port ....' are puzzling to me. Where are
>>>> they
>>>> coming from ? Problem or chatter ? Enquiring minds wanna know ;-) ....
>>>> TIA
>>>> for any clues ....
>>>>
>>> AFAICT, someone is banging on your machine.
>>>
>>> What's your network environment look like? Are you directly connected
>>> to the Internet, on a corporate network, or is this a home machine
>>> behind a router/firewall?
>>>
>>> Kurt
>>>
> <snippety>
>
>> SOHO, behind a 2-bit firewall device. I used to have a IPCop box, but it
>> croaked a while back. I have a fair amount of firewalling active on this
>> box, derived from the stock ipfw file, w/ a few mods for NFS, & that's it. I
>> am seeing nothing on other boxen on my LAN, FWIW .... Suggested course of
>> action ?
> I'd approach this with tcpdump, and wireshark.
>
> Assuming you have only one NIC (em0) on this machine, I'd set up
> something like this as root in a separate terminal/ssh session:
>
>     tcpdump -npi em0 -C 1 -w /root/dumps/banger.pcap -W 100
>
> This sets up a ring buffer where you'll get a maximum of 100 files of
> 1,000,000 bytes each.
>
> Then, when you note those odd messages again, you'll be able to stop
> the capture and correlate the time stamps of the messages and the
> tcpdump capture files. Examining the capture files with wireshark
> should make offending address(es) and/or port(s) stand out like a sore
> thumb.
>
> Kurt
>

Hmmmmm .... OK. I had neither wireshark nor tcpdump installed, so I did a 
pkg install as such, which begat another problem:


[root at kabini1, /etc, 8:21:10am] 699 % pkg install -y wireshark tcpdump
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
Updating FreeBSD_new_xorg repository catalogue...
Fetching meta.txz: 100%   968 B   1.0k/s    00:01
Fetching digests.txz: 100%   68 kB  69.7k/s    00:01
Fetching packagesite.txz: 100%  189 kB 193.5k/s    00:01
Removing expired repository entries: 100%
Processing new repository entries: 100%
FreeBSD_new_xorg repository update completed. 781 packages processed:
   381 updated, 6 removed and 14 added.
Updating database digests format: 100%
New version of pkg detected; it needs to be installed first.
The following 1 packages will be affected (of 0 checked):

Installed packages to be UPGRADED:
         pkg: 1.3.8_2 -> 1.3.8_3 [FreeBSD_new_xorg]

2 MB to be downloaded.
Fetching pkg-1.3.8_3.txz: 100%    2 MB 226.3k/s    00:09
Checking integrity... done (0 conflicting)
[1/1] Upgrading pkg from 1.3.8_2 to 1.3.8_3: 100%
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
Updating FreeBSD_new_xorg repository catalogue...
FreeBSD_new_xorg repository is up-to-date.
All repositories are up-to-date.
The following 19 packages will be affected (of 0 checked):

New packages to be INSTALLED:
         wireshark: 1.12.1 [FreeBSD]
         linux-f10-xorg-libs: 7.4_1 [FreeBSD]
         linux-f10-fontconfig: 2.6.0_1 [FreeBSD]
         linux-f10-expat: 2.0.1_1 [FreeBSD]
         linux_base-f10: 10_7 [FreeBSD]
         linux-f10-pango: 1.28.3_1 [FreeBSD]
         linux-f10-png: 1.2.37_2 [FreeBSD]
         linux-f10-cairo: 1.8.0_3 [FreeBSD]
         linux-f10-gtk2: 2.14.7_5 [FreeBSD]
         linux-f10-tiff: 3.8.2 [FreeBSD]
         linux-f10-jpeg: 6b [FreeBSD]
         linux-f10-atk: 1.24.0_1 [FreeBSD]
         gtk3: 3.8.8_1 [FreeBSD]
         colord: 1.0.1_3 [FreeBSD]
         at-spi2-atk: 2.8.0_1 [FreeBSD]
         at-spi2-core: 2.8.0_1 [FreeBSD]
         libsmi: 0.4.8_1 [FreeBSD]
         adns: 1.4_2 [FreeBSD]
         tcpdump: 4.5.1 [FreeBSD]

The process will require 303 MB more space.
44 MB to be downloaded.
Fetching wireshark-1.12.1.txz: 100%   14 MB 365.8k/s    00:40
Fetching linux-f10-xorg-libs-7.4_1.txz: 100%    1 MB 317.0k/s 00:05
Fetching linux-f10-fontconfig-2.6.0_1.txz: 100%  118 kB 121.2k/s 00:01
Fetching linux-f10-expat-2.0.1_1.txz: 100%   65 kB  67.2k/s 00:01
Fetching linux_base-f10-10_7.txz: 100%   16 MB 363.2k/s    00:48
Fetching linux-f10-pango-1.28.3_1.txz: 100%  274 kB 281.5k/s 00:01
Fetching linux-f10-gtk2-2.14.7_5.txz: 100%    3 MB 351.1k/s 00:09
Fetching linux-f10-tiff-3.8.2.txz: 100%  241 kB 247.7k/s    00:01
Fetching linux-f10-jpeg-6b.txz: 100%  115 kB 118.2k/s    00:01
Fetching linux-f10-atk-1.24.0_1.txz: 100%  143 kB 146.4k/s 00:01
Fetching gtk3-3.8.8_1.txz: 100%    5 MB 343.2k/s    00:16
Fetching colord-1.0.1_3.txz: 100%  409 kB 419.3k/s    00:01
Fetching at-spi2-atk-2.8.0_1.txz: 100%   56 kB  58.3k/s    00:01
Fetching at-spi2-core-2.8.0_1.txz: 100%  213 kB 218.2k/s    00:01
Fetching libsmi-0.4.8_1.txz: 100%    1 MB 334.4k/s    00:06
Fetching adns-1.4_2.txz: 100%  103 kB 105.5k/s    00:01
Fetching tcpdump-4.5.1.txz: 100%  305 kB 312.7k/s    00:01
Checking integrity... done (11 conflicting)
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 40 packages will be affected (of 0 checked):

Installed packages to be REMOVED:
         linux_base-c6-6.5_1
         linux-c6-expat-2.0.1
         linux-c6-fontconfig-2.8.0
         linux-c6-xorg-libs-7.4
         linux-c6-flashplugin-11.2r202.406
         linux-c6-gtk2-2.20.1
         linux-c6-pango-1.28.1
         linux-c6-curl-7.19.7
         linux-c6-cairo-1.8.8
         linux-c6-tiff-3.9.4
         linux-c6-libssh2-1.4.2
         linux-c6-nss-3.16.1
         linux-c6-atk-1.30.0
         linux-c6-png-1.2.49
         linux-c6-jpeg-1.2.1
         linux-c6-openssl-1.0.1e
         linux-c6-openldap-2.4.23
         linux-c6-openssl-compat-0.9.8e
         linux-c6-cyrus-sasl2-2.1.23
         linux-c6-nspr-4.10.0
         linux-c6-sqlite-3.6.20

New packages to be INSTALLED:
         linux_base-f10: 10_7 [FreeBSD]
         linux-f10-expat: 2.0.1_1 [FreeBSD]
         linux-f10-fontconfig: 2.6.0_1 [FreeBSD]
         linux-f10-xorg-libs: 7.4_1 [FreeBSD]
         linux-f10-png: 1.2.37_2 [FreeBSD]
         at-spi2-core: 2.8.0_1 [FreeBSD]
         linux-f10-cairo: 1.8.0_3 [FreeBSD]
         linux-f10-jpeg: 6b [FreeBSD]
         colord: 1.0.1_3 [FreeBSD]
         at-spi2-atk: 2.8.0_1 [FreeBSD]
         linux-f10-pango: 1.28.3_1 [FreeBSD]
         linux-f10-tiff: 3.8.2 [FreeBSD]
         linux-f10-atk: 1.24.0_1 [FreeBSD]
         gtk3: 3.8.8_1 [FreeBSD]
         libsmi: 0.4.8_1 [FreeBSD]
         adns: 1.4_2 [FreeBSD]
         wireshark: 1.12.1 [FreeBSD]
         linux-f10-gtk2: 2.14.7_5 [FreeBSD]
         tcpdump: 4.5.1 [FreeBSD]

The process will require 82 MB more space.

You may need to do by hand:
   o  unmount linprocfs if mounted
   o  delete /compat/linux/proc if present
   o  remove/comment linprocfs from /etc/fstab if present

[1/40] Deleting linux_base-c6-6.5_1:   3%
pkg: /compat/linux/etc/ld.so.cache fails original SHA256 checksum, not 
removing
[1/40] Deleting linux_base-c6-6.5_1: 100%
[2/40] Deleting linux-c6-expat-2.0.1: 100%
/compat/linux/sbin/ldconfig: not found
pkg: POST-DEINSTALL script failed
[3/40] Deleting linux-c6-fontconfig-2.8.0: 100%
/compat/linux/sbin/ldconfig: not found
pkg: POST-DEINSTALL script failed
[4/40] Deleting linux-c6-xorg-libs-7.4: 100%
/compat/linux/sbin/ldconfig: not found
pkg: POST-DEINSTALL script failed
[5/40] Deleting linux-c6-atk-1.30.0: 100%
/compat/linux/sbin/ldconfig: not found
pkg: POST-DEINSTALL script failed
[6/40] Deleting linux-c6-png-1.2.49: 100%
/compat/linux/sbin/ldconfig: not found
pkg: POST-DEINSTALL script failed
[7/40] Deleting linux-c6-jpeg-1.2.1: 100%
/compat/linux/sbin/ldconfig: not found
pkg: POST-DEINSTALL script failed
[8/40] Deleting linux-c6-flashplugin-11.2r202.406: 100%
[9/40] Deleting linux-c6-gtk2-2.20.1: 100%
/compat/linux/sbin/ldconfig: not found
pkg: POST-DEINSTALL script failed
[10/40] Installing linux_base-f10-10_7: 100%

Running linux ldconfig...
[11/40] Deleting linux-c6-pango-1.28.1: 100%
[12/40] Installing linux-f10-expat-2.0.1_1: 100%
[13/40] Deleting linux-c6-cairo-1.8.8: 100%
[14/40] Installing linux-f10-fontconfig-2.6.0_1: 100%
[15/40] Deleting linux-c6-curl-7.19.7: 100%
[16/40] Installing linux-f10-xorg-libs-7.4_1: 100%
[17/40] Installing linux-f10-png-1.2.37_2: 100%
[18/40] Installing at-spi2-core-2.8.0_1: 100%
[19/40] Deleting linux-c6-tiff-3.9.4: 100%
[20/40] Deleting linux-c6-libssh2-1.4.2: 100%
[21/40] Deleting linux-c6-nss-3.16.1: 100%
[22/40] Installing linux-f10-cairo-1.8.0_3: 100%
[23/40] Installing linux-f10-jpeg-6b: 100%
===> Creating users and/or groups.
Creating group 'colord' with gid '970'.
Creating user 'colord' with uid '970'.
[24/40] Installing colord-1.0.1_3: 100%
[25/40] Installing at-spi2-atk-2.8.0_1: 100%
[26/40] Deleting linux-c6-openssl-1.0.1e: 100%
[27/40] Deleting linux-c6-openldap-2.4.23: 100%
[28/40] Deleting linux-c6-openssl-compat-0.9.8e: 100%
[29/40] Deleting linux-c6-cyrus-sasl2-2.1.23: 100%
[30/40] Deleting linux-c6-nspr-4.10.0: 100%
[31/40] Deleting linux-c6-sqlite-3.6.20: 100%
[32/40] Installing linux-f10-pango-1.28.3_1: 100%

(pango-querymodules-32:4899): GLib-WARNING **: getpwuid_r(): failed due 
to unknown user id (0)
Cannot load module /usr/lib/pango/1.6.0/modules/pango-thai-lang.so: 
libthai.so.0: cannot open shared object file: No such file or directory
/usr/lib/pango/1.6.0/modules/pango-thai-lang.so does not export Pango 
module API
[33/40] Installing linux-f10-tiff-3.8.2: 100%
[34/40] Installing linux-f10-atk-1.24.0_1: 100%
[35/40] Installing gtk3-3.8.8_1: 100%
[36/40] Installing libsmi-0.4.8_1: 100%
[37/40] Installing adns-1.4_2: 100%
[38/40] Installing wireshark-1.12.1: 100%
[39/40] Installing linux-f10-gtk2-2.14.7_5: 100%

(process:4918): GLib-WARNING **: getpwuid_r(): failed due to unknown 
user id (0)
[40/40] Installing tcpdump-4.5.1: 100%
  whew !!!! that took (32.335 cpu + 6.306 sys) sec., 3:09.91 elapsed 
time tot, 20.3% CPU efficiency
         (203 text, 2490 data, 78192 max) KB, (2013+4325) io, 241 pfs + 
0 swaps
[root at kabini1, /etc, 8:24:51am] 700 %

i.e. either wireshark or tcpdump (or 1 of their dependencies) required 
linux compatibility packages. Unfortunately it installed linux-f10 
(which I have manually deleted a couple of times now) & deleted 
linux-c6, the newer & preferred (AFAIK) packages :-/. I have posted on 
this problem earlier & was informed that FBSD is right mid-stroke on 
transitioning from linux-f10 to linux-c6 pkgs. I guess the wireshark 
and/or tcpdump maintainers need to be advised to switch to linux-c6 
instead of linux-f10 for whatever compatibility is required. If I 
manually delete the linux-f10 stuff & reinstall the linux-c6 stuff, do 
you think wireshark/tcpdump will notice the difference ? I will probably 
do that anyway & try it, but I would like any advice or wisdom on that 
matter. Thx & I am off to experiment ....

-- 

	William A. Mahaffey III

  ----------------------------------------------------------------------

	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                            -- Gen. George S. Patton Jr.
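Added example for the capture-and-correlate approach suggested above (it is not code from either poster). The "Limiting closed port RST response from N to 200 packets/sec" line is what the FreeBSD kernel prints when RSTs to closed ports exceed sysctl net.inet.icmp.icmplim (default 200), so N is a lower bound on how many closed ports were hit in that second; `sysctl net.inet.icmp.icmplim` confirms the limit on a given box, and note that net.inet.tcp.blackhole suppresses these RSTs entirely, which also silences the message. The script below parses such lines out of messages (classic syslog timestamps carry no year, so one is supplied, assumed 2014 here), summarises the burst, and maps each event onto the file of a tcpdump -C/-W ring buffer using the files' mtimes. The two 15:03 log lines are the ones quoted in the thread; the cron line, the 15:05 line, the ring-buffer file names and their mtimes are constructed for the example.

```python
"""Correlate FreeBSD "Limiting closed port RST response" syslog lines with
the files of a tcpdump ring buffer (-C/-W), so the capture that covers each
burst can be opened in wireshark.  Added example for this thread, not code
from the original posts."""
import re
from datetime import datetime

# Message emitted by the kernel (sys/netinet/ip_icmp.c, badport_bandlim)
# when RSTs to closed ports exceed sysctl net.inet.icmp.icmplim (default 200):
#   "Limiting closed port RST response from <attempted> to <limit> packets/sec"
RST_LIMIT_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: Limiting closed port RST response from "
    r"(?P<attempted>\d+) to (?P<limit>\d+) packets/sec$"
)


def parse_syslog_time(month, day, hms, year):
    """Classic syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {month} {day} {hms}", "%Y %b %d %H:%M:%S")


def parse_rst_limit_events(lines, year):
    """Return one dict per matching line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = RST_LIMIT_RE.match(line.rstrip("\n"))
        if m:
            events.append({
                "when": parse_syslog_time(m["month"], m["day"], m["time"], year),
                "host": m["host"],
                "attempted": int(m["attempted"]),
                "limit": int(m["limit"]),
            })
    return events


def summarize(events):
    """First/last event time, number of events and the peak attempted rate.
    The peak is how many RSTs per second the kernel wanted to send, i.e. a
    lower bound on how many closed ports were being hit in that second."""
    if not events:
        return None
    return {
        "first": events[0]["when"],
        "last": events[-1]["when"],
        "count": len(events),
        "peak_attempted": max(e["attempted"] for e in events),
        "limit": events[0]["limit"],
    }


def capture_files_for(events, ring_files):
    """Map each event to the ring-buffer file that covers its timestamp.

    ring_files: list of (name, mtime) as os.stat() would report them.
    tcpdump -C/-W closes a file when it reaches its size limit, so a closed
    file's mtime is the time of its last packet; the file covering time T is
    the one with the smallest mtime >= T.  If no file has mtime >= T the
    event falls in the file still being written (the newest one)."""
    files = sorted(ring_files, key=lambda f: f[1])
    chosen = []
    for e in events:
        covering = next((name for name, mtime in files if mtime >= e["when"]),
                        files[-1][0])
        if covering not in chosen:
            chosen.append(covering)
    return chosen


# Constructed sample input.  The two "Limiting ..." lines at 15:03 are the ones
# quoted in the thread; the cron line and the 15:05 line are made up here.
SAMPLE_MESSAGES = [
    "Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec",
    "Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec",
    "Oct  7 15:04:00 kabini1 /usr/sbin/cron[1234]: (root) CMD (/usr/libexec/atrun)",
    "Oct  7 15:05:01 kabini1 kernel: Limiting closed port RST response from 211 to 200 packets/sec",
]

# Constructed ring-buffer listing (file names are illustrative; tcpdump numbers
# the files itself).  mtimes are os.stat() values expressed as datetimes.
SAMPLE_RING = [
    ("banger.pcap000", datetime(2014, 10, 7, 14, 58, 10)),
    ("banger.pcap001", datetime(2014, 10, 7, 15, 3, 23)),
    ("banger.pcap002", datetime(2014, 10, 7, 15, 4, 50)),
    ("banger.pcap003", datetime(2014, 10, 7, 15, 5, 40)),
    ("banger.pcap004", datetime(2014, 10, 7, 15, 10, 0)),
]


def run_sample(year=2014):
    """Parse the sample messages and pick the capture files to open."""
    events = parse_rst_limit_events(SAMPLE_MESSAGES, year)
    return summarize(events), capture_files_for(events, SAMPLE_RING)


if __name__ == "__main__":
    summary, files = run_sample()
    print(f"{summary['count']} limit events between {summary['first']} and "
          f"{summary['last']}; peak {summary['peak_attempted']} RST/s "
          f"(limit {summary['limit']})")
    print("open in wireshark:", " ".join(files))
```

When working a real incident, also open the file before each selected one: the scan has already been running for a moment by the time the kernel logs the limit, and the lead-up packets (the first SYNs and the source address that sent them) are what you want. If the ring buffer is still to be set up, tcpdump's -G option rotates by time and honours strftime(3) formats in the -w file name, which gives time-stamped capture files and makes this correlation a matter of reading the file name.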


