oddball syslog entries ....

Kurt Buff kurt.buff at gmail.com
Wed Oct 8 14:15:07 UTC 2014


On Wed, Oct 8, 2014 at 6:34 AM, William A. Mahaffey III <wam at hiwaay.net> wrote:
> On 10/07/14 23:11, Kurt Buff wrote:
>>
>> edited the message for clarity...
>>
>> On Tue, Oct 7, 2014 at 8:15 PM, William A. Mahaffey III <wam at hiwaay.net>
>> wrote:
>>>
>>> On 10/07/14 22:01, Kurt Buff wrote:
>>>>
>>>> On Tue, Oct 7, 2014 at 8:01 PM, William A. Mahaffey III <wam at hiwaay.net>
>>>> wrote:
>>>>>
>>>>>
>>>>> Over the last couple of days I am seeing some odd (to me) entries in my
>>>>> messages file:
>>>>>
>>>>>
>> <snipppety>
>>
>>>>> Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
>>>>> Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
>>>>>
>>>>> The stuff from Oct 2 is irrelevant, included for completeness/context.
>>>>> The
>>>>> lines about 'Limiting closed port ....' are puzzling to me. Where are
>>>>> they
>>>>> coming from ? Problem or chatter ? Enquiring minds wanna know ;-) ....
>>>>> TIA
>>>>> for any clues ....
>>>>>
>>>> AFAICT, someone is banging on your machine.
>>>>
>>>> What's your network environment look like? Are you directly connected
>>>> to the Internet, on a corporate network, or is this a home machine
>>>> behind a router/firewall?
>>>>
>>>> Kurt
>>>>
>> <snippety>
>>
>>> SOHO, behind a 2-bit firewall device. I used to have a IPCop box, but it
>>> croaked a while back. I have a fair amount of firewalling active on this
>>> box, derived from the stock ipfw file, w/ a few mods for NFS, & that's
>>> it. I
>>> am seeing nothing on other boxen on my LAN, FWIW .... Suggested course of
>>> action ?
>>
>> I'd approach this with tcpdump, and wireshark.
>>
>> Assuming you have only one NIC (em0) on this machine, I'd set up
>> something like this as root in a separate terminal/ssh session:
>>
>>     tcpdump -npi em0 -C 1 -w /root/dumps/banger.pcap -W 100
>>
>> This sets up a ring buffer where you'll get a maximum of 100 files of
>> 1,000,000 bytes each.
>>
>> Then, when you note those odd messages again, you'll be able to stop
>> the capture and correlate the time stamps of the messages and the
>> tcpdump capture files. Examining the capture files with wireshark
>> should make offending address(es) and/or port(s) stand out like a sore
>> thumb.
>>
>> Kurt
>>
>
> Hmmmmm .... OK. I had neither wireshark nor tcpdump installed, so I did a pkg
> install as such, which begat another problem:

<snip>

> i.e. either wireshark or tcpdump (or 1 of their dependencies) required linux
> compatibility packages. Unfortunately it installed linux-f10 (which I have
> manually deleted a couple of times now) & deleted linux-c6, the newer &
> preferred (AFAIK) packages :-/. I have posted on this problem earlier & was
> informed that FBSD is right mid-stroke on transitioning from linux-f10 to
> linux-c6 pkgs. I guess the wireshark and/or tcpdump maintainers need to be
> advised to switch to linux-c6 instead of linux-f10 for whatever
> compatibility is required. If I manually delete the linux-f10 stuff &
> reinstall the linux-c6 stuff, do you think wireshark/tcpdump will notice the
> difference ? I will probably do that anyway & try it, but I would like any
> advice or wisdom on that matter. Thx & I am off to experiment ....


No particular advice, except that tcpdump is native - no need to install that.

However, Wireshark is so invaluable to me that I'd rather have that
than most other software - but that's just my preference as a sysadmin
using FreeBSD as an adjunct on the job where Windows predominates.

OTOH, once you have the packet captures provided by tcpdump, they can
be moved/copied to another machine for analysis, if you happen to have
one. I often do this so that my FreeBSD machines can be freed to do
their normal monitoring tasks.

Kurt
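The correlation step Kurt describes (stop the tcpdump ring buffer, then match the syslog timestamps of the "Limiting closed port RST response" lines against the capture files) can be scripted. The block below is an added example, not code from this thread or from FreeBSD: it parses the kernel message (the throttle is FreeBSD's net.inet.icmp.icmplim tunable, default 200 packets/sec), reads the first and last packet timestamps out of classic pcap files, and reports which ring-buffer file covers each alert. The file names banger.pcapN, the year 2014, the two-second clock-skew slack, and all sample log lines and pcap bytes are constructed assumptions; on a real box you would feed it the files from /root/dumps/ instead of the inline samples.

```python
"""Correlate FreeBSD 'Limiting closed port RST response' syslog lines with the
files written by `tcpdump -C 1 -W 100 -w banger.pcap`.
Added example; sample log lines and pcap bytes below are constructed."""
import re
import struct
from datetime import datetime

# Kernel message logged when net.inet.icmp.icmplim throttles RST replies to
# closed TCP ports. syslog lines carry no year, so the caller supplies one.
RST_LIMIT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: Limiting closed port RST response from "
    r"(?P<attempted>\d+) to (?P<limit>\d+) packets/sec$")

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # classic pcap, nanosecond timestamps


def parse_rst_limit_line(line, year):
    """Dict with epoch time, host, attempted and limit rates; None otherwise."""
    m = RST_LIMIT_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                             "%Y %b %d %H:%M:%S")
    return {"when": when.timestamp(), "host": m["host"],
            "attempted": int(m["attempted"]), "limit": int(m["limit"])}


def pcap_time_span(data):
    """(first_packet_epoch, last_packet_epoch) of an in-memory classic pcap
    file (not pcapng), or None if it holds no packet records."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file")
    frac_div = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    first = last = None
    off = 24
    while off + 16 <= len(data):      # 16-byte record header precedes each packet
        sec, frac, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        ts = sec + frac / frac_div
        first = ts if first is None else first
        last = ts
        off += 16 + incl_len
    return None if first is None else (first, last)


def build_capture_index(files):
    """[(name, first, last)] for files holding packets, sorted by first packet
    time. Sorting by time rather than by the -W suffix matters: once the ring
    wraps, banger.pcap0 may be newer than banger.pcap99."""
    index = []
    for name, data in files:
        span = pcap_time_span(data)
        if span:
            index.append((name, span[0], span[1]))
    return sorted(index, key=lambda e: e[1])


def find_capture_for(alert_epoch, index, slack=2.0):
    """Name of the file whose packets bracket the alert time (with `slack`
    seconds for syslog/tcpdump skew); None if the ring already overwrote it."""
    for name, first, last in index:
        if first - slack <= alert_epoch <= last + slack:
            return name
    return None


def make_pcap(timestamps):
    """Constructed helper: a pcap with one 1-byte dummy packet per timestamp."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for ts in timestamps:
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), 1, 1) + b"\x00"
    return out


def epoch(*args):
    return datetime(*args).timestamp()


# Constructed sample: the two lines from the thread plus an unrelated line.
SAMPLE_LOG = [
    "Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec",
    "Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec",
    "Oct  7 15:05:00 kabini1 sshd[1234]: Accepted publickey for user from 192.0.2.10",
]
# Constructed ring-buffer files: pcap1 spans 15:03:10-15:03:30, pcap0 is newer.
SAMPLE_FILES = [
    ("banger.pcap0", make_pcap([epoch(2014, 10, 7, 15, 4, 0), epoch(2014, 10, 7, 15, 4, 30)])),
    ("banger.pcap1", make_pcap([epoch(2014, 10, 7, 15, 3, 10), epoch(2014, 10, 7, 15, 3, 30)])),
]


def correlate(log_lines, files, year):
    """[(syslog line, attempted RST rate, capture file or None)] per alert."""
    index = build_capture_index(files)
    out = []
    for line in log_lines:
        a = parse_rst_limit_line(line, year)
        if a:
            out.append((line, a["attempted"], find_capture_for(a["when"], index)))
    return out


if __name__ == "__main__":
    for line, rate, pcap in correlate(SAMPLE_LOG, SAMPLE_FILES, 2014):
        print(f"{rate:>4} RST/s -> {pcap or 'no capture covers this time'}  ({line[:15]})")
```

Once the script names a file, open only that file in Wireshark and filter on `tcp.flags.reset == 1` from the local address; the peer that drew hundreds of RSTs per second is the one probing closed ports, which is what Kurt expects to "stand out like a sore thumb". An alert that maps to None means the ring wrapped before you stopped the capture, so either stop sooner or raise -W.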

