oddball syslog entries ....

William A. Mahaffey III wam at hiwaay.net
Wed Oct 8 14:49:06 UTC 2014


On 10/08/14 09:15, Kurt Buff wrote:
> On Wed, Oct 8, 2014 at 6:34 AM, William A. Mahaffey III <wam at hiwaay.net> wrote:
>> On 10/07/14 23:11, Kurt Buff wrote:
>>> edited the message for clarity...
>>>
>>> On Tue, Oct 7, 2014 at 8:15 PM, William A. Mahaffey III <wam at hiwaay.net>
>>> wrote:
>>>> On 10/07/14 22:01, Kurt Buff wrote:
>>>>> On Tue, Oct 7, 2014 at 8:01 PM, William A. Mahaffey III <wam at hiwaay.net>
>>>>> wrote:
>>>>>>
>>>>>> Over the last couple of days I am seeing some odd (to me) entries in my
>>>>>> messages file:
>>>>>>
>>>>>>
>>> <snipppety>
>>>
>>>>>> Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from
>>>>>> 295
>>>>>> to 200 packets/sec
>>>>>> Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from
>>>>>> 324
>>>>>> to 200 packets/sec
>>>>>>
>>>>>> The stuff from Oct 2 is irrelevant, included for completeness/context.
>>>>>> The
>>>>>> lines about 'Limiting closed port ....' are puzzling to me. Where are
>>>>>> they
>>>>>> coming from ? Problem or chatter ? Enquiring minds wanna know ;-) ....
>>>>>> TIA
>>>>>> for any clues ....
>>>>>>
>>>>> AFAICT, someone is banging on your machine.
>>>>>
>>>>> What's your network environment look like? Are you directly connected
>>>>> to the Internet, on a corporate network, or is this a home machine
>>>>> behind a router/firewall?
>>>>>
>>>>> Kurt
>>>>>
>>> <snippety>
>>>
>>>> SOHO, behind a 2-bit firewall device. I used to have a IPCop box, but it
>>>> croaked a while back. I have a fair amount of firewalling active on this
>>>> box, derived from the stock ipfw file, w/ a few mods for NFS, & that's
>>>> it. I
>>>> am seeing nothing on other boxen on my LAN, FWIW .... Suggested course of
>>>> action ?
>>> I'd approach this with tcpdump, and wireshark.
>>>
>>> Assuming you have only one NIC (em0) on this machine, I'd set up
>>> something like this as root in a separate terminal/ssh session:
>>>
>>>      tcpdump -npi em0 -C 1 -w /root/dumps/banger.pcap -W 100
>>>
>>> This sets up a ring buffer where you'll get a maximum of 100 files of
>>> 1,000,000 bytes each.
>>>
>>> Then, when you note those odd messages again, you'll be able to stop
>>> the capture and correlate the time stamps of the messages and the
>>> tcpdump capture files. Examining the capture files with wireshark
>>> should make offending address(es) and/or port(s) stand out like a sore
>>> thumb.
>>>
>>> Kurt
>>>
>> Hmmmmm .... OK. I had neither wireshark or tcpdump installed, so I did a pkg
>> install as such, which begat another problem:
> <snip>
>
>> i.e. either wireshark or tcpdump (or 1 of their dependencies) required linux
>> compatibility packages. Unfortunately it installed linux-f10 (which I have
>> manually deleted a couple of times now) & deleted linux-c6, the newer &
>> preferred (AFAIK) packages :-/. I have posted on this problem earlier & was
>> informed that FBSD is right mid-stroke on transitioning from linux-f10 to
>> linux-c6 pkgs. I guess the wireshark and/or tcpdump maintainers need to be
>> advised to switch to linux-c6 instead of linux-f10 for whatever
>> compatibility is required. If I manually delete the linux-f10 stuff &
>> reinstall the linux-c6 stuff, do you think wireshark/tcpdump will notice the
>> difference ? I will probably do that anyway & try it, but I would like any
>> advice or wisdom on that matter. Thx & I am off to experiment ....
>
> No particular advice, except that tcpdump is native - no need to install that.
>
> However, Wireshark is so invaluable to me that I'd rather have that
> than most other software - but that's just my preference as a sysadmin
> using FreeBSD as an adjunct on the job where Windows predominates.
>
> OTOH, once you have the packet captures provided by tcpdump, they can
> be moved/copied to another machine for analysis, if you happen to have
> one. I often do this so that my FreeBSD machines can be freed to do
> their normal monitoring tasks.
>
> Kurt
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>

tcpdump was not installed by default (this is a desktop box, not a 
server, maybe the diff) .... In any event, I redressed the 
linux-f10/linux-c6 situation & so far, no issues .... yippee :-) !!!!

-- 

	William A. Mahaffey III

  ----------------------------------------------------------------------

	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                            -- Gen. George S. Patton Jr.
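Kurt's suggestion above was to correlate the syslog timestamps with the tcpdump ring-buffer files. As an added example that is not code from the thread, this Python script parses the "Limiting closed port RST response" lines and picks the capture file whose write window covers each event; the log lines and file modification times are constructed, the year is assumed (syslog omits it), and the file names follow tcpdump's -C/-W numbering.

```python
import re
from datetime import datetime

# Constructed sample /var/log/messages lines, modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
Oct  7 15:10:01 kabini1 syslogd: restart
"""

# Kernel message format: "from <rate seen> to <cap> packets/sec".  The cap is the
# ceiling of the closed-port RST band limiter (sysctl net.inet.icmp.icmplim, default 200).
LIMIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Limiting closed port RST response from (?P<seen>\d+) to (?P<cap>\d+) packets/sec$"
)


def parse_rst_limit_events(text, year):
    """Return (timestamp, host, rate_seen, cap) for each band-limiter line.

    syslog omits the year, so the caller supplies it (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LIMIT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], int(m["seen"]), int(m["cap"])))
    return events


def capture_files_for(events, captures):
    """Map each event timestamp to the ring-buffer file being written at that moment.

    captures: list of (path, last_modified) for the files tcpdump -C/-W produced;
    in real use build it from os.stat(path).st_mtime.  tcpdump fills the files one
    after another, so file i covers the interval (mtime[i-1], mtime[i]]."""
    ordered = sorted(captures, key=lambda c: c[1])
    result = {}
    for ts, _host, _seen, _cap in events:
        # None means the event is newer than the last completed file.
        result[ts] = next((path for path, mtime in ordered if mtime >= ts), None)
    return result


if __name__ == "__main__":
    for ts, host, seen, cap in parse_rst_limit_events(SAMPLE_LOG, 2014):
        print(f"{ts} {host}: {seen} RST/sec to closed ports (capped at {cap})")
```

Open the selected file in wireshark and filter on TCP RST packets to see which source addresses and destination ports drove the rate over the cap.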


