Hostname lookups? (tcpdump output)
Florian Hengstberger
e0025265 at student.tuwien.ac.at
Thu Dec 30 09:23:54 PST 2004
Hi!
I'm currently keeping track of all packets coming from my ISP
using tcpdump. I have a limited transfer rate and I'm wondering why there's
still (around 100KB per min) traffic although I have no
network connections open to the outside world.
So netstat gives me:
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 lazarus.49201 hpat989.external.http TIME_WAIT
tcp4 0 0 lazarus.49199 66.102.9.104.http ESTABLISHED
tcp4 0 0 localhost.smtp *.* LISTEN
udp4 0 0 localhost.49158 localhost.ntp
udp4 0 0 localhost.ntp *.*
udp4 0 0 lazarus.ntp *.*
When I run tcpdump I get the following:
18:15:20.016995 arp who-has 62.116.56.99 tell 62.116.56.1
18:15:20.298713 lazarus.home.49562 > ns1.wwpa.com.domain: 46387+ PTR? 99.56.116.62.in-addr.arpa. (43)
18:15:20.347945 ns1.wwpa.com.domain > lazarus.home.49562: 46387 NXDomain* 0/0/0 (43)
18:15:20.348224 lazarus.home.49563 > ns1.wwpa.com.domain: 46388+ PTR? 1.56.116.62.in-addr.arpa. (42)
18:15:20.388817 ns1.wwpa.com.domain > lazarus.home.49563: 46388 NXDomain* 0/0/0 (42)
18:15:21.388378 lazarus.home.49564 > ns1.wwpa.com.domain: 46389+ PTR? 193.33.116.62.in-addr.arpa. (44)
18:15:21.400068 ns1.wwpa.com.domain > lazarus.home.49564: 46389 1/0/0 (70)
18:15:22.432207 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:23.398410 lazarus.home.49565 > ns1.wwpa.com.domain: 46390+ PTR? 98.56.116.62.in-addr.arpa. (43)
18:15:23.456830 ns1.wwpa.com.domain > lazarus.home.49565: 46390 NXDomain* 0/0/0 (43)
18:15:25.191614 arp who-has 62.116.56.19 tell 62.116.56.1
18:15:25.386242 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:25.448443 lazarus.home.49566 > ns1.wwpa.com.domain: 46391+ PTR? 19.56.116.62.in-addr.arpa. (43)
18:15:25.494756 ns1.wwpa.com.domain > lazarus.home.49566: 46391 NXDomain* 0/0/0 (43)
18:15:28.109842 arp who-has 62.116.56.19 tell 62.116.56.1
First question:
The ARP query seems to be ok and unavoidable, but what about
the connections to ns1.wwpa.com.domain?
Looks like a reverse DNS lookup to me, or something?
Why is this, is this dangerous, how can I avoid this?
Why does this connection not appear in netstat?
I use the standard client firewall, that's my /etc/rc.conf:
#setup the network
hostname="lazarus.home"
ifconfig_sis0="inet 62.116.56.107 netmask 255.255.255.128"
defaultrouter="62.116.56.1"
#ipv6_enable="YES"
#enable the standard firewall
firewall_enable="YES"
firewall_type="client"
firewall_quiet="NO"
firewall_logging="YES"
#enable services
sshd_enable="YES"
ntpd_enable="YES"
ntpd_flags="-c /etc/ntp.conf"
#system settings
keymap="german.iso"
#linux_enable="YES"
moused_enable="YES"
Secondly: I'm only running ntp and ssh (and mozilla), why is a socket
listening on the smtp port?
Thanks in advance
Florian
PS: Sorry for the output of netstat and tcpdump
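An added example, not part of the original post or of any reply on the list: tcpdump prints hostnames instead of addresses unless it is run with -n, so a capture taken without that flag issues PTR queries of its own for every address it displays. The script below parses the tcpdump lines quoted above (re-joined and embedded as constructed input, not a live capture) and, for each PTR lookup, recovers the address being looked up, whether the resolver answered it, how many bytes the exchange cost, and whether that address also appears in the ARP traffic of the same capture, which is what one would expect if the lookups are driven by what tcpdump is displaying. The regular expressions assume the classic tcpdump text format shown in the post.

```python
import re

# Constructed sample input: the tcpdump lines quoted in the post above,
# with the wrapped lines re-joined.  This is not a live capture.
CAPTURE = """\
18:15:20.016995 arp who-has 62.116.56.99 tell 62.116.56.1
18:15:20.298713 lazarus.home.49562 > ns1.wwpa.com.domain: 46387+ PTR? 99.56.116.62.in-addr.arpa. (43)
18:15:20.347945 ns1.wwpa.com.domain > lazarus.home.49562: 46387 NXDomain* 0/0/0 (43)
18:15:20.348224 lazarus.home.49563 > ns1.wwpa.com.domain: 46388+ PTR? 1.56.116.62.in-addr.arpa. (42)
18:15:20.388817 ns1.wwpa.com.domain > lazarus.home.49563: 46388 NXDomain* 0/0/0 (42)
18:15:21.388378 lazarus.home.49564 > ns1.wwpa.com.domain: 46389+ PTR? 193.33.116.62.in-addr.arpa. (44)
18:15:21.400068 ns1.wwpa.com.domain > lazarus.home.49564: 46389 1/0/0 (70)
18:15:22.432207 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:23.398410 lazarus.home.49565 > ns1.wwpa.com.domain: 46390+ PTR? 98.56.116.62.in-addr.arpa. (43)
18:15:23.456830 ns1.wwpa.com.domain > lazarus.home.49565: 46390 NXDomain* 0/0/0 (43)
18:15:25.191614 arp who-has 62.116.56.19 tell 62.116.56.1
18:15:25.386242 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:25.448443 lazarus.home.49566 > ns1.wwpa.com.domain: 46391+ PTR? 19.56.116.62.in-addr.arpa. (43)
18:15:25.494756 ns1.wwpa.com.domain > lazarus.home.49566: 46391 NXDomain* 0/0/0 (43)
18:15:28.109842 arp who-has 62.116.56.19 tell 62.116.56.1
"""

# Patterns for the classic tcpdump text format used in the post (an assumption).
ARP_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
PTR_QUERY_RE = re.compile(
    r"(\S+)\.(\d+) > (\S+)\.domain: (\d+)\+ PTR\? (\S+)\.in-addr\.arpa\. \((\d+)\)")
PTR_REPLY_RE = re.compile(
    r"(\S+)\.domain > (\S+)\.(\d+): (\d+) (NXDomain\*)?\s*(\d+)/(\d+)/(\d+) \((\d+)\)")


def ptr_name_to_ip(label: str) -> str:
    """Undo the in-addr.arpa octet reversal: '99.56.116.62' -> '62.116.56.99'."""
    return ".".join(reversed(label.split(".")))


def analyze(capture: str) -> dict:
    """Correlate every PTR query in the capture with its reply and with ARP traffic."""
    arp_hosts = set()       # every address seen as ARP target or sender
    lookups = []            # one record per PTR query, in capture order
    by_txid = {}            # DNS transaction id -> lookup record
    resolvers = set()
    dns_bytes = 0
    for line in capture.splitlines():
        m = ARP_RE.search(line)
        if m:
            arp_hosts.update(m.groups())
            continue
        m = PTR_QUERY_RE.search(line)
        if m:
            _client, _port, resolver, txid, label, size = m.groups()
            rec = {"ip": ptr_name_to_ip(label), "answered": False,
                   "bytes": int(size), "seen_in_arp": False}
            lookups.append(rec)
            by_txid[txid] = rec
            resolvers.add(resolver)
            dns_bytes += int(size)
            continue
        m = PTR_REPLY_RE.search(line)
        if m:
            _resolver, _client, _port, txid, _nx, ancount, _ns, _ar, size = m.groups()
            rec = by_txid.get(txid)
            if rec is not None:
                rec["answered"] = int(ancount) > 0   # answer count in the a/n/au triple
                rec["bytes"] += int(size)
            dns_bytes += int(size)
    for rec in lookups:
        rec["seen_in_arp"] = rec["ip"] in arp_hosts
    return {"resolvers": sorted(resolvers), "dns_bytes": dns_bytes,
            "lookups": lookups, "arp_hosts": sorted(arp_hosts)}


if __name__ == "__main__":
    result = analyze(CAPTURE)
    print("resolver(s):", result["resolvers"], " DNS bytes in capture:", result["dns_bytes"])
    for rec in result["lookups"]:
        print(f"PTR for {rec['ip']:<15} answered={rec['answered']!s:<5} "
              f"bytes={rec['bytes']:<3} seen_in_arp={rec['seen_in_arp']}")
```

On the quoted capture, four of the five looked-up addresses are exactly the hosts that appear in the ARP who-has/tell lines, and the PTR exchanges account for 456 bytes of the capture window; the one address that resolved successfully (62.116.33.193) is not in the ARP traffic. The practical check is to rerun the capture as `tcpdump -n`: if the PTR queries to ns1.wwpa.com disappear, they were tcpdump's own lookups rather than traffic from another process.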
More information about the freebsd-questions mailing list