Source of closed port RST responses
David Horn
dhorn2000 at gmail.com
Sun Dec 20 22:31:43 UTC 2009
On Sun, Dec 20, 2009 at 2:37 PM, DAve <dave.list at pixelhammer.com> wrote:
> I am routinely seeing these entries in one of my servers logs.
>
> Limiting closed port RST response from 373 to 200 packets/sec
>
> The server sits behind a PIX firewall, so I am suspicious of what is
> trying to connect to a closed port. I don't see in any other logs what
> port is being hit, or what IP is causing these log entries.
>
> Any way to tell what the source IP of these is?
>
>
Try using tcpdump. You can redirect the decoded output to a log file as
well. Make sure to replace "em0" in my example with the appropriate
interface name. If the server is very busy, try just running it for a short
period of time to make sure that it does not interrupt operations, then
leave it running for whatever time period you want to monitor if all goes
well.
tcpdump -np -i em0 'tcp[13] & 4 != 0'
The 'tcp[13] & 4 != 0' will cause the filter to only capture packets with the
tcp flag RST set.
man tcpdump
or google for more examples of filters.
Good Luck.
---Dave Horn
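To make the filter expression concrete, here is an added example (not part of the original thread or of tcpdump) that parses raw IPv4/TCP packets the same way BPF does, reads byte 13 of the TCP header, and tallies RST packets by the peer they are sent to and the closed port that peer probed. All packets are constructed inline with addresses from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); in practice the same summary can be run over a pcap file that tcpdump wrote with `-w`.

```python
import struct
import socket
from collections import Counter

# TCP flag bits in header byte 13; RST (0x04) is the "4" in 'tcp[13] & 4 != 0'.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src, sport, dst, dport, flags):
    """Build a minimal IPv4+TCP packet (no options, no payload) for the demo.
    Checksums are left zero because the parser below does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_ipv4_tcp(packet):
    """Return (src, sport, dst, dport, flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:   # byte 9 is the protocol field
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]                       # exactly the byte BPF reads as tcp[13]
    return src, sport, dst, dport, flags


def matches_rst_filter(packet):
    """Equivalent of tcpdump's 'tcp[13] & 4 != 0' for one packet."""
    parsed = parse_ipv4_tcp(packet)
    return parsed is not None and (parsed[4] & RST) != 0


def rst_targets(packets):
    """Count RST packets by (destination IP, RST source port).

    A closed-port RST is sent by the server *from* the closed port *to* the
    peer that probed it, so the destination is the host worth investigating."""
    counts = Counter()
    for packet in packets:
        parsed = parse_ipv4_tcp(packet)
        if parsed is None or not parsed[4] & RST:
            continue
        _src, sport, dst, _dport, _flags = parsed
        counts[(dst, sport)] += 1
    return counts


# Constructed sample traffic as seen on the server's interface (not real data).
SERVER = "192.0.2.10"
SAMPLE_PACKETS = [
    build_ipv4_tcp("198.51.100.7", 40001, SERVER, 1434, SYN),        # probe of closed port
    build_ipv4_tcp(SERVER, 1434, "198.51.100.7", 40001, RST | ACK),  # server's RST reply
    build_ipv4_tcp("198.51.100.7", 40002, SERVER, 1434, SYN),
    build_ipv4_tcp(SERVER, 1434, "198.51.100.7", 40002, RST | ACK),
    build_ipv4_tcp("203.0.113.5", 51000, SERVER, 80, SYN),           # normal web connect
    build_ipv4_tcp(SERVER, 80, "203.0.113.5", 51000, SYN | ACK),
    build_ipv4_tcp(SERVER, 5432, "203.0.113.5", 51001, RST | ACK),   # one stray RST
]

if __name__ == "__main__":
    for (peer, port), n in rst_targets(SAMPLE_PACKETS).most_common():
        print(f"{n:4d} RST(s) sent to {peer} for closed port {port}")
```

The summary sorts peers by how many RSTs they triggered, which is what the rate-limit log line in the original question cannot tell you; a high count from a single destination behind the firewall usually points at a scanner or a misconfigured client retrying a service that is not listening.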
More information about the freebsd-questions mailing list