SCIENTIFIC-LINUX-USERS Archives

July 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Mark Stodola <[log in to unmask]>
Reply To: Mark Stodola <[log in to unmask]>
Date: Fri, 6 Jul 2012 09:39:05 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (78 lines)

On 07/06/2012 09:29 AM, Anne Wilson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 06/07/12 14:08, Mark Stodola wrote:
>> On 07/06/2012 04:06 AM, Anne Wilson wrote:
>> Logwatch on my laptop tells me
>>
>> Listed by source hosts:
>> Dropped 30 packets on interface eth0
>>    From 192.168.0.40 - 30 packets to tcp(38575)
>>
>> 192.168.0.40 is a mail/file/print server running SL.  It may also
>> be relevant that the laptop has fstab mounts to data areas on the
>> server.
>>
>> I feel that there must be some way I can trace what is actually
>> sending those packets, so that I can make an assessment, but I've
>> no idea how/where to look.  I see that it's an unallocated
>> address, so I've no pointer at all.
>>
>> Where should I start looking?
>>
>> Anne
>>
>> If the connection is still active, you can use a combination of
>> 'netstat -na' and/or 'lsof -nP -i4' to find the process owning the
>> connection. If it isn't, it will be difficult to track down
>> without fancier logging/capturing tools.  You mentioned remote
>> mounts, but not what method (CIFS, NFS, etc).  If it is NFS,
>> pseudo-random ports are chosen for the client connections and may
>> be your culprit.
>>
> It is indeed NFS.  The logs show ~6 of these high-number allocated
> ports listening, so you could well be right.  Is there any way to
> confirm that?  I have several nfs mounts in fstab.  One for each mount
> probably explains it.
>
> netstat -na | grep 38575 tells me that it is listening:
>
> on the laptop:
> tcp        0      0 0.0.0.0:38575               0.0.0.0:*               LISTEN
>
> but doesn't give me any clue as to what it hears :-)
>
> On the server, lsof -nP -i4 doesn't show anything that I can identify
> as the culprit.  Most of the tcp activity comes from either rpc.statd
> and related files of dovecot IMAP.  Mail is checked every 5 minutes
> during working hours, so if it is that, I would expect to see more
> consistent drops.
>
> What do you think?  Am I making false assumptions?
>
> Anne
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk/29mUACgkQj93fyh4cnBcqiwCgi5+O73h4f8GDG/geFSrhgNk/
> hcUAniqupT8kIhfZ339okypDaVvrR49T
> =gGsJ
> -----END PGP SIGNATURE-----

Check with lsof on the laptop what process is listening on that port.  A 
LISTEN means that it is waiting for a connection, but nothing is 
actually actively communicating via that port.  The 0.0.0.0 means it is 
listening on all interfaces/IP ranges.

-- 
Mr. Mark V. Stodola
Senior Control Systems Engineer

National Electrostatics Corp.
P.O. Box 620310
Middleton, WI 53562-0310 USA
Phone: (608) 831-7600
Fax: (608) 831-9591
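
One way to carry out the check suggested above and to test the NFS guess (an added example, not part of the original thread): match the listening port against `netstat -lntp` and, going a step beyond the lsof suggestion, against the portmapper table from `rpcinfo -p`. The sample outputs, PIDs, ports other than 38575 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -lntp` output (run as root to see PIDs).
# "-" in the last column means netstat could not name an owning process.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN  1201/rpcbind
tcp        0      0 0.0.0.0:38575    0.0.0.0:*        LISTEN  1432/rpc.statd
tcp        0      0 0.0.0.0:45211    0.0.0.0:*        LISTEN  -'

# Constructed sample of `rpcinfo -p` output (RPC services and their ports).
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp  51234  status
    100024    1   tcp  38575  status
    100021    4   tcp  45211  nlockmgr'

# Print the PID/program netstat reports for a LISTEN socket on TCP port $1.
# $2 is the netstat output to search.
listener_for_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")      # port is the last colon-separated field
            if (a[n] == p) { print $7; exit }
        }'
}

# Print the RPC service registered on TCP port $1; $2 is the rpcinfo output.
rpc_service_for_port() {
    printf '%s\n' "$2" | awk -v p="$1" '$3 == "tcp" && $4 == p { print $5; exit }'
}

# Combine both views: port, owning process, registered RPC service.
explain_port() {
    owner=$(listener_for_port "$1" "$2")
    svc=$(rpc_service_for_port "$1" "$3")
    if [ -z "$owner" ]; then
        echo "$1: not listening"
        return 1
    fi
    if [ "$owner" = "-" ]; then
        owner="no visible PID (kernel socket, or rerun as root)"
    fi
    echo "$1: owner=$owner rpc=${svc:-none}"
}

explain_port 38575 "$NETSTAT_SAMPLE" "$RPCINFO_SAMPLE"
explain_port 45211 "$NETSTAT_SAMPLE" "$RPCINFO_SAMPLE"
# On a live system: explain_port 38575 "$(netstat -lntp)" "$(rpcinfo -p)"
```

A port that `rpcinfo -p` lists as `status` or `nlockmgr` belongs to the NFS locking services, which would support the NFS explanation; a port with no RPC registration needs the owning process examined directly.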
