On Fri, Jul 6, 2012 at 10:29 AM, Anne Wilson <[log in to unmask]> wrote:
> On 06/07/12 14:08, Mark Stodola wrote:
>> On 07/06/2012 04:06 AM, Anne Wilson wrote: Logwatch on my laptop
>> tells me
>>
>> Listed by source hosts: Dropped 30 packets on interface eth0 From
>> 192.168.0.40 - 30 packets to tcp(38575)
>>
>> 192.168.0.40 is a mail/file/print server running SL.  It may also
>> be relevant that the laptop has fstab mounts to data areas on the
>> server.
>>
>> I feel that there must be some way I can trace what is actually
>> sending those packets, so that I can make an assessment, but I've
>> no idea how/where to look.  I see that it's an unallocated
>> address, so I've no pointer at all.
>>
>> Where should I start looking?
>>
>> Anne
>>
>> If the connection is still active, you can use a combination of
>> 'netstat -na' and/or 'lsof -nP -i4' to find the process owning the
>> connection. If it isn't, it will be difficult to track down
>> without fancier logging/capturing tools.  You mentioned remote
>> mounts, but not what method (CIFS, NFS, etc).  If it is NFS,
>> pseudo-random ports are chosen for the client connections and may
>> be your culprit.
>>
> It is indeed NFS.  The logs show ~6 of these high-number allocated
> ports listening, so you could well be right.  Is there any way to
> confirm that?  I have several nfs mounts in fstab.  One for each mount
> probably explains it.

If it's ifs, you can set the ports to known values through
"/etc/sysconfig/nfs" and then see whether it's one of these ports
that's used.