On Fri, Jul 6, 2012 at 10:29 AM, Anne Wilson <[log in to unmask]> wrote: > On 06/07/12 14:08, Mark Stodola wrote: >> On 07/06/2012 04:06 AM, Anne Wilson wrote: Logwatch on my laptop >> tells me >> >> Listed by source hosts: Dropped 30 packets on interface eth0 From >> 192.168.0.40 - 30 packets to tcp(38575) >> >> 192.168.0.40 is a mail/file/print server running SL. It may also >> be relevant that the laptop has fstab mounts to data areas on the >> server. >> >> I feel that there must be some way I can trace what is actually >> sending those packets, so that I can make an assessment, but I've >> no idea how/where to look. I see that it's an unallocated >> address, so I've no pointer at all. >> >> Where should I start looking? >> >> Anne >> >> If the connection is still active, you can use a combination of >> 'netstat -na' and/or 'lsof -nP -i4' to find the process owning the >> connection. If it isn't, it will be difficult to track down >> without fancier logging/capturing tools. You mentioned remote >> mounts, but not what method (CIFS, NFS, etc). If it is NFS, >> pseudo-random ports are chosen for the client connections and may >> be your culprit. >> > It is indeed NFS. The logs show ~6 of these high-number allocated > ports listening, so you could well be right. Is there any way to > confirm that? I have several nfs mounts in fstab. One for each mount > probably explains it. If it's ifs, you can set the ports to known values through "/etc/sysconfig/nfs" and then see whether it's one of these ports that's used.