On Fri, May 08, 2009 at 01:25:00PM -0700, Darren Reed wrote: > > If it reliably happens with a given port number (or pair), can I ask that > you use tcpdump to capture all of the packets for this and email me the > tcpdump capture file? > > What I'm suspecting is that a TCP connection is being reused and maybe > ipfilter doesn't handle that well. ucdavis...Chico?
That's precisely what I saw, with the NCP protocol (a PC with a new version of the Novell client trying to access Samba shares on Solaris). It was reusing port numbers, before ipf could purge the existing state entry. -- Eric Behr | NIU Mathematical Sciences | (815) 753 6727 [email protected] | http://www.math.niu.edu/~behr/ | fax: 753 1112
