Linux-Networking Digest #924, Volume #9          Mon, 18 Jan 99 15:13:55 EST

Contents:
  Update, Revenge of NT (Jason A Fletcher)
  Re: Security hole with WU-FTPD (mumford)
  WEB search engine ([EMAIL PROTECTED])
  Re: running smtp server and pop3 server on same machine ? (Joerg Klaas)
  Which processes listen on which ports ? (Joerg Klaas)
  Re: Security hole with WU-FTPD (John Girash)
  module net-pf-4 errors (Luca Colombi)
  delays when using dns (Serial # 0)
  Re: Routing problems ... (Chris)
  diald/ppp problems ("Tim Underwood")
  Re: What is pppd doing to my poor modem? ("Stu")
  Re: Configuring PPP server for IPX ("Stu")
  Local networking between Linux machines ([EMAIL PROTECTED])
  Re: dhcpd problems - would appreciate your insight (Chris)
  Re: Samba Troubles (Benjohn007)
  FTP slowing down PPP (Jerome De Greef)
  Re: This is Linux, not Windows, so why not superior flexibility AND idiot-friendly? 
(Stephen R. Savitzky)
  Re: Security hole with WU-FTPD (Daryle Niedermayer)
  Re: Need help with diagnosing a network problem ("Jay D Ribak")

----------------------------------------------------------------------------

From: Jason A Fletcher <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.setup
Subject: Update, Revenge of NT
Date: Mon, 18 Jan 1999 11:08:34 -0500

> Thanks already for the suggestions I've gotten on this forum!

Update: I have an Aha! (maybe.) First, re L J Bayuk's advice I tried
pinging and telnetting via IP addresses. I could do that on my machine but
no others (not even the UNIX sitting on my desk.)  Thus, it looks like my
loopback IP is all right and perhaps my outgoing configurations, but I
still have no network access.

Re Paul's advice (I haven't tried SuprMath's advice yet), I checked the
hardware settings with ifconfig. My hardware settings were fine; I wasn't
getting nailed with the notorious FFFF problem this time. (I unplugged,
waited, and rebooted anyway to make sure.) Now for the Aha: after trying to
ping out to Yahoo and getting no reply, I checked the LEDs on the card.
NONE were lit!!

This changes the problem a little bit.  Conceivably, I suppose, my hardware
(card or cable) might have been damaged in the uninstall/reinstall (again,
revenge of NT). Or, perhaps the power resource management isn't sending
juice to the card. Or maybe the driver is old or bad or corrupted and
simply cannot recognize it. Or perhaps there is a little demon gleefully
cackling and rubbing his hands together in delight as he scrambles my card.
I'm not ruling anything out at this point.

Any ideas? Do any of the above sound plausible? Do you know of something
else that might cause/fix this? I'd love to hear responses; until then, I
think I will do a little research into how to recompile a kernel...

Thanks,

Jason Fletcher



------------------------------

Crossposted-To: comp.security.unix,redhat.networking.general,aus.computers.linux
From: [EMAIL PROTECTED] (mumford)
Subject: Re: Security hole with WU-FTPD
Date: Mon, 18 Jan 1999 17:26:41 GMT

A while ago, Bill Unruh<[EMAIL PROTECTED]> begot:
>In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (M. Buchenrieder) writes:
>>and manually edit the /etc/passwd file to have an entry with an empty
>>password string and no corresponding entry in /etc/shadow, then you'll
>>always be able to login without password. Try it. Add a user manually
>>and login. I just tested it on a SuSE 5.3 system, using login.c v. 1.4 .
>>Using an FTP account to actually access the system is just a way to hide
>>the intruder(s) from the eyes of the sysadmin. But the damage is already
>>done.
>
>His comment is that while login does not allow a remote root login with no
>password, ftp does allow a root login with no password. This is what he
>is calling the bug in ftpd.  It certainly is an inconsistency between
>the two.
>
>It is also true that this bug is minor compared to the bug which allowed
>a root user to be entered into passwd without a password.

In a way it is an inconsistency, but in another way it isn't.  The linux
login program has been hacked (if you will) to pay attention to a file
called /etc/securetty (may vary from distrib to distrib).  Wu-ftpd could
not care less about this file, since ftp doesn't open a tty.

It's not a bug, it's a feature. :)

-- 
Glenn Lamb - [EMAIL PROTECTED]  Finger for my PGP Key.
Email to me must have my address in either the To: or Cc: field.  All other
mail will be bounced automatically as spam.
PGPprint = E3 0F DE CC 94 72 D1 1A  2D 2E A9 08 6B A0 CD 82

------------------------------

From: [EMAIL PROTECTED]
Subject: WEB search engine
Date: Mon, 18 Jan 1999 16:25:34 GMT

Hi,

Does somebody know if there is a WEB search engine for LINUX?

We are now using a WEB search engine on M$-NT 4.0 for indexing all sites
referring to one country, El Salvador. Because of the software prices we
are looking for an alternative...

Thanks for any hints,

Ernesto


------------------------------

From: Joerg Klaas <[EMAIL PROTECTED]>
Crossposted-To: comp.mail.misc,comp.unix.questions
Subject: Re: running smtp server and pop3 server on same machine ?
Date: Mon, 18 Jan 1999 12:31:37 +0100


Well, actually this is the default configuration of nearly all linux (if
not all Unix variations) distributions.
There's nothing special to take care of.
SMTP and POP3 do not really interact directly with each other.
POP3 is only being used by clients to read mails, while SMTP is usually
only used for sending post, as well as for general server to server mail
transfers.
Joerg


e-account wrote:

> Hello,
>
> Is it possible to run both smtp and pop3 servers on the same machine?
> If so, are they able to transfer mail from the one to the other?
> We seem to have some problem to implement it.
>
> Feel free to comment.
>
> Thanks


------------------------------

From: Joerg Klaas <[EMAIL PROTECTED]>
Subject: Which processes listen on which ports ?
Date: Mon, 18 Jan 1999 07:28:12 +0100


Does anyone know an easy way to find out, which processes are listening
on which port ?
I'm thinking about a combination of "netstat -na" and "ps -xla".

If my problem is still not clear:
"netstat" gives me a list of open/possible connections.
"ps -xa" gives me a list of processes
How can I link these two outputs together ?

Thanks, Joerg.





------------------------------

From: John Girash <[EMAIL PROTECTED]>
Crossposted-To: comp.security,comp.security.unix,redhat.general,redhat.networking.general,aus.computers.linux
Subject: Re: Security hole with WU-FTPD
Date: 18 Jan 1999 18:20:34 GMT

In comp.security.unix Daryle Niedermayer <[EMAIL PROTECTED]> wrote:
: This is a multi-part message in MIME format.

blah.

: I would rebut this statement by saying that NO software package should be content
: with being the weakest link (or a weak link) in the security system. The fact
: that WU-ftp allows an exploitation that the login package will not permit and
: that WU-ftp handles security in a method opposite to the manner in which the
: login process manages security makes it a dangerous package.

You seem to be assuming that (a) there is/should-be tight coordination
between how the different "packages" (as you call them) implement password-
based security, and (b) that "login" is/should-be the reference for all 
others.  I don't see why either should be the case; they're different 
services each of which stands on its own.  (Please correct me if I'm wrong).

And the "NO software package should be content..." line is just plain silly.
The absolute security of a service is far more important than the relative.
(i.e. you need to look at the vulnerabilities of each individually, and not
just say "well, service X is weaker than Y so I don't need to worry about Y".)

I'd also disagree that the wu-ftpd behaviour constitutes an "exploit" in this
case.  In your opinion it may not be a desirable feature, but that don't make
it a bug.  The fact that your system was broken (probably) wasn't ftpd's fault.

followsup culled to something more reasonable
jg

-- 
"don't listen when you're told / about the best days in your life  : Spirit of
 a useless old expression, it means / passing time until you die." :  the West
 -----------------------------------------------------------------------------
  -- John Girash --- [EMAIL PROTECTED] --- http://skyron.harvard.edu/ --

------------------------------

From: Luca Colombi <[EMAIL PROTECTED]>
Subject: module net-pf-4 errors
Date: Mon, 18 Jan 1999 18:26:23 +0000

I receive the following error messages during boot up.

modprobe: can't locate module net-pf-4
modprobe: can't locate module net-pf-5

Does anybody know what that means ?

--
Luca Colombi
System Administrator
The Hub Communications Co. Ltd.
The Farmhouse
Syon Park
Middlesex
TW8 8JF

Tel: +44(0)181 560 9222         Fax: +44(0)181 560 9333
E-mail: [EMAIL PROTECTED]       URL: http://www.thehub.co.uk




------------------------------

From: [EMAIL PROTECTED] (Serial # 0)
Subject: delays when using dns
Date: Mon, 18 Jan 1999 18:13:08 GMT

I have a windows NT Server 4.0 that's running a dns server. I use
it for testing purposes only, and everything seems to work, I can
ping, do nslookups from both win & linux clients.

However, when the following is stated in the /etc/resolv.conf file
on the linux clients,

domain crackworld.com           <-- a zone created on my internal network
nameserver 192.168.0.1          <-- IP of the NT4.0 server


it takes forever to start sendmail, smb services, httpd .....

Even telnetting to the linux client takes a very long time with this
resolv.conf file.

However, when I comment out those lines, everything runs smoothly,
I can telnet to the linux client, sendmail takes about a second to start,
and I have no problems, except for the fact that it isn't using dns.

Is there a way to have the client use dns, and to not have these
network delays when starting sendmail, telnet ....


Thx



------------------------------

From: [EMAIL PROTECTED] (Chris)
Subject: Re: Routing problems ...
Date: Mon, 18 Jan 1999 18:38:57 GMT

On Mon, 11 Jan 1999 10:57:23 -0400, Daniel Tyrode <[EMAIL PROTECTED]>
wrote in comp.os.linux.networking:

>machine1:
>IP: 150.185.162.129
>NETMASK: 255.255.255.192
>IP network: 150.185.162.128
>Broadcast: 150.185.162.191

>machine2:
>IP: 150.185.162.193
>Netmask: 255.255.255.192
>IP network: 150.185.162.192
>Broadcast: 150.185.162.255

>machine3: ( router and gateway to the outside )
>IP: 150.185.162.29
>Netmask: 255.255.255.128
>IP network: 150.185.162.0
>Broadcast: 150.185.162.127
>
>This last machine has three ethernet cards, one that goes to machine1
>another that goes to machine2 and a third one that goes to the principal
>gateway ( in this case a computer with an IP 150.185.162.1 ) that exits
>to the Internet.

Machine 3 would therefore have three IP addresses, with the one listed
representing the interface that connects to the router.  What are the
other two?

>For some reason, machine1 and machine2 can get connected with each other
>through machine 3, and they can also get connected with machine3.
>Unfortunately I have been unable to establish connection from any
>machine1 or machine2 to the principal gateway (150.185.162.1) thus the
>outside, although machine3 has normal access to the outside.

The fact that machines one and two can talk means that you have most of
the hard stuff done.  Your problem is probably confined to the firewall
rules and/or the route instructions.  We need more information about your
server's configuration.  The output of the following would help:

route -n
ipfwadm -l -I -n
ipfwadm -l -F -n
ipfwadm -l -O -n


------------------------------

From: "Tim Underwood" <[EMAIL PROTECTED]>
Subject: diald/ppp problems
Date: Mon, 18 Jan 1999 16:57:52 GMT

I am trying to use diald for on-demand dialing for a ppp connection to my
ISP.

ppp works, diald works, BUT

diald connects whenever I do a route command, netstat, netstat -r, etc.
Each of these commands 'hangs' until connected, then displays the
information.  And then I'm connected.  It also does this when loading X (I
know there is a patch for X, I haven't installed it yet - I'd really like to
avoid recompiling X if possible).

Why?  How do I stop this behavior?  I am using 'official blue box' RH 5.2
workstation install.



------------------------------

From: "Stu" <[EMAIL PROTECTED]>
Subject: Re: What is pppd doing to my poor modem?
Date: Mon, 18 Jan 1999 13:41:16 -0500

>Did you just plug the new modem and things worked without any Linux
>configuration changes?  If so then check such things as

Yea, My modem init string is AT&F1 I like to keep it simple. I'm sure
there's an AT command for it, and I was hoping if I knew what Linux was
doing at time of error, I could figure out what the appropriate AT command
string would be. Is it flow control? is it timing? I have no idea.

>Modem AT command set profile not configured for hardware flow control
>
>Mismatched UART for modem speed capability

How do I check this/ what does that mean?

>Bad cable/connector/connection

That I had checked.
Thanks for your information and ideas, I'll keep looking, but if you have
any more tips, I'd appreciate.





------------------------------

From: "Stu" <[EMAIL PROTECTED]>
Subject: Re: Configuring PPP server for IPX
Date: Mon, 18 Jan 1999 13:42:39 -0500

Whoops. Sorry. I sit corrected. (I'm more programmer than network engineer
:-)





------------------------------

From: [EMAIL PROTECTED]
Subject: Local networking between Linux machines
Date: Mon, 18 Jan 1999 17:46:57 GMT

Hello

I just started using Linux, and it is very good. But I
have a question, that I think it is more conceptual than
technical.

If I have 3 pcs with Linux, one is to be the "server", and
the other 2 are to be "client", how to set up users
and groups? I have to create all possible users in all
machines? In NT (I think, I am not expert) the Win95
pc looks for a list of users somewhere, and I can use my
username/password in any machine in the network. In
linux there is something like that? I have experience
with other unixes, but there was always only one (or
more) server and the clients were dummy terminals
(there was no unix installed on them). Is there some
HowTo to make me understand the basics?

Thank you.






------------------------------

From: [EMAIL PROTECTED] (Chris)
Subject: Re: dhcpd problems - would appreciate your insight
Date: Mon, 18 Jan 1999 18:51:39 GMT

On Sun, 17 Jan 1999 22:15:10 GMT, [EMAIL PROTECTED] (Daddy Rabbit)
wrote in comp.os.linux.networking:

>No subnet declaration for eth0 (0.0.0.0)

When you start dhcpd, it automatically assumes you want to issue leases on
all known interfaces.  This means it expects to find a valid address
assignment range for all visible networks.  Your choices are to either
specify the interface as part of the command line when starting the daemon
or include an empty range of addresses for each subnet you don't want to
serve.

Since your error message references an unconfigured interface (are you
using dhcpcd to get an address for a second ethernet card?), the easier
solution for you would be to specify the interface as part of the daemon
script(s).  You can do the same thing with dhcpcd so that the two dhcp
services don't talk to each other.


------------------------------

From: [EMAIL PROTECTED] (Benjohn007)
Subject: Re: Samba Troubles
Date: 18 Jan 1999 15:37:17 GMT

I know the answer to the first part.
It is because NT SP 4 uses password encryption. You have to disable this in the
NT registry. There is a file included with the samba packages called *.reg
that'll do this for u. Also check ur smb.conf file and look for the line that
talks about encryption.

------------------------------

From: Jerome De Greef <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.misc,comp.os.linux.setup
Subject: FTP slowing down PPP
Date: Mon, 18 Jan 1999 16:36:01 +0100

Hi,

I've a strange problem using PPP 2.3.3 with RedHat 5.1 Kernel 2.0.36,
BocaModem 28.8, P90 48 Mb RAM.
Everything is working fine until I make a download (via FTP, MC  or
Netscape). Then, as soon as the file transfer begins (at 2.7 Kb/Sec,
seems OK for a 28.8 modem) , it seems it's using the whole bandwidth and
if I continue to browse, Netscape drops at less than 100 bytes/sec (I've
seen 7 bytes/sec one time :-( ).
I've played with MRU and MTU and using ping I have my response time
ranging from >5000 ms (MRU = 1500) to 800-1000 ms (MRU=296). I use
Asyncmap=0, crtscts, etc

Is it normal or am I missing something (should I say that I never had
this problem with Win95)?

Thanks for helping,
Jerome



------------------------------

From: [EMAIL PROTECTED] (Stephen R. Savitzky)
Crossposted-To: comp.os.linux.misc,comp.os.linux.portable,comp.os.linux.powerpc,comp.os.linux.setup
Subject: Re: This is Linux, not Windows, so why not superior flexibility AND idiot-friendly?
Date: 17 Jan 1999 10:12:59 -0800

[EMAIL PROTECTED] (Allan Olesen) writes:

> [EMAIL PROTECTED] wrote:
> 
> >*CAN* you grep in windows?
> 
> Sorry for my Linux ignorance. My experience with Linux is one week
> old, so I may have misunderstood the purpose of grep. Grep is the
> function that can search several files for a text string, right?

Command, not function, but basically yes.  It can also search for
"regular expressions" -- that's the "re" part of the name.  You can also
control case sensitivity, and so on.  The following finds all instances
of "q" not followed by "u" in files with ".html" extensions:

  grep -i 'q[^u]' *.html

(Note that selecting the .html files is done by the shell, not by grep.)

> You can do that in W95 too. It is part of the standard built-in file
> search function, which can search for file names, sizes, dates and
> text strings. But it cannot replace text strings (don't know if Linux
> grep can), and it cannot be used from a prompt instead of GUI (suppose
> that Linux grep can).

All these functions are actually performed by the "find" command (in
combination with "grep" for text searching and "sed" or "perl" for
replacement).  For example, I use the following little script for
computing line counts and displaying them graphically (using a program,
"xdu", originally designed for displaying disk usage):

find ${*-.} -type f ! -name '*~' ! -name '#*' ! -name '.#*' \
    ! -name '*.class' ! -name '*.o' ! -name '*.log' ! -name '*.zip' \
    -exec wc -l {} \; \
    | xdu -c 4 -name "Line Counts: $*" -geom +105+80

and this one for doing a global replace (replacing "aux" with "util") in
all files named "Repository".

  find . -name "Repository" -exec perl -p -i -e 's@/aux/@/util/@' {} \;

(exactly _why_ I had to do that is left as an exercise for the reader.)


Bottom line: it is Unix's ability to _combine_ commands that makes it so
powerful. 

-- 
 /   Steve Savitzky   \ 1997 Pegasus Award winner: best science song--+  \
/ <[EMAIL PROTECTED]> \     http://www.starport.com/people/steve/    V   \
\  hacker/songwriter:   \   http://www.starport.com/people/steve/Doc/Songs/
 \_ Kids' page: MOVED ---> http://www.starport.com/places/forKids/ ______/

------------------------------

From: Daryle Niedermayer <[EMAIL PROTECTED]>
Crossposted-To: comp.security,comp.security.unix,redhat.general,redhat.networking.general,aus.computers.linux
Subject: Re: Security hole with WU-FTPD
Date: Mon, 18 Jan 1999 09:13:57 -0600




"M. Buchenrieder" wrote:

> Not "exploit" . It's called "stupidity".
>
> >By adding an entry to the bottom of the passwd file:
> >test::0:0:dummyname:/:/bin/bash
>
> >without a password marker, our login scripts will not let you login with a
> >shell, but they will let you open an ftp connection with root permissions.

First, thank you to all who responded to this thread.

Second, let me restate for the benefit of those (apart from Barry and a few
others) who skimmed over my earlier posting, that the exploit began with the
hacker adding an entry like this to the /etc/passwd file. I haven't yet figured
out how this exploit began but at the time we were running an NFS client
package on this Linux machine. It was installed unintentionally as part of the
Redhat 5.0 initial installation and was probably not configured properly. It
could be argued that allowing a machine to have software running that isn't
used or properly configured and monitored is stupid. I won't argue that point
but I won't necessarily agree with it either.

We DID NOT PUT THIS ENTRY IN THE /etc/passwd FILE. The hacker did. My knowledge
of NFS and NIS is not yet sufficient to know if this is the mechanism used or
if this is even a likely hypothesis to test. The /etc/passwd file had
permissions 0644. The hacker may have had access to a seldom used user-shell
account but this wouldn't have given him writable access to the /etc/passwd
file. In looking a little further, the vipw executable had permissions 0755.
(It has since been changed to 0500). But even then, trying to change the passwd
using vipw but not logged in as root results in the following error:

bob[1]% vipw
vipw: Couldn't lock file: Permission denied
vipw: /etc/passwd is unchanged

(with permissions of 755), but I like the look of:

bob[5]% vipw
/usr/sbin/vipw: Permission denied.

 (with permissions 0500) better.

Still, this is another possible avenue for the first exploitation if the hacker
was able to obtain a file lock, then he would have suid capabilities for the
/etc/passwd file would he not?

I'm still at a loss to figure out how this first step of the exploitation was
accomplished.

About WU-FTP. Thanks Barry for restating my point with such clarity. IMHO,
WU-FTP should not be allowing openings that the shells deny. The hacker got to
our /etc/passwd file. That's the first line breached. Unless he can also edit
the /etc/shadow file, he can't telnet in and that file is perm 0400 and owned
by root. On our system you can't even use the root password to su to root
unless you also belong to the group root in the /etc/group file and the
/etc/group file is owned by root with perm 0644. So, even if someone could get
to the /etc/passwd file, they can't go much farther into getting shell access.

Enter WU-FTP which just seems to say: "No encrypted passwd entry? No problem!
Even though login won't accept a null password field in the /etc/passwd file, I
will! Come on in!" I agree that some sites need to have a guest account with no
passwd but that should be defined by the passwd field in the /etc/shadow file
and not the absence of a "x" marker in the /etc/passwd file's password field
(which it is for logins on systems running shadow utilities). It can be argued
(unconvincingly in my opinion) that there are other ways to secure a system. I
would rebut this statement by saying that NO software package should be content
with being the weakest link (or a weak link) in the security system. The fact
that WU-ftp allows an exploitation that the login package will not permit and
that WU-ftp handles security in a method opposite to the manner in which the
login process manages security makes it a dangerous package.

> You shot yourself into the foot. Setting up an FTP-only account
> with root permissions is as silly as displaying the root password
> at the login screen. Sheesh.

For the benefit of others who might have misread my earlier posting. We do not
have a root-only ftp account and users with the root passwd cannot login as
root apart from at the system's console. All users who need to use root
permissions must login as themselves and then su to root. This was not an
avenue for the first step in the exploitation.

For the benefit of others who offered advice on which ftpd to install, I'm
trying out the proftpd. It was easy to build. The configuration options are
rather complex but comprehensive (which is OK given the issues we have faced)
and it was very easy to build and install.

As to possible back-doors left by the hacker: We looked at all the logs and
file timestamps after the attack. We used the rpm verify option to verify all
files against their Redhat RPM source files (a nice utility), and replaced any
suspect packages. We improved our logging of suspicious activity and
uninstalled all NFS related packages.
--

********************************
Daryle Niedermayer
Programmer/Analyst
GDS & Associates Systems. Ltd.
400 - 4211 Albert St.
Regina, SK Canada -- S4S 3R6
Phone: 306.586.7832
Fax: 306.585.1514
email: [EMAIL PROTECTED]
http://www.gds.ca
********************************
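
[Added example, not part of the original digest or of any poster's message: a shell check for the condition this thread describes, a passwd entry whose password field is empty (no "x" marker) and a UID 0 account other than root. The function name audit_passwd, the finding labels and the sample files are constructed for illustration; only the "test" line comes from the thread.]

```shell
#!/bin/sh
# audit_passwd PASSWD_FILE SHADOW_FILE
# Prints one finding per line (labels are this example's own):
#   EMPTY_PW <user>         password field in passwd is empty
#   NO_SHADOW <user>        passwd says "x" but shadow has no entry
#   EMPTY_SHADOW_PW <user>  passwd says "x" and the shadow hash is empty
#   EXTRA_UID0 <user>       UID 0 account that is not named root
audit_passwd() {
    awk -F: '
        # Records from the shadow file (first argument): remember each
        # user and whether the stored hash field is empty. Comparing
        # FILENAME keeps this correct even when the shadow file is empty.
        FILENAME == ARGV[1] {
            if ($1 != "") {
                in_shadow[$1] = 1
                if ($2 == "") empty_hash[$1] = 1
            }
            next
        }
        # Records from the passwd file: skip blank lines and comments.
        $0 == "" || /^#/ { next }
        {
            user = $1; pw = $2; uid = $3
            if (pw == "")
                print "EMPTY_PW " user
            else if (pw == "x" && !(user in in_shadow))
                print "NO_SHADOW " user
            else if (pw == "x" && (user in empty_hash))
                print "EMPTY_SHADOW_PW " user
            if (uid == 0 && user != "root")
                print "EXTRA_UID0 " user
        }
    ' "$2" "$1"
}

# Constructed sample data. The "test" line is the entry quoted in the
# thread; every other account and hash string is invented.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:500:500:Bob:/home/bob:/bin/bash
ftp:x:14:50:FTP User:/home/ftp:
alice:x:501:501:Alice:/home/alice:/bin/bash
test::0:0:dummyname:/:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$constructed$hashvalue:10609:0:99999:7:::
bob:$1$constructed$hashvalue:10609:0:99999:7:::
ftp:*:10609:0:99999:7:::
EOF
    audit_passwd "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo
```

To check a live system, run audit_passwd /etc/passwd /etc/shadow as root.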




------------------------------

From: "Jay D Ribak" <[EMAIL PROTECTED]>
Subject: Re: Need help with diagnosing a network problem
Date: Mon, 18 Jan 1999 10:48:44 -0500

I know this is a little late, but I had been on vacation the past week.   I
solved the problem--it is a bit long-winded, though.   I replaced the hub
with a switch, but was still seeing collisions.   The new switch, however,
had individual collision lights, so I could see where they were coming
from...they were coming from the uplink port!  The short version of the
story is that the uplink port on the original switch was set to Full-duplex
and it was trying to communicate with a half-duplex hub, then a half-duplex
switch.  I set my new switch to full duplex on that port and the problem
disappeared.   I can't believe I didn't see that to begin with...

Thanks for the tips though
Jay R

Joerg Ammon wrote in message <[EMAIL PROTECTED]>...
>Hi Jay,
>
>in case you're planning to replace your hub by a switch - do that quick!
>Since a switch writes packet statistics on every port it's really no big deal to
>identify a bad NIC (in case you have one!).
>
>From what I can see in your loggings it might as well be just a busy
>shared media ethernet!!!
>What applications have you got running?
>How many user accessing this segment?
>etc...
>
>Do a quick calculation AND change to a switch soon!
>
>The only proper way of identifying a bad hub port is shuffling the links to free
>ports ;-(
>
>In case you've got some sort of packet sniffer (there is e.g. tcpdump) you might
>as well get a hint of your problem on actual looking at the packets themselves. If
>you see a large number of error frames you can then identify the host.
>
>Jay D Ribak wrote:
>
>> Hi,
>>     I am having a bit of a network problem on my small network.  I am not
>> sure where to go from here to troubleshoot the problem further.  Background:
>> 5 Linux PCs on a mini-hub, all running 10mbs ethernet.  The hub is uplinked
>> to a 10mbs switch, which is in turn connected to a Cisco router and a T1.  I
>> have noticed huge numbers of collisions lately on each system.   When
>> looking at the hub, the collision LED is blinking at least once every two
>> seconds.  Here are some stats from ifconfig on one of the boxes:
>>
>> UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:62419179 errors:1984 dropped:1984 overruns:627 frame:1984
>>           TX packets:63294738 errors:2 dropped:0 overruns:0 carrier:256644 coll:436889
>>           Interrupt:10 Base address:0x300
>>
>> As you can see the number of collisions is quite large.  This is now slowing
>> down performance between the systems, and from the T1 into the servers from
>> the outside world.   I am not sure if I have a bad NIC somewhere, a bad port
>> on the hub, or what.   I also don't know how to figure that out from here.
>> I have another 10mbs switch on order, and I plan on replacing the hub with
>> the switch.   From what I understand of switching technology this should
>> significantly lower or eliminate the collisions.   I don't really like the
>> idea of glossing over a potential problem with a NIC though.   The systems
>> are also high availability servers and so I can't just bring them down to
>> swap out NICs  unless I have proof that one is indeed bad.
>>
>> What tools are there in Linux to allow me to analyze network traffic to
>> figure out which system is causing all of the collisions?
>>
>> Thanks
>> Jay R.



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.networking) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Networking Digest
******************************
