On Wed, 2007-12-12 at 22:25 -0500, Chris Knadle wrote:
> Hmm. So you're saying there's a direct link between TCP packets on port
> 80 and UDP packets on port 137. Think about that for a minute.
>
> It doesn't make sense. I don't doubt that you're seeing this behavior,
> but there's no simple way to explain it.

Here's a sample of the Firestarter report of "serious events". It shows the
one-to-one correspondence that wasn't apparent in /var/log/messages:

Time:Dec 12 23:02:49 Direction: Inbound In:eth0 Out: Port:137 Source:192.168.1.1 Destination:192.168.1.150 Length:78 TOS:0x00 Protocol:UDP Service:Samba (SMB)
Time:Dec 12 23:03:06 Direction: Inbound In:eth0 Out: Port:80 Source:192.168.1.1 Destination:192.168.1.150 Length:60 TOS:0x00 Protocol:TCP Service:HTTP
Time:Dec 12 23:03:39 Direction: Inbound In:eth0 Out: Port:137 Source:192.168.1.1 Destination:192.168.1.150 Length:78 TOS:0x00 Protocol:UDP Service:Samba (SMB)
Time:Dec 12 23:03:53 Direction: Inbound In:eth0 Out: Port:80 Source:192.168.1.1 Destination:192.168.1.150 Length:60 TOS:0x00 Protocol:TCP Service:HTTP
Time:Dec 12 23:04:23 Direction: Inbound In:eth0 Out: Port:137 Source:192.168.1.1 Destination:192.168.1.150 Length:78 TOS:0x00 Protocol:UDP Service:Samba (SMB)
Time:Dec 12 23:04:41 Direction: Inbound In:eth0 Out: Port:80 Source:192.168.1.1 Destination:192.168.1.150 Length:60 TOS:0x00 Protocol:TCP Service:HTTP
Time:Dec 12 23:05:11 Direction: Inbound In:eth0 Out: Port:137 Source:192.168.1.1 Destination:192.168.1.150 Length:78 TOS:0x00 Protocol:UDP Service:Samba (SMB)
Time:Dec 12 23:05:29 Direction: Inbound In:eth0 Out: Port:80 Source:192.168.1.1 Destination:192.168.1.150 Length:60 TOS:0x00 Protocol:TCP Service:HTTP
Time:Dec 12 23:05:59 Direction: Inbound In:eth0 Out: Port:137 Source:192.168.1.1 Destination:192.168.1.150 Length:78 TOS:0x00 Protocol:UDP Service:Samba (SMB)
Time:Dec 12 23:06:17 Direction: Inbound In:eth0 Out: Port:80 Source:192.168.1.1 Destination:192.168.1.150 Length:60 TOS:0x00 Protocol:TCP Service:HTTP
Time:Dec 12 23:06:47 Direction: Inbound In:eth0 Out: Port:137 Source:192.168.1.1 Destination:192.168.1.150 Length:78 TOS:0x00 Protocol:UDP Service:Samba (SMB)
Time:Dec 12 23:07:05 Direction: Inbound In:eth0 Out: Port:80 Source:192.168.1.1 Destination:192.168.1.150 Length:60 TOS:0x00 Protocol:TCP Service:HTTP
Time:Dec 12 23:07:35 Direction: Inbound In:eth0 Out: Port:137 Source:192.168.1.1 Destination:192.168.1.150 Length:78 TOS:0x00 Protocol:UDP Service:Samba (SMB)
Time:Dec 12 23:07:52 Direction: Inbound In:eth0 Out: Port:80 Source:192.168.1.1 Destination:192.168.1.150 Length:60 TOS:0x00 Protocol:TCP Service:HTTP
Time:Dec 12 23:08:22 Direction: Inbound In:eth0 Out: Port:137 Source:192.168.1.1 Destination:192.168.1.150 Length:78 TOS:0x00 Protocol:UDP Service:Samba (SMB)
Time:Dec 12 23:08:40 Direction: Inbound In:eth0 Out: Port:80 Source:192.168.1.1 Destination:192.168.1.150 Length:60 TOS:0x00 Protocol:TCP Service:HTTP
Time:Dec 12 23:09:10 Direction: Inbound In:eth0 Out: Port:137 Source:192.168.1.1 Destination:192.168.1.150 Length:78 TOS:0x00 Protocol:UDP Service:Samba (SMB)

and here is another sample from /var/log/messages

=== grep eth0 /var/log/messages | tail -10 ===
Dec 12 23:14:48 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13574 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:02 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13586 DF PROTO=TCP SPT=1720 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 12 23:15:07 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13587 DF PROTO=TCP SPT=1720 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 12 23:15:31 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13588 DF PROTO=TCP SPT=1720 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 12 23:15:32 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13589 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:33 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13590 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:34 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13591 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:35 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13592 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:36 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13593 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:50 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13605 DF PROTO=TCP SPT=1721 DPT=80 WINDOW=8192 RES=0x00 SYN URGP

> > I now have a hardcopy of the script which implements "service network
> > start/stop/restart". The networking scripts are easier to decipher from
> > hardcopy than from the screen. (I own an inkjet printer, a gift from a
> > friend, but I never bought cartridges for it.) "service network stop"
> > invokes ifdown-eth. I have the hardcopy for ifdown-eth. I can understand
> > the Bash, but I don't understand what the code is doing.
>
> I'm assuming you mean that certain external programs are called and that
> you don't know what those do.

ifdown-eth tests for a lot of what appears to be special cases:
1. BRIDGE
2. SLAVE
3. REALDEVICE
I don't see anything in the script that looks like the primary function or
the main body.

> -- Chris
>
> _______________________________________________
> Mid-Hudson Valley Linux Users Group http://mhvlug.org
> http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug
> Upcoming Meetings (6pm - 8pm) MHVLS Auditorium
> Dec 5 - Open Source Show and Tell
> Jan 2 - TBD
> Feb 6 - DBUS
> Mar 5 - Setting up a platform-independent home/small office network using
> Linux
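Added here as an illustration, not part of the thread: a small parser for the iptables LOG lines quoted above that separates distinct TCP connection attempts from SYN retransmissions (SYNs sharing one source port and 4-tuple) and reports the spacing of the UDP/137 datagrams, which is the kind of reading a firewall log needs before a one-to-one link between the two can be judged. The year on the syslog timestamps is assumed to be 2007 from the thread date.

```python
import re
from collections import defaultdict
from datetime import datetime

# The ten iptables LOG lines from the /var/log/messages sample in the post
# above; the trailing "URGP" on the last line is truncated there and kept as-is.
SAMPLE = """
Dec 12 23:14:48 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13574 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:02 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13586 DF PROTO=TCP SPT=1720 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 12 23:15:07 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13587 DF PROTO=TCP SPT=1720 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 12 23:15:31 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13588 DF PROTO=TCP SPT=1720 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 12 23:15:32 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13589 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:33 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13590 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:34 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13591 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:35 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13592 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:36 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=13593 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 12 23:15:50 alweiner kernel: Inbound IN=eth0 OUT= MAC=00:07:e9:01:b2:09:00:18:3a:53:f7:fb:08:00 SRC=192.168.1.1 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13605 DF PROTO=TCP SPT=1721 DPT=80 WINDOW=8192 RES=0x00 SYN URGP
""".strip().splitlines()

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value pairs (OUT= may be empty)
FLAG = re.compile(r"\b(SYN|ACK|FIN|RST|DF)\b")   # bare flag words carry no '='

def parse_line(line):
    """Split one kernel LOG line into its key=value fields plus a FLAGS set."""
    # syslog timestamps carry no year; 2007 is assumed from the thread date
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2007)
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # first LEN is the IP length, not the UDP one
    fields["FLAGS"] = set(FLAG.findall(line))
    fields["TS"] = ts
    return fields

def summarize(lines):
    """Group TCP SYNs by 4-tuple (same SPT = retransmissions of one connection
    attempt) and collect the UDP/137 datagrams with their inter-arrival gaps."""
    attempts = defaultdict(list)
    udp137 = []
    for ev in map(parse_line, lines):
        if ev["PROTO"] == "TCP" and "SYN" in ev["FLAGS"] and "ACK" not in ev["FLAGS"]:
            attempts[(ev["SRC"], ev["SPT"], ev["DST"], ev["DPT"])].append(ev["TS"])
        elif ev["PROTO"] == "UDP" and ev["DPT"] == "137":
            udp137.append(ev["TS"])
    gaps = [(b - a).total_seconds() for a, b in zip(udp137, udp137[1:])]
    return {
        "tcp_syn_packets": sum(len(v) for v in attempts.values()),
        "tcp_connection_attempts": len(attempts),
        "syns_per_attempt": {spt: len(v) for (_, spt, _, _), v in attempts.items()},
        "udp137_packets": len(udp137),
        "udp137_gaps_seconds": gaps,
    }
```

On the ten lines above this yields two HTTP connection attempts (source ports 1720 and 1721, the first retransmitted twice) and six UDP/137 datagrams, five of them one second apart.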
