On 07/06/2012 09:29 AM, Anne Wilson wrote:
> On 06/07/12 14:08, Mark Stodola wrote:
>> On 07/06/2012 04:06 AM, Anne Wilson wrote:
>>> Logwatch on my laptop tells me
>>>
>>> Listed by source hosts: Dropped 30 packets on interface eth0
>>>   From 192.168.0.40 - 30 packets to tcp(38575)
>>>
>>> 192.168.0.40 is a mail/file/print server running SL. It may also
>>> be relevant that the laptop has fstab mounts to data areas on the
>>> server.
>>>
>>> I feel that there must be some way I can trace what is actually
>>> sending those packets, so that I can make an assessment, but I've
>>> no idea how/where to look. I see that it's an unallocated
>>> address, so I've no pointer at all.
>>>
>>> Where should I start looking?
>>>
>>> Anne
>>
>> If the connection is still active, you can use a combination of
>> 'netstat -na' and/or 'lsof -nP -i4' to find the process owning the
>> connection. If it isn't, it will be difficult to track down
>> without fancier logging/capturing tools. You mentioned remote
>> mounts, but not what method (CIFS, NFS, etc). If it is NFS,
>> pseudo-random ports are chosen for the client connections and may
>> be your culprit.
>
> It is indeed NFS. The logs show ~6 of these high-number allocated
> ports listening, so you could well be right. Is there any way to
> confirm that? I have several nfs mounts in fstab. One for each mount
> probably explains it.
>
> netstat -na | grep 38575 tells me that it is listening:
>
> on the laptop:
> tcp 0 0 0.0.0.0:38575 0.0.0.0:* LISTEN
>
> but doesn't give me any clue as to what it hears :-)
>
> On the server, lsof -nP -i4 doesn't show anything that I can identify
> as the culprit. Most of the tcp activity comes from either rpc.statd
> and related files of dovecot IMAP. Mail is checked every 5 minutes
> during working hours, so if it is that, I would expect to see more
> consistent drops.
>
> What do you think? Am I making false assumptions?
>
> Anne
Check with lsof on the laptop what process is listening on that port. A
LISTEN means that it is waiting for a connection, but nothing is
actually actively communicating via that port. The 0.0.0.0 means it is
listening on all interfaces/IP ranges.
--
Mr. Mark V. Stodola
Senior Control Systems Engineer
National Electrostatics Corp.
P.O. Box 620310
Middleton, WI 53562-0310 USA
Phone: (608) 831-7600
Fax: (608) 831-9591