[opensuse] netstat -inc showing steady flow of packets, why?
All,

I happened to notice that one of my machines that should be basically idle is showing about 20 packets a second coming in and out.

This server is running samba and connected to a small network, but the volume is too small and slow to be a user interacting with the share.

And I connected in via ssh to initiate the command, but I *assume* that the below is not all due to my ssh session. (i.e. I hope I am not just seeing the packets generated by me watching. Ooh, spooky physics time.)

===
# netstat -inc
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth2   1500   0 13513328      0      0      0 20660318      1      0      0 BMRU
lo    16436   0        3      0      0      0        3      0      0      0 LRU
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth2   1500   0       20      0      0      0       19      0      0      0 BMRU
lo    16436   0        0      0      0      0        0      0      0      0 LRU
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth2   1500   0       21      0      0      0       19      0      0      0 BMRU
lo    16436   0        0      0      0      0        0      0      0      0 LRU
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth2   1500   0       24      0      0      0       25      0      0      0 BMRU
lo    16436   0        0      0      0      0        0      0      0      0 LRU

And it continues like that for a long time. I've spot checked at various times since I noticed this yesterday.

Greg
--
Greg Freemyer
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
First 99 Days Litigation White Paper - http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
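The repeated tables from netstat -inc are easy to summarise by script, which also makes the "is it really steady?" question answerable without staring at the terminal. The Python below is an added example for this thread, not code from the original post or from net-tools. The sample text is the post's own output re-typed one row per line, and the script assumes what that output shows: the first table holds cumulative counters and every later table holds the packets counted in the interval since the previous one. It reports the interfaces that carry traffic in every interval, plus any non-zero error/drop counters.

```python
"""Summarise repeated `netstat -inc` tables into per-interface packet rates.

Added example for this thread, not code from the original post. Assumption,
taken from the output shown in the post: the first table holds cumulative
counters and every later table holds the packets counted in the interval
since the previous one.
"""

# Constructed sample: the post's own four tables, re-typed one row per line.
SAMPLE = """\
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth2   1500   0 13513328      0      0      0 20660318      1      0      0 BMRU
lo    16436   0        3      0      0      0        3      0      0      0 LRU
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth2   1500   0       20      0      0      0       19      0      0      0 BMRU
lo    16436   0        0      0      0      0        0      0      0      0 LRU
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth2   1500   0       21      0      0      0       19      0      0      0 BMRU
lo    16436   0        0      0      0      0        0      0      0      0 LRU
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth2   1500   0       24      0      0      0       25      0      0      0 BMRU
lo    16436   0        0      0      0      0        0      0      0      0 LRU
"""

COLUMNS = ("iface", "mtu", "met", "rx_ok", "rx_err", "rx_drp", "rx_ovr",
           "tx_ok", "tx_err", "tx_drp", "tx_ovr", "flg")
COUNTERS = COLUMNS[1:-1]  # every numeric column


def parse_netstat_inc(text):
    """Split the output into tables; each table maps iface -> dict of counters."""
    tables = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Iface":  # a header line starts a new table
            tables.append({})
            continue
        if not tables or len(fields) != len(COLUMNS):
            continue  # "Kernel Interface table" banner or a malformed row
        row = dict(zip(COLUMNS, fields))
        for key in COUNTERS:
            row[key] = int(row[key])
        tables[-1][row["iface"]] = row
    return tables


def interval_samples(tables):
    """Per-interface list of (rx, tx) packet counts, one per interval table."""
    samples = {}
    for table in tables[1:]:  # table 0 is the cumulative dump
        for iface, row in table.items():
            samples.setdefault(iface, []).append((row["rx_ok"], row["tx_ok"]))
    return samples


def steady_interfaces(tables, min_pps=5):
    """Interfaces that moved at least min_pps packets (in + out) in every interval.

    Returns iface -> (mean rx per interval, mean tx per interval).
    """
    result = {}
    for iface, samples in interval_samples(tables).items():
        if samples and all(rx + tx >= min_pps for rx, tx in samples):
            n = len(samples)
            result[iface] = (sum(rx for rx, _ in samples) / n,
                             sum(tx for _, tx in samples) / n)
    return result


def counter_problems(tables):
    """Non-zero error/drop/overrun counters in the cumulative table, worth a look."""
    problems = []
    for iface, row in tables[0].items():
        for key in ("rx_err", "rx_drp", "rx_ovr", "tx_err", "tx_drp", "tx_ovr"):
            if row[key]:
                problems.append((iface, key, row[key]))
    return problems


if __name__ == "__main__":
    tables = parse_netstat_inc(SAMPLE)
    for iface, (rx, tx) in steady_interfaces(tables).items():
        print(f"{iface}: steady traffic, mean {rx:.1f} in / {tx:.1f} out per interval")
    for iface, key, value in counter_problems(tables):
        print(f"{iface}: {key} = {value}")
```

Feed it the captured output of a longer run (`netstat -inc > /tmp/ifstats.txt`, then read the file) and the steady-interface report tells you whether the flow ever pauses; netstat -i cannot say who is sending, which is where the per-IP/port tools suggested later in the thread come in.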
Greg Freemyer wrote:
I think you need to read up on Windows networking in the Samba docs. There is usually a fair amount of 'who's there' <-> 'I am here' chat in the background, as well as the browser master election stuff. A Windows network is never completely idle unless something got broken (and then you could be in real trouble).

--
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
On Friday, 2009-03-06 at 11:45 -0500, Greg Freemyer wrote:
I happened to notice that one of my machines that should be basically idle is showing about 20 packets a second coming in and out.
Try "iptraf" instead. It will show the activity per IP and port. You can also try "ntop" (http://localhost:3000/), which will show nice stats and graphs about your network.

--
Cheers,
Carlos E. R.
On Saturday March 7 2009, Carlos E. R. wrote:
On Friday, 2009-03-06 at 11:45 -0500, Greg Freemyer wrote:
I happened to notice that one of my machines that should be basically idle is showing about 20 packets a second coming in and out.
Try "iptraf" instead. It will show the activity per IP and port.
This was new to me, so some facts:
- It's found in its own, eponymous package.
- Must be run by root.
- Is a curses app (like the non-GUI YaST, e.g.).

At a quick glance, it's a bit like Wireshark, but as far as I can tell, you can't see packet contents and it doesn't know about higher-level protocols such as TCP.
You can also try "ntop" (http://localhost:3000/), which will show nice stats and graphs about your network.
- Also found in its own eponymous package.
- Is accessed via Web interface (on port 3000, as Carlos shows).
- Must initially be configured using "ntop -A -u wwwrun" and supplying an administrator password when prompted.
- Must be enabled using "/etc/init.d/ntop start" after installation and configuration.
- For routine use, enable it for network-enabled run levels (3 & 5) using YaST -> System -> System Services (runlevel).

Randall Schulz
On Saturday, 2009-03-07 at 06:39 -0800, Randall R Schulz wrote:
On Saturday March 7 2009, Carlos E. R. wrote:
Try "iptraf" instead. It will show the activity per IP and port.
This was new to me, so some facts:
- It's found in its own, eponymous package.
- Must be run by root.
- Is a curses app (like the non-GUI YaST, e.g.).
At a quick glance, it's a bit like WireShark, but as far as I can tell, you can't see packet contents and it doesn't know about higher-level protocols such as TCP.
No, it doesn't look inside packages, just the info on connections: which IP is connected to which port, and how many packages have passed. On another mode it shows global speed and few things more. It can resolve IP names, and also ports (services) names.
You can also try "ntop" (http://localhost:3000/), which will show nice stats and graphs about your network.
- Also found in its own eponymous package.
- Is accessed via Web interface (on port 3000, as Carlos shows).
- Must initially be configured using "ntop -A -u wwwrun" and supplying an administrator password when prompted.
I think that "rcntop start" should do that the first time :-?
- Must be enabled using "/etc/init.d/ntop start" after installation and configuration.
- For routine use, enable it for network-enabled run levels (3 & 5) using YaST -> System -> System Services (runlevel).

or "chkconfig ntop on".

--
Cheers,
Carlos E. R.
On Saturday March 7 2009, Carlos E. R. wrote:
...
You can also try "ntop" (http://localhost:3000/), which will show nice stats and graphs about your network.
After running this for a while, I see endlessly fascinating facts and statistics regarding stuff I never cared about before, all presented with pretty plots, pie charts and tables. It's got menus, options, plug-ins and all manner of fun stuff. Woo-Hoo!
RRS
On Saturday, 2009-03-07 at 07:29 -0800, Randall R Schulz wrote:
On Saturday March 7 2009, Carlos E. R. wrote:
...
You can also try "ntop" (http://localhost:3000/), which will show nice stats and graphs about your network.
After running this for a while, I see endlessly fascinating facts and statistics regarding stuff I never cared about before, all presented with pretty plots, pie charts and tables. It's got menus, options, plug-ins and all manner of fun stuff.
Woo-Hoo!
I know, it's fascinating :-) But be aware that it uses resources, memory usage grows with time.

--
Cheers,
Carlos E. R.
On Saturday March 7 2009, Carlos E. R. wrote:
...
But be aware that it uses resources, memory usage grows with time.
Some weird stuff, too, though it's only a suspicion / hunch so far that it's ntop.

The first thing I noticed was that after starting the ntop daemon, IDEA (JetBrains / IntelliJ Java IDE) hung when starting up for the first time ever and I had to kill it. I suspected it might have tried to connect to port 3000 for some reason (it's a very large and complicated program with many plug-ins that uses network connections of many sorts), so I stopped the ntop daemon and restarted IDEA. It did not hang that time, though this doesn't prove anything about a possible interaction between ntop and IDEA.

Then I looked in /var/log/messages and noticed that at the same time that I had shut down the ntop daemon, this was logged:

Mar 7 08:46:44 twain kernel: device eth0 left promiscuous mode

Which strongly suggests that ntop puts interfaces in promiscuous mode, which is something I'd prefer not to do on a permanent or ongoing basis.

The ntop daemon also failed to shut down cleanly, with this log entry immediately following the preceding one:

Mar 7 08:46:44 twain kernel: ntop[18742]: segfault at 11c ip b75313fc sp b181d2f0 error 4 in libpcap.so.0.9.8 [b752c000+32000]

Randall Schulz
On Saturday, 2009-03-07 at 09:05 -0800, Randall R Schulz wrote:
</gr_replreplace>
<gr_replace lines="59-60" cat="clarify" orig="Yes, it has">
Yes, it has to use promiscuous mode in order to sniff the network: that's the way it can learn the connections that are going around in the network besides your own computer.

Now, where is ntop configured? There is a directory in "/etc/ntop/", but I don't see configuration files there. I think it is configured directly via the web interface - I'm looking for a way to disable promiscuous mode.

On the other hand, if you are connected to a switch, that should cut off the rest of the traffic, so promiscuous mode has no effect.

The ntop daemon also failed to shut down cleanly, with this log entry immediately following the preceding one:
Then I looked in /var/log/messages and noticed that at the same time that I had shut down the ntop daemon, this was logged:
Mar 7 08:46:44 twain kernel: device eth0 left promiscuous mode
Which strongly suggests that ntop puts interfaces in promiscuous mode, which is something I'd prefer not to do on a permanent or ongoing basis.
Yes, it has to use promiscuous mode in order to sniff the network: that's the way it can learn the connections that are going around in the network besides your own computer. Now, where is ntop configured? There is a directory in "/etc/ntop/", but I don't see configuration files there. I think it is configured directly via the web interface - I'm looking for a way to disable promiscuous mode. On the other hand, if you are connected to a switch, that should cut off the rest of the traffic, so promiscuous mode has no effect.
The ntop daemon also failed to shut down cleantly, with this log entry immediately following the preceding one:
Mar 7 08:46:44 twain kernel: ntop[18742]: segfault at 11c ip b75313fc sp b181d2f0 error 4 in libpcap.so.0.9.8 [b752c000+32000]
Well, that's a bug, you should report that one to bugzilla.

--
Cheers,
Carlos E. R.
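The "left promiscuous mode" line Randall found is the kernel's own record of an interface going into or out of capture mode, and it is a line worth alerting on in general: any packet sniffer on the box, wanted or not, produces exactly that pair of messages. The Python below is an added example, not code from the thread or from ntop. It scans /var/log/messages-style lines for promiscuous-mode transitions and segfaults, reports which interfaces are still promiscuous at the end of the log, and lists programs that crashed inside libpcap. The sample log is constructed: the two "twain" lines reproduce the entries quoted above, the others are made up for the example.

```python
"""Spot promiscuous-mode changes and capture-tool crashes in syslog text.

Added example for this thread, not code from the original posts or from ntop.
The log lines are constructed; two of them reproduce the entries quoted in
the thread, the rest are invented.
"""
import re

SAMPLE_LOG = """\
Mar  7 08:40:02 twain kernel: device eth0 entered promiscuous mode
Mar  7 08:46:44 twain kernel: device eth0 left promiscuous mode
Mar  7 08:46:44 twain kernel: ntop[18742]: segfault at 11c ip b75313fc sp b181d2f0 error 4 in libpcap.so.0.9.8 [b752c000+32000]
Mar  7 09:10:31 twain kernel: device eth1 entered promiscuous mode
Mar  7 09:11:00 twain sshd[2201]: Accepted publickey for greg from 192.0.2.10 port 51234 ssh2
"""

# Classic syslog prefix followed by a kernel message.
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
# Messages the kernel logs when a device enters or leaves promiscuous mode.
PROMISC = re.compile(r"^device (?P<iface>\S+) (?P<dir>entered|left) promiscuous mode$")
# Kernel segfault report: "prog[pid]: segfault at ADDR ... in LIB [base+size]".
SEGFAULT = re.compile(
    r"^(?P<prog>[^\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) .* in (?P<lib>\S+) \[")


def kernel_events(log_text):
    """Yield (timestamp, kind, details) for promiscuous-mode changes and segfaults."""
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # not a kernel line (e.g. sshd)
        msg = m.group("msg")
        p = PROMISC.match(msg)
        if p:
            yield (m.group("ts"), "promisc_" + p.group("dir"), {"iface": p.group("iface")})
            continue
        s = SEGFAULT.match(msg)
        if s:
            yield (m.group("ts"), "segfault",
                   {"prog": s.group("prog"), "pid": int(s.group("pid")), "lib": s.group("lib")})


def promiscuous_now(log_text):
    """Interfaces whose most recent transition was 'entered', i.e. still sniffing."""
    state = {}
    for _, kind, d in kernel_events(log_text):
        if kind == "promisc_entered":
            state[d["iface"]] = True
        elif kind == "promisc_left":
            state[d["iface"]] = False
    return sorted(iface for iface, on in state.items() if on)


def crashed_sniffers(log_text):
    """(program, pid) pairs that segfaulted inside libpcap, i.e. a capture tool dying."""
    return [(d["prog"], d["pid"]) for _, kind, d in kernel_events(log_text)
            if kind == "segfault" and d["lib"].startswith("libpcap")]


if __name__ == "__main__":
    for ts, kind, d in kernel_events(SAMPLE_LOG):
        print(ts, kind, d)
    print("still promiscuous:", promiscuous_now(SAMPLE_LOG))
    print("libpcap crashes:", crashed_sniffers(SAMPLE_LOG))
```

Run against the real file with `kernel_events(open("/var/log/messages").read())`; an interface that shows up in promiscuous_now() without a known capture tool to account for it is the case worth investigating.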
On Saturday March 7 2009, Carlos E. R. wrote:
On Saturday, 2009-03-07 at 09:05 -0800, Randall R Schulz wrote:
...
Now, where is ntop configured? There is a directory in "/etc/ntop/", but I don't see configuration files there. I think it is configured directly via the web interface - I'm looking for a way to disable promiscuous mode.
/etc/sysconfig/ntop
...
The ntop daemon also failed to shut down cleanly, with this log entry immediately following the preceding one:
Mar 7 08:46:44 twain kernel: ntop[18742]: segfault at 11c ip b75313fc sp b181d2f0 error 4 in libpcap.so.0.9.8 [b752c000+32000]
Well, that's a bug, you should report that one to bugzilla.
Bugzilla? I think I hear my dentist calling...

RRS
On Saturday, 2009-03-07 at 11:23 -0800, Randall R Schulz wrote:
Now, where is ntop configured? There is a directory in "/etc/ntop/", but I don't see configuration files there. I think it is configured directly via the web interface - I'm looking for a way to disable promiscuous mode.
/etc/sysconfig/ntop
ah, startup options, I guess.
Mar 7 08:46:44 twain kernel: ntop[18742]: segfault at 11c ip b75313fc sp b181d2f0 error 4 in libpcap.so.0.9.8 [b752c000+32000]
Well, that's a bug, you should report that one to bugzilla.
Bugzilla? I think I hear my dentist calling...
X'-)

--
Cheers,
Carlos E. R.
On Saturday March 7 2009, Carlos E. R. wrote:
On Saturday, 2009-03-07 at 11:23 -0800, Randall R Schulz wrote:
Now, where is ntop configured? There is a directory in "/etc/ntop/", but I don't see configuration files there. I think it is configured directly via the web interface - I'm looking for a way to disable promiscuous mode.
/etc/sysconfig/ntop
ah, startup options, I guess.
Yes, use -s / --no-promiscuous in NTOP_ARGS.
...
Randall Schulz
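With NTOP_ARGS in /etc/sysconfig/ntop identified as the place for -s / --no-promiscuous, the check below shows the weak default beside the corrected setting. It is an added example, not part of the thread or of the ntop package: only the variable name NTOP_ARGS and the option names come from the thread, the sample file contents (comment lines included) are constructed. The script parses the file shell-style, reports whether ntop would be started promiscuously, and rewrites NTOP_ARGS with --no-promiscuous when the option is missing while keeping any other arguments.

```python
"""Check and harden the ntop promiscuous-mode setting in a sysconfig file.

Added example, not from the thread or the ntop package. Only the variable
NTOP_ARGS and the option names -s / --no-promiscuous come from the thread;
the sample file contents are constructed.
"""
import shlex

NO_PROMISC = ("-s", "--no-promiscuous")

# Constructed /etc/sysconfig/ntop with the weak (default) setting.
WEAK = """\
## Path:        Network/ntop
## Description: extra command-line arguments for the ntop daemon
# (comment lines invented for this example)
NTOP_ARGS=""
"""


def parse_sysconfig(text):
    """Map KEY -> value for KEY=value lines, honouring shell-style quoting."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        values[key.strip()] = " ".join(shlex.split(raw))
    return values


def ntop_args(text):
    """NTOP_ARGS split into individual arguments (empty list when unset)."""
    return [a for a in shlex.split(parse_sysconfig(text).get("NTOP_ARGS", "")) if a]


def runs_promiscuous(text):
    """True unless NTOP_ARGS carries -s or --no-promiscuous."""
    return not any(a in NO_PROMISC for a in ntop_args(text))


def harden(text):
    """Return the file text with --no-promiscuous added to NTOP_ARGS.

    Other arguments are kept; an absent NTOP_ARGS line is appended.
    """
    out, seen = [], False
    for line in text.splitlines():
        if line.strip().startswith("NTOP_ARGS="):
            seen = True
            args = [a for a in shlex.split(line.strip().partition("=")[2]) if a]
            if not any(a in NO_PROMISC for a in args):
                args.append("--no-promiscuous")
            line = 'NTOP_ARGS="%s"' % " ".join(args)
        out.append(line)
    if not seen:
        out.append('NTOP_ARGS="--no-promiscuous"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("weak config runs promiscuous:", runs_promiscuous(WEAK))
    fixed = harden(WEAK)
    print(fixed)
    print("hardened config runs promiscuous:", runs_promiscuous(fixed))
```

After writing the hardened text back to /etc/sysconfig/ntop, restart the daemon ("rcntop restart" on this system) and confirm that /var/log/messages no longer shows the interface entering promiscuous mode.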
On Saturday March 7 2009, Randall R Schulz wrote:
...
The first thing I noticed was that after starting the ntop daemon, IDEA (JetBrains / IntelliJ Java IDE) hung when starting up for the first time ever and I had to kill it. I suspected it might have tried to connect to port 3000 for some reason (it's a very large and complicated program with many plug-ins that uses network connections of many sorts), so I stopped the ntop daemon and restarted IDEA. It did not hang that time, though this doesn't prove anything about a possible interaction between ntop and IDEA.

Despite the fact that killing IDEA to get out of this hang necessitates a very lengthy regeneration of its index files, I decided to try this once again (after running a few times without incident with the ntop daemon not running) and again IDEA hung during start-up. So clearly there's some interference here.

I don't yet know what IDEA is trying to connect to on the local host's port 3000, but it's clearly optional, since the absence of anything using that port never causes a problem. Having glanced at ntop's configuration file, I notice that its default use of port 3000 can be reconfigured there, should all else fail.

My next problem? Firefox keeps crashing when I try to start a new thread on the IDEA forums (Clearspace 2.5.4 from Jive software). That's about the only way for me to find out what might be happening with this port 3000 interaction...

Randall Schulz
participants (4)
- Carlos E. R.
- G T Smith
- Greg Freemyer
- Randall R Schulz