[Gllug] Network Traffic

Andy Loates andy at the-bizz.demon.co.uk
Sun Oct 13 18:32:08 UTC 2002


Ian Northeast wrote:
> Andy Loates wrote:
> 
>>Hi
>>
>>Apologies for this simple question.
>>
>>My internet (ISDN) connection refuses to close down after the specified
>>idle time - 4 mins - ie some process is making it stay up.
>>
>>There is a utility/command that is similar to 'tail -f /var/log/---' for
>>files that shows you all network traffic as it occurs. I've used it
>>before but I must have thrown the reference to it away and no matter of
>>looking through manuals, books, Google etc. can I find it.
> 
> 
> Tcpdump is what you want.
> 
> Regards, Ian
> 

Thanks for the pointers guys. Tcpdump was the thing I remember. For some 
reason, probably me, it wasn't loaded on my machine.

Scanning eth0 doesn't give me any clues though, nothing but what I'd 
expect to see.

Scanning the ippp0 (ISDN) interface I get the following sort of info:

13:07:15.747040 *.*.*.* > 24.221.73.159: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:15.920482 212.100.224.180.1978 > *.*.*.*.1978: udp 41 (DF)
13:07:15.920644 *.*.*.* > 212.100.224.180: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:16.070478 212.187.157.14.1978 > *.*.*.*.1978: udp 41 (DF)
13:07:16.070734 *.*.*.* > 212.187.157.14: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:16.444247 202.75.47.51.1978 > *.*.*.*.1978: udp 60 (DF)
13:07:16.444447 *.*.*.* > 202.75.47.51: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:16.639485 164.100.199.11.1978 > *.*.*.*.1978: udp 41 (DF)
13:07:16.639651 *.*.*.* > 164.100.199.11: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:16.990001 218.32.219.3.1978 > *.*.*.*.1978: udp 60 (DF)
13:07:16.990196 *.*.*.* > 218.32.219.3: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:18.144862 213.53.196.147.1978 > *.*.*.*.1978: udp 41 (DF)
13:07:18.145157 *.*.*.* > 213.53.196.147: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:18.355753 211.239.121.193.1978 > *.*.*.*.1978: udp 41 (DF)
13:07:18.355926 *.*.*.* > 211.239.121.193: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:18.670006 211.161.196.147.1978 > *.*.*.*.1978: udp 41 (DF)
13:07:18.670206 *.*.*.* > 211.161.196.147: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:18.887505 202.64.60.58.1978 > *.*.*.*.1978: udp 60 (DF)
13:07:18.887667 *.*.*.* > 202.64.60.58: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:19.134123 62.70.0.50.1978 > *.*.*.*.1978: udp 41 (DF)
13:07:19.134324 *.*.*.* > 62.70.0.50: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:19.418878 65.103.177.11.1978 > *.*.*.*.1978: udp 41 (DF)
13:07:19.419056 *.*.*.* > 65.103.177.11: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]
13:07:19.428497 202.56.247.99.1978 > *.*.*.*.1978: udp 41 (DF)
13:07:19.428631 *.*.*.* > 202.56.247.99: icmp: *.*.*.* udp port 1978 
unreachable [tos 0xc0]

The *.*.*.* is my static IP address from Demon.

Apologies if I get any of the following wrong, I'm no expert in this.

Some service - DNS? - is using my box, trying to get in on port 1978 
using UDP service 60 or 41. Checked my /etc/services file and I have no 
port/service on tcp 1978, udp 41 or udp 60.

Most if not all the IP addresses seem to come from name servers and some 
from root servers.

All this started on Thursday around 3pm. The box had been up for about 8 
days behaving normally. I've tried turning off my local caching name 
server but all this does is turn the tcpdump output from FQDN to 
***.***.***.*** format.

Can anyone shed any light on what's going on here? Any ideas gratefully 
received.

Many thanks


Andy


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
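The pattern in the capture above (unsolicited UDP arriving on a port with no listener, each datagram answered by a locally generated ICMP port unreachable) is exactly the kind of traffic that keeps a dial-on-demand link from idling out, because the ICMP replies are outbound packets of the box's own. The script below, an added example and not code from the original thread, parses lines in the old tcpdump text format shown in the message and separates ports that only ever receive-and-reject traffic from ports the box itself talks on. The `udp 41` / `udp 60` field is the UDP payload length, which the code records as such; the sample lines are constructed, `*.*.*.*` stands in for the local address as in the post, and `192.0.2.53` is a made-up resolver address.

```python
import re
from collections import defaultdict

LOCAL = "*.*.*.*"  # placeholder for the local static address, as in the post

# Constructed sample in the tcpdump 3.x text format quoted in the message:
# three unsolicited datagrams to port 1978 (each rejected with ICMP) plus one
# ordinary DNS query/answer pair from the box itself to a made-up resolver.
SAMPLE = """\
13:07:15.920482 212.100.224.180.1978 > *.*.*.*.1978: udp 41 (DF)
13:07:15.920644 *.*.*.* > 212.100.224.180: icmp: *.*.*.* udp port 1978 unreachable [tos 0xc0]
13:07:16.070478 212.187.157.14.1978 > *.*.*.*.1978: udp 41 (DF)
13:07:16.070734 *.*.*.* > 212.187.157.14: icmp: *.*.*.* udp port 1978 unreachable [tos 0xc0]
13:07:16.444247 202.75.47.51.1978 > *.*.*.*.1978: udp 60 (DF)
13:07:16.444447 *.*.*.* > 202.75.47.51: icmp: *.*.*.* udp port 1978 unreachable [tos 0xc0]
13:07:20.000000 *.*.*.*.1025 > 192.0.2.53.53: udp 32 (DF)
13:07:20.100000 192.0.2.53.53 > *.*.*.*.1025: udp 80 (DF)
"""

UDP_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > "
                    r"(?P<dst>\S+)\.(?P<dport>\d+): udp (?P<len>\d+)")
ICMP_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: "
                     r"\S+ udp port (?P<port>\d+) unreachable")

def analyze(text, local=LOCAL):
    """Group the capture by local UDP port: what arrived, who sent it,
    what the box sent itself, and how often the kernel answered 'no listener'."""
    ports = defaultdict(lambda: {"inbound": 0, "sources": set(), "payload_sizes": set(),
                                 "outbound_udp": 0, "icmp_unreach": 0})
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            if m["dst"] == local:            # datagram arriving at our box
                p = ports[int(m["dport"])]
                p["inbound"] += 1
                p["sources"].add(m["src"])
                p["payload_sizes"].add(int(m["len"]))   # the 'udp 41' figure
            elif m["src"] == local:          # datagram the box sent itself
                ports[int(m["sport"])]["outbound_udp"] += 1
            continue
        m = ICMP_RE.match(line)
        if m and m["src"] == local:          # our own ICMP port unreachable reply
            ports[int(m["port"])]["icmp_unreach"] += 1
    return dict(ports)

def unsolicited(report):
    """Local ports that never originate UDP but do generate ICMP replies:
    each reply is outbound traffic that resets a dial-on-demand idle timer."""
    return sorted(p for p, s in report.items()
                  if s["outbound_udp"] == 0 and s["icmp_unreach"] > 0)
```

Because the ICMP replies are what the link sees as activity, silently dropping the inbound datagrams at the packet filter (rather than rejecting them) stops both the inbound noise and the replies it provokes.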