Ubuntu Networking :: Tcpdump Shows Lots Of Activity
Jan 24, 2011
The only window that's open is the terminal running this command; no Pidgin, Skype, Samba, torrent client or anything else I can think of is using the network, yet there is a ***** load of output from tcpdump. I was hoping to use this to check where certain applications connect to and what messages they send, but even when I'm doing nothing there is already more output than I can go through. Running tcpdump for less than 10 seconds gives me the following output:
Code:
16:13:22.015683 IP ns.hihkptt.net.cn.domain > desk.local.56598: 46887 1/2/2 (166)
16:13:22.016251 IP ns.hihkptt.net.cn.domain > desk.local.60099: 21168 1/2/2 (166)
16:13:22.016743 IP ns.hihkptt.net.cn.domain > desk.local.42325: 50346 1/2/2 (166)
16:13:22.034733 IP ns.hihkptt.net.cn.domain > desk.local.41441: 63658 1/2/0 (134)
16:13:22.035215 IP ns.hihkptt.net.cn.domain > desk.local.42865: 37537 1/2/0 (134)
16:13:22.036124 IP ns.hihkptt.net.cn.domain > desk.local.35006: 7520 1/2/0 (134)
16:13:22.036569 IP ns.hihkptt.net.cn.domain > desk.local.38480: 51322 1/2/0 (134)
16:13:22.066006 ARP, Reply 192.168.0.1 is-at 00:b0:0c:02:60:9c (oui Unknown), length 46 .....
I have set the iptables INPUT policy to DROP. As I expected, tcpdump wasn't showing any packets... for a while. Suddenly it began to show UDP syslog packets being sent by a remote host. This is consistent with the configuration of syslog, but since the INPUT policy was set to DROP, with no exceptions, it is not consistent with the configuration of iptables. Why, after setting the INPUT policy to DROP with no exceptions, are most of the packets received before now being dropped while some are not, as tcpdump shows?
modinfo -l shows a ton of different video drivers, from Matrox to ATI. Are all these drivers currently loaded in my kernel, and is it ok to disable all but nvidiafb (since my system is 100% nvidia)?
Was wondering if this is normal. I have a laptop which is about a year old. Recently my battery died (it lasts 10-15 minutes instead of the 3-4 hours it did before). I ordered a new one. While waiting for the new one I started to investigate power consumers (processes) on my machine. I run slackware64-current with the 2.6.33-rc4-git7 kernel; the config is a slightly modified config-generic from -current. I attach it here just in case. Here is the output of powertop:
How can I track down what's using my NIC and kill it (if appropriate)? There are no applications running which might be authorized to send and receive packets, so I don't really know why the System Monitor shows network activity.
I am currently in the process of moving around 20TB of data from one server to another. Security is not a concern, since the data are freely available to anyone on our network anyway. There are a couple of things that I'm trying to decide on:
(1) protocol choice
Of all the choices I have--nfs, ftp, scp, rsync, samba--has anyone done any benchmarking to show which would be the fastest/most robust transfer protocol? I know nfs has slow write speeds for synchronous transfers. Asynchronous would be faster, but less robust. I'm leaning toward rsync since it performs md5sums to confirm the file transfers. (Remember if there's a 1 in a billion chance that a byte will get corrupted, then I'll have 20,000 corrupt bytes in the transfer.)
(2) Nautilus emblems
We use emblems in Nautilus to categorize files. The old and the new server have the same directory structure. Is there any way to copy the Nautilus emblems from the old server to the new server? What I want is that if a user had marked a particular file with a star on the old server, then that file would be marked with a star on the new server when he/she logs in.
I tried to do a scheduled software update several times today (8/20/11) and nothing seems to download, though I do get the "Downloading" PackageKit dialog message (the System Monitor shows practically no network activity). In between tries I downloaded some 600 MB .iso files (about 10 minutes each) so I know my internet is working properly. That leaves either PackageKit got hosed in my last update, or servers are down.
I am trying to create a dump log using tcpdump. I want to display the top 10 IP addresses, sorted numerically, showing how many times the IPs are hitting the server. I'm getting frustrated because it's not working how I'd like it to.
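One way to get the "top 10 IPs by hit count" from a saved tcpdump log, as an added example that is not part of the original post. It assumes the log was produced with tcpdump -n (numeric addresses), so each IP line reads "time IP SRC.PORT > DST.PORT: ..."; the sample lines are constructed, not real traffic.

```shell
#!/bin/sh
# Count which source IPs appear most often in tcpdump -n output.
# Assumes numeric output, where field 3 is SRC.PORT and the trailing
# dotted component is the port (a service name would be stripped too).

# Constructed sample of tcpdump -n output (documentation addresses).
SAMPLE='16:13:22.015683 IP 203.0.113.7.53 > 192.0.2.10.56598: 46887 1/2/2 (166)
16:13:22.016251 IP 203.0.113.7.53 > 192.0.2.10.60099: 21168 1/2/2 (166)
16:13:22.034733 IP 198.51.100.4.443 > 192.0.2.10.41441: Flags [P.], length 134
16:13:22.035215 IP 203.0.113.7.53 > 192.0.2.10.42865: 37537 1/2/0 (134)
16:13:22.036124 IP 198.51.100.9.22 > 192.0.2.10.35006: Flags [.], ack 1
16:13:22.066006 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 46
16:13:22.070001 IP 198.51.100.4.443 > 192.0.2.10.41441: Flags [.], length 0'

# top_src_ips [N]: read tcpdump lines on stdin and print the N (default 10)
# most frequent source IPs as "count ip", most frequent first.
top_src_ips() {
    n="${1:-10}"
    # keep only IP lines, take the source field, drop the trailing .port
    awk '$2 == "IP" { sub(/\.[0-9]+$/, "", $3); print $3 }' \
        | sort | uniq -c | sort -rn | head -n "$n" \
        | awk '{ print $1, $2 }'
}

# busiest_src: just the single most frequent source IP in SAMPLE.
busiest_src() {
    printf '%s\n' "$SAMPLE" | top_src_ips 1 | awk '{ print $2 }'
}

# Run it over the sample; in practice: tcpdump -n -r capture.pcap | top_src_ips
printf '%s\n' "$SAMPLE" | top_src_ips 10
```

Feeding a live capture through the same pipeline works too, but stopping tcpdump with Ctrl-C before the pipe can complete is usually why such one-liners "don't work"; read from a -w file instead.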
Is there a way to do multiple interfaces in tcpdump? I have found that when using "-i any", not all packets are captured (compared to "-i eth0" on a machine with only one interface). I need to monitor traffic on some machines with as many as 6 interfaces, and get these packets that "-i any" misses. When I give the "-i" option multiple times, it seems to only use the last one.
I'm trying to capture packets to a file with the -w option but the file is empty, yet if I use the '-w -' option to put data on stdout I see plenty of captured packets. I'm using CentOS 5.5 x86.
I have a Philips SNU5600 wifi dongle. My wifi network isn't particularly strong, but it has always been reliable, even when downloading and uploading large files such as ISOs to the internet.
I recently bought a NAS, and when I run rsync or try and copy a large file (eg 6 gigs) to the NAS, the connection will eventually fail.
The error message in /var/log/debug is:
Code:
I have read elsewhere that this is a problem with the Minstrel algorithm, so I have tried disabling that by creating /etc/modprobe.d/80211.conf with the following line in it:
Code:
And when I reboot, I am able to run "cat /sys/module/mac80211/parameters/ieee80211_default_rc_algo" and the output is "pid".
However, in my /var/log/debug, there is still the line:
Code:
Here is the output from a few other commands for extra information:
Code:
Code:
Code:
Code:
- The problem has only been around since I got the NAS, and only happens when copying files TO the NAS. Downloading/uploading to the internet doesn't cause the same problem.
- This problem happens on two machines, both with the same wifi dongle.
- This problem doesn't happen on a laptop running the Intel iwl3945 driver, nor with machines connected via cables, so it is not the NAS which is at fault.
I would like to set up tcpdump to rotate the log file every 1 hour and retain files for the last 14 days, but I don't think any combination of -C and -W would allow me to do that (at least I haven't been able to figure it out), so I am trying to rotate the files every X number of MB and retain the last 20 files. This seems to be fairly simple with the '-C X -W 20' option, but I am having some trouble in customizing the names of the log files. I have tried '-w capture-$(date +%Y-%M-%d-%H:%M-)' thinking that each file would start with the current date and time, but all files are using the date and time when the capture was started, so the only difference is the number at the end (which is done by -W). I would like to customize the names of the files so that each has the date and time when that capture was started. In fact if I can do that, I don't need the numbers that '-W' appends at the end, but I don't know how to get rid of them.
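An added example, not from the original post, of hourly rotation with per-file timestamps plus a 14-day retention sweep. It relies on tcpdump's -G option (rotate every N seconds), which makes the -w file name go through strftime(3) at each rotation; CAPTURE_DIR and IFACE are placeholders.

```shell
#!/bin/sh
# Hourly tcpdump rotation with date-stamped file names and retention.
# Assumes tcpdump 4.0 or newer: with -G, the -w name is expanded by
# strftime(3) when each new file is opened, so every file carries its
# own start time (which $(date) in the shell cannot do, since it runs once).
CAPTURE_DIR="${CAPTURE_DIR:-/var/log/pcap}"   # placeholder directory
IFACE="${IFACE:-eth0}"                        # placeholder interface

# capture_hourly: open a new capture file every 3600 seconds.
capture_hourly() {
    tcpdump -n -i "$IFACE" -G 3600 \
        -w "$CAPTURE_DIR/capture-%Y-%m-%d-%H%M.pcap"
}

# prune_old DIR DAYS: delete capture files whose modification time is
# older than DAYS days and print how many were removed (run from cron).
prune_old() {
    dir="$1"; days="$2"
    before=$(find "$dir" -name 'capture-*.pcap' -type f | wc -l | tr -d ' ')
    find "$dir" -name 'capture-*.pcap' -type f -mtime +"$days" -exec rm -f {} +
    after=$(find "$dir" -name 'capture-*.pcap' -type f | wc -l | tr -d ' ')
    echo $((before - after))
}
```

Pairing -G with -C or -W brings the numeric suffix back, so for time-based rotation leave those two options out and let the retention sweep bound disk usage.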
I'm running NetWare SLES 10 sp3 with OES2 sp2. I was working with the folks at Novell to resolve an iPrint Print Manager problem.
During the process they wanted to perform a packet capture using tcpdump. While logged in as the root user I got the error "no suitable device was found", and I received no data at all. This server is running on a VMware Center. On other SLES 10 sp3 systems (residing on that same VMware Center), tcpdump captures packets just fine. I inherited all of these servers, so I wasn't here during the initial build, but I'd make the guess that they were configured similarly. On a server that I built recently, tcpdump works fine. On two of my servers it does not, and gives the mentioned error.
It's not that big a deal, otherwise the Servers are communicating and working just fine. But, I'd like to get it working just because it's supposed to work. Students are off for the summer, so I have time to play.
I have configured an NFS Server on CentOS 5.2 with an IBM Web Server, which is running AIX 5.3. The IBM Web Server can upload all data onto the NFS Server. Today I was getting slow response from the IBM Web Server, and while investigating NFS I found the error below when running the "tcpdump" command on the CentOS server.
tcpdump -n -i eth1 | grep 2049
18:36:37.237451 IP 10.100.19.241.2049 > 10.100.19.88.1758143293: reply ok 1448 read [|nfs]
18:36:37.237476 IP 10.100.19.241.2049 > 10.100.19.88.539981409: reply ERR 1448
18:36:37.237481 IP 10.100.19.241.2049 > 10.100.19.88.796287348: reply ERR 1448
[code]....
I have changed the network card in CentOS. All of the LAN is on a Gigabit network. I have also changed the network cable (patch cord). But still no response.
I have a linux box with two interfaces: eth0 is a builtin and eth1 is a USB-LAN.
There is an IP configured on eth1.
eth0 is up but no IP is configured. This interface is used for sniffing with tcpdump.
The problem is that eth0 frequently stops receiving packets -- my tcpdump captures are empty, and if I look at the interface stats with ifconfig, I can see that no packets are received.
If I bounce the interface (ifconfig eth0 down; ifconfig eth0 up), it starts receiving packets again.
I am running a test to determine when packet drops occur. I'm using a Spirent TestCenter through a switch (necessary to aggregate Ethernet traffic from 5 ports to one optical link) to a server using a Myricom card. While running my test, if the input rate is below a certain value, ethtool does not report any drop (except dropped_multicast_filtered which is incrementing at a very slow rate). However, tcpdump reports X number of packets "dropped by kernel". Then if I increase the input rate, ethtool reports drops but "ifconfig eth2" does not. In fact, ifconfig doesn't seem to report any packet drops at all. Do they all measure packet drops at different "levels", i.e. ethtool at the NIC level, tcpdump at the kernel level etc.? And am I right to say that in the journey of an incoming packet, the NIC level is the "so-called" first level, then the kernel, then the user application? So any packet drop is likely to happen first at the NIC, then the kernel, then the user application? So if there is no packet drop at the NIC, but packet drop at the kernel, then the bottleneck is not at the NIC?
I have a need to make a rather odd filter in tcpdump: I would like to capture only those packets on interface eth0 that are outgoing (in other words from IP 192.168.1.1, which is the IP for eth0 on this computer) and don't have the source MAC address 11:22:33:44:55:66. However, the following command says that the syntax is wrong:
Code:
tcpdump -n -p -i eth0 src host 192.168.1.1 ether src not 11:22:33:44:55:66
Is this possible? If yes, then what is the correct command?
I have a WAN network that I need to do some analysis on, for the traffic flows. I did lots of googling to figure out what useful tool to collect the packet information. I found this site [URL] which I made great use of to get to know the tcpdump tool. I also have a network simulator on the Windows platform which is Opnet Guru (by the way, is there a Linux version of this simulator?).
MY QUESTION IS: How can I feed Opnet Guru with the flow data collected with tcpdump and its different options?
NOTE: in the Opnet Guru environment there is an object called the profile that is being used to customize and generate data flows with the desired characteristics to simulate the real flows. So I need to feed Opnet with the fresh data collected with the tcpdump tool (command) instead of using the built-in profile. I hope I was clear enough.
I need to have the ability as network administrator to see what everyone connected to our internet is doing, the sites they're visiting and the emails being sent.
I am trying to figure out how to set ALL of my network activity to go through Tor. I have set my network proxy configuration to the tor and polipo settings (127.0.0.1:8118 for http and 127.0.0.1:9050 for socks), which works great in Firefox, but if I nmap scan my router, it says that the incoming signal came from my other IP. Yes, I have 2 internet connections; no, I am not a hacker. So I am wondering what I am missing here; it has to be something simple, just a line I need to add to a config file or something.
I have a CentOS router and I want a tool that can give me reports, accessible from a browser, about the users' web activity. I need two types of daily reports:
- list of web pages accessed by each local host
- list of all web pages accessed by all local hosts, and list of local hosts that accessed one specific web page
I tried ntop and it is not really suitable for what I need. Maybe it can do what I need, but I have to make several improvisations.
I had a problem with the new network manager a week ago and got it solved with help from the forum so now I'm back again. I have a dual boot with Windows 7 (I have to use it when serving my corporate masters) so I wasn't in my Fedora partition much this week. I just noticed this and I'm positive it wasn't doing it before my network manager problem but I'm not sure when it started or if they're related. I'm running F15. The machine is an HP Elitebook 8440p and has a wifi light that is also a touch button to turn the wireless on/off. Whenever there is activity on the network now it blinks between orange and blue. I know that isn't really a big deal but it's really annoying and is driving me completely nuts!! The normal behavior is orange when it's off, solid blue when it's on (or connected) and blinks orange/blue just while it's connecting. During network activity it's always been just solid blue and that's what I want. I found a script that some Ubuntu users said fixed the same problem but when I tried to copy it the directory they said to put it in "/etc/network/ifup.d" doesn't exist. I'm assuming that's a distro difference between Ubuntu and Fedora? Has anyone else seen this? Any ideas how to fix it?
I have a Dell PowerEdge 1950 with CentOS 5.4 installed. I am having an issue where there is no network activity on any of the NICs (Broadcom and Intel).
I have read that this might be somewhat common but have not found any solutions. I am unable to ping anything internal or external. Has anyone encountered this problem and have a potential fix?
I upgraded from Fedora 10 to Fedora 11 last night in response to a pop-up window. When I rebooted after the upgrade my wife immediately complained about the internet not working. Actually the connection was up and working, but the Fedora 11 upgrade had made it slow almost to a stop. There are two XP machines on the network behind a local D-Link wireless router with Comcast high speed internet. When I disable networking on the Fedora machine the internet connection immediately returns to normal on the other two machines. Also there is a period of a second or two after enabling networking for a quick upload or download before the connection clogs. I checked the system monitor network history and found that there is a constant networking send rate of just under 180 kb/s in the background. This occurs even when the browser, email client, and automatic backup are off and the only process showing significant CPU use in the system monitor is the monitor itself.
I tried netstat but there were so many /tmp/orbit entries that I could not scroll up to the top of the listing. Is this normal? If so, does anyone know the netstat command options to just see connections with sent packets? I also tried ifconfig -a. This shows no RX packets at all, and no TX packets except on eth0. The total eth0 TX packets matches the total reported by the system monitor, and in the monitor you can watch the total accumulate in approx 180 kb/sec increments. I don't understand why 180 kb/sec TX would make a dramatic difference in internet speed; Comcast reports upload speeds in megabytes. I need to be able to use the net in Fedora, but I am also curious to learn what caused the problem.