LinuxQuestions.org
Old 11-17-2004, 10:44 AM   #1
jonr
Senior Member
 
Registered: Jan 2003
Location: Kansas City, Missouri, USA
Distribution: Ubuntu
Posts: 1,040

Rep: Reputation: 47
Dropped packet logging


A few weeks ago I thought one hard drive was on its way toward failing because of rhythmic thumping noises from it. Today I found out what was probably causing the noise: logging of a huge number of dropped packets. A very small sample:
Code:
Nov 17 09:02:41 bodhisattva kernel: DROPPED IN=ppp0 OUT= MAC= SRC=169.233.22.231 DST=66.143.32.164 LEN=63 TOS=0x00 PREC=0x00 TTL=114 ID=25967 PROTO=UDP SPT=1172 DPT=1692 LEN=43 
Nov 17 09:02:42 bodhisattva kernel: DROPPED IN=ppp0 OUT= MAC= SRC=67.23.126.230 DST=66.143.32.164 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=52037 DF PROTO=TCP SPT=42975 DPT=6347 SEQ=533779148 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204054801010402) 
Nov 17 09:02:42 bodhisattva kernel: DROPPED IN=ppp0 OUT= MAC= SRC=212.123.187.197 DST=66.143.32.164 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=46416 DF PROTO=TCP SPT=52054 DPT=6347 SEQ=3595184593 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204058401010402) 
Nov 17 09:02:43 bodhisattva kernel: DROPPED IN=ppp0 OUT= MAC= SRC=66.24.12.255 DST=66.143.32.164 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=43480 DF PROTO=TCP SPT=4877 DPT=6347 SEQ=1201091308 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (0204058401010402) 
Nov 17 09:02:44 bodhisattva kernel: DROPPED IN=ppp0 OUT= MAC= SRC=169.233.22.231 DST=66.143.32.164 LEN=63 TOS=0x00 PREC=0x00 TTL=114 ID=26200 PROTO=UDP SPT=1172 DPT=1692 LEN=43
Two questions which, despite looking through posts here, I can't find the answer to:

(1) Should I be concerned?

(2) Is there a way to disable logging this stuff, since it just interferes with normal operations and is a burden on the hard drive?

I have a regular ADSL setup with dynamic address assignment, and the DNS servers of my ISP are specified at startup. I use iptables with Guarddog as a frontend and the only protocols I permit are HTTP, HTTPS, POP3, POP3S, ping, traceroute, DNS, Real Networks access (for audio/video), and one high-numbered port TCP access that I use for administering webspace that I lease.

These dropped packets seem to occur at any time of day or night unpredictably.
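Worked example, added here and not part of the thread: a short Python script that parses lines in the format quoted above (what the kernel's LOG target writes) and summarises them per destination port and per distinct source, which is the first thing to look at when deciding whether drops like these are background noise or something aimed at one machine. The five sample lines are the ones from the post; the function names and the SYN-without-ACK heuristic are my own, not anything from the firewall tools the thread mentions.

```python
import re
from collections import Counter, defaultdict

# The five lines quoted in the post, embedded so the script runs offline.
SAMPLE_LOG = """\
Nov 17 09:02:41 bodhisattva kernel: DROPPED IN=ppp0 OUT= MAC= SRC=169.233.22.231 DST=66.143.32.164 LEN=63 TOS=0x00 PREC=0x00 TTL=114 ID=25967 PROTO=UDP SPT=1172 DPT=1692 LEN=43
Nov 17 09:02:42 bodhisattva kernel: DROPPED IN=ppp0 OUT= MAC= SRC=67.23.126.230 DST=66.143.32.164 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=52037 DF PROTO=TCP SPT=42975 DPT=6347 SEQ=533779148 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204054801010402)
Nov 17 09:02:42 bodhisattva kernel: DROPPED IN=ppp0 OUT= MAC= SRC=212.123.187.197 DST=66.143.32.164 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=46416 DF PROTO=TCP SPT=52054 DPT=6347 SEQ=3595184593 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204058401010402)
Nov 17 09:02:43 bodhisattva kernel: DROPPED IN=ppp0 OUT= MAC= SRC=66.24.12.255 DST=66.143.32.164 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=43480 DF PROTO=TCP SPT=4877 DPT=6347 SEQ=1201091308 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (0204058401010402)
Nov 17 09:02:44 bodhisattva kernel: DROPPED IN=ppp0 OUT= MAC= SRC=169.233.22.231 DST=66.143.32.164 LEN=63 TOS=0x00 PREC=0x00 TTL=114 ID=26200 PROTO=UDP SPT=1172 DPT=1692 LEN=43
"""

# syslog prefix: "Mon DD HH:MM:SS host kernel: <rest>"
TS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$"
)


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict, or return None if it is not one."""
    m = TS_RE.match(line.strip())
    if not m or " IN=" not in " " + m.group("rest"):
        return None
    rest = m.group("rest")
    idx = rest.find("IN=")
    prefix = rest[:idx].strip()  # the rule's --log-prefix, "DROPPED" in the post
    fields, flags = {}, set()
    for tok in rest[idx:].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # keep the first LEN (IP total length), not the UDP one
        elif tok.isalpha():
            flags.add(tok)  # DF, SYN, OPT ...; the "(0204...)" option bytes are skipped
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": prefix, "fields": fields, "flags": flags}


def is_unsolicited_syn(rec):
    """TCP segment with SYN set and no ACK: someone trying to open a connection to us."""
    f = rec["fields"]
    return f.get("PROTO") == "TCP" and "SYN" in rec["flags"] and f.get("ACK") == "0"


def summarize(log_text):
    """Count drops per (proto, dest port) and how many distinct sources hit each port."""
    recs = [r for r in map(parse_log_line, log_text.splitlines()) if r]
    per_port = Counter()
    sources = defaultdict(set)
    for r in recs:
        key = (r["fields"].get("PROTO"), r["fields"].get("DPT"))
        per_port[key] += 1
        sources[key].add(r["fields"].get("SRC"))
    return {
        "total": len(recs),
        "syn_probes": sum(is_unsolicited_syn(r) for r in recs),
        "per_port": dict(per_port),
        "distinct_sources": {k: len(v) for k, v in sources.items()},
    }


def describe(summary):
    """One line per port, most-hit first."""
    lines = []
    for (proto, dpt), n in sorted(summary["per_port"].items(), key=lambda kv: -kv[1]):
        srcs = summary["distinct_sources"][(proto, dpt)]
        lines.append(f"{proto} dpt {dpt}: {n} dropped from {srcs} source(s)")
    return lines


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} drops, {s['syn_probes']} unsolicited TCP SYN")
    for line in describe(s):
        print(" ", line)
```

On the post's five lines this reports three bare SYNs to TCP 6347 from three different sources and one source repeating a UDP packet to 1692, which is the shape of wide, automated scanning rather than one party working on this particular host. Run it over a whole day of /var/log/messages instead and the same two numbers per port (volume and distinct sources) tell you whether anything stands out from that background.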
 
Old 11-17-2004, 05:24 PM   #2
guzzi
Member
 
Registered: Jun 2004
Location: Lawrence, KS
Distribution: Slackware
Posts: 294

Rep: Reputation: 32
packet logging

What you have looks like the normal stuff that uses up bandwidth.

On a 486 firewall unit running Slackware and iptables, I have quit logging the dropped packets.
In my iptables script was a line:
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "

By placing a # in front of that line, the logging ended.

Thanks for posting that portion of your log. It lets me know that others have the same issue.
 
Old 11-17-2004, 05:31 PM   #3
jonr
Senior Member
 
Registered: Jan 2003
Location: Kansas City, Missouri, USA
Distribution: Ubuntu
Posts: 1,040

Original Poster
Rep: Reputation: 47
I did the same as you, but by using Guarddog to disable logging, since I'm no iptables whiz!

Do you think these probes represent attempted probes by ill-meaning parties, or what?

I know that ISPs will sometimes probe their customers' machines pretty frequently for one reason or another, but I don't know if that applies to DSL users as well as dial-up. Anyway, supposedly nothing gets through my firewall except via the protocols I set up, and GRC's "Shields Up" test always results in a "perfect stealth" rating....
 
Old 11-17-2004, 06:54 PM   #4
guzzi
Member
 
Registered: Jun 2004
Location: Lawrence, KS
Distribution: Slackware
Posts: 294

Rep: Reputation: 32
LOL, I am no iptables whiz either, but this forum has provided me with lots of info.

The Shields Up thing is what I too use, with the same results. Also, my wife is a die-hard W2000 person running Norton 2004 Internet Security. We have found that she never gets an alert when she connects to the net through the Linux firewall. But when going through her external modem, alerts are very common.

From what I have seen, most of the unrequested packet traffic is from Windows boxes that have been taken over. Many of the people I know running Windows don't understand, or care about security, until their box starts to really slow down, or stop working. At that point they get serious, but only until someone fixes it for them.

My ISP "myvine" indicated to me that infected Windows boxes are a problem, but not one they are willing to deal with. I guess that as long as people make their connection payment, the ISPs are happy.

Take Care
 
Old 11-17-2004, 07:34 PM   #5
jonr
Senior Member
 
Registered: Jan 2003
Location: Kansas City, Missouri, USA
Distribution: Ubuntu
Posts: 1,040

Original Poster
Rep: Reputation: 47
Thanks for the insight. I get quite a bit of spoofed email, and I imagine some of the same computers that have been hijacked for that purpose are also sending out these pings or whatever they are. My ISP (sbcglobal.net) threatened to suspend the accounts of users who didn't apply firewalls and antivirus to their Windows machines, but I never heard if they actually did or not. Even if they did, there would be plenty of other ISPs putting up with this stuff--and no guarantee that any users would properly protect their machines anyway.

Oh, well. Glad I use Linux--at least so far!
 
Old 11-18-2004, 05:51 AM   #6
TreeHugger
Member
 
Registered: Jul 2003
Location: London
Distribution: Debian, Redhat
Posts: 98

Rep: Reputation: 15
I don't know how you would configure it with guarddog, but you can set up iptables logging like this:

Code:
iptables -A kill_bad -p tcp ! --syn -m state --state NEW \
-m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level info --log-prefix "New not syn:"

and that stuff with 'limit' will make sure you only see a maximum of 3 logs a minute.
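To see what `-m limit --limit 3/minute --limit-burst 3` actually does to a stream of log hits, here is an added example (mine, not from the thread and not netfilter code) that models the limit match as a token bucket: the bucket starts with `--limit-burst` tokens, regains one token every 1/rate (20 s here), and spends one token per logged packet; when it is empty the rule does not match and nothing is logged. It replays the timestamps of the five lines in the first post. Assumptions: syslog timestamps carry no year, so 2004 is used; and this is a simplified continuous-refill model of the kernel's xt_limit credit arithmetic, good enough to predict counts but not its exact jiffy accounting.

```python
from datetime import datetime

# Timestamps of the five lines quoted in the first post; only the time matters to
# the limit match, so the rest of each line is shortened here (constructed input).
SAMPLE_LINES = [
    "Nov 17 09:02:41 bodhisattva kernel: DROPPED IN=ppp0 SRC=169.233.22.231 PROTO=UDP DPT=1692",
    "Nov 17 09:02:42 bodhisattva kernel: DROPPED IN=ppp0 SRC=67.23.126.230 PROTO=TCP DPT=6347",
    "Nov 17 09:02:42 bodhisattva kernel: DROPPED IN=ppp0 SRC=212.123.187.197 PROTO=TCP DPT=6347",
    "Nov 17 09:02:43 bodhisattva kernel: DROPPED IN=ppp0 SRC=66.24.12.255 PROTO=TCP DPT=6347",
    "Nov 17 09:02:44 bodhisattva kernel: DROPPED IN=ppp0 SRC=169.233.22.231 PROTO=UDP DPT=1692",
]


def syslog_time(line, year=2004):
    """Parse the 'Mon DD HH:MM:SS' syslog prefix. Syslog omits the year; 2004 is assumed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


class LimitMatch:
    """Simplified token-bucket model of iptables' '-m limit' (assumption: continuous refill)."""

    def __init__(self, rate_per_minute, burst):
        self.refill_seconds = 60.0 / rate_per_minute  # one token back every 1/rate
        self.burst = burst                             # bucket capacity = --limit-burst
        self.tokens = float(burst)                     # bucket starts full
        self.last = None

    def allow(self, when):
        """True if a packet seen at `when` matches (and so gets logged); spends one token."""
        if self.last is not None:
            elapsed = max(0.0, (when - self.last).total_seconds())
            self.tokens = min(self.burst, self.tokens + elapsed / self.refill_seconds)
        self.last = when
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_limit(lines, rate_per_minute=3, burst=3):
    """Split lines into (logged, suppressed) as '--limit 3/minute --limit-burst 3' would."""
    bucket = LimitMatch(rate_per_minute, burst)
    logged, suppressed = [], []
    for line in lines:
        (logged if bucket.allow(syslog_time(line)) else suppressed).append(line)
    return logged, suppressed


if __name__ == "__main__":
    logged, suppressed = apply_limit(SAMPLE_LINES)
    print(f"{len(logged)} logged, {len(suppressed)} suppressed")
    for line in suppressed:
        print("  suppressed:", line[:15])
```

Against the post's five lines (all within four seconds) the rule logs the first three and suppresses the last two, which is exactly the disk-thrashing burst the original poster wanted rid of. Packets arriving 30 s apart are all logged, because the bucket refills faster than it drains, so a slow trickle is still fully visible; the LOG rule is normally placed just before the DROP so that suppressed packets are still dropped, only not written to disk.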
 
Old 11-18-2004, 08:25 AM   #7
jonr
Senior Member
 
Registered: Jan 2003
Location: Kansas City, Missouri, USA
Distribution: Ubuntu
Posts: 1,040

Original Poster
Rep: Reputation: 47
Quote:
Originally posted by TreeHugger
...

and that stuff with 'limit' will make sure you only see a maximum of 3 logs a minute.
Thanks! I'll copy that for future reference. For now, I just have all logging turned off; it seems to me I don't need it, for it's an established fact that those probes, or whatever they are, are arriving and being rebuffed; there's nothing I can do about them (though I devoutly wish there were, and that it involved, if feasible, putting their ultimate originators in jail), and so I just turned off all logging using Guarddog, which allows, as I recall, a couple of levels of logging.

Interesting to see this fine-tuning method. Thanks again.
 
  

