LinuxQuestions.org
Old 03-31-2005, 02:14 AM   #1
lantern
Member
 
Registered: Sep 2003
Distribution: Debian, Slackware
Posts: 39

Rep: Reputation: 15
Flooded with keepalives


Hi,

Lately my Debian machine (Thinkpad T22) is getting barraged with TCP Keep-Alive packets from my Linksys router, at a constant rate of around 15 packets/sec. Each packet is 60 bytes. I'm having trouble figuring out whether the culprit is my Linux machine or router. I have a few other PCs running XP on my network and they're problem free. I tried upgrading the router's firmware but that didn't help.

Can anybody suggest how to determine where the problem is?

Here's a sample packet I sniffed with ethereal. Every packet looks like this one (except for time, seq num, etc.):

----------------------------
Frame 30 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:0f:66:23:49:7b, Dst: ff:ff:ff:ff:ff:ff
Internet Protocol, Src Addr: 192.168.1.1 (192.168.1.1), Dst Addr: 0.0.0.0 (0.0.0.0)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 41
Identification: 0x10dd (4317)
Flags: 0x00
Fragment offset: 0
Time to live: 150
Protocol: TCP (0x06)
Header checksum: 0x5249 (correct)
Source: 192.168.1.1 (192.168.1.1)
Destination: 0.0.0.0 (0.0.0.0)
Transmission Control Protocol, Src Port: 1046 (1046), Dst Port: 0 (0), Seq: 0, Ack: 0, Len: 1
Source port: 1046 (1046)
Destination port: 0 (0)
Sequence number: 0 (relative sequence number)
Next sequence number: 1 (relative sequence number)
Acknowledgement number: 0 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 0
Checksum: 0x61da (incorrect, should be 0x9c14)
SEQ/ACK analysis
Data (1 byte)

0000 4e N

No. Time Source Destination Protocol Info
31 0.433917 192.168.1.1 0.0.0.0 TCP [TCP ZeroWindow] [TCP Keep-Alive] 1047 > 0 [ACK] Seq=0 Ack=0 Win=0 [CHECKSUM INCORRECT] Len=1
--------------------------

Thanks in advance,
lantern
 
Old 03-31-2005, 04:49 AM   #2
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Jessie"
Posts: 6,036

Rep: Reputation: 371
Well, I am no expert at networks, but it looks to me as though the second and third lines tell you what you need to know:

Quote:
Ethernet II, Src: 00:0f:66:23:49:7b, Dst: ff:ff:ff:ff:ff:ff
Internet Protocol, Src Addr: 192.168.1.1
Whatever has the IP of 192.168.1.1, or has the hardware address of 00:0f:66:23:49:7b is what is sending these packets.
 
Old 03-31-2005, 09:27 AM   #3
lantern
Member
 
Registered: Sep 2003
Distribution: Debian, Slackware
Posts: 39

Original Poster
Rep: Reputation: 15
Right ... that MAC and IP belong to my Linksys router. I know that's where the packets are coming from, but I'm trying to figure out why. I would just conclude that the router is malfunctioning, but it's odd that only my Linux box is getting flooded and not the other PCs on my local network.

Could there be something in my Linux machine's network configuration (or otherwise) which is soliciting this flood of packets?

Thanks.

Last edited by lantern; 03-31-2005 at 09:54 AM.
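
An added example, not part of any post in this thread: a small triage script that re-parses the frame from post #1 and recomputes both checksums, listing the fields that make it abnormal. The frame bytes are reconstructed from the values in the ethereal dump (the trailing padding is assumed to be zero), and the names `csum` and `triage` are hypothetical.

```python
import struct

# Constructed frame: rebuilt from the field values in the capture above.
# The 5 trailing Ethernet padding bytes are assumed to be zero.
FRAME = bytes.fromhex(
    "ffffffffffff000f6623497b0800"              # Ethernet II
    "4500002910dd000096065249c0a8010100000000"  # IPv4 header
    "0416000000000000000000005010000061da0000"  # TCP header
    "4e" "0000000000")                          # 1 data byte + padding

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum (16-bit one's-complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def triage(frame: bytes) -> dict:
    """Parse Ethernet/IPv4/TCP and list fields that look abnormal."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    src_ip, dst_ip = ip[12:16], ip[16:20]
    seg = ip[ihl:total_len]                     # excludes Ethernet padding
    sport, dport, seq, ack, off_flags, window, wire = struct.unpack(
        "!HHIIHHH", seg[:18])
    # TCP checksum covers a pseudo-header plus the segment, checksum zeroed
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(seg))
    expected = csum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])
    checks = [
        (dst_mac == b"\xff" * 6, "broadcast destination MAC"),
        (dst_ip == b"\x00" * 4, "destination IP 0.0.0.0"),
        (dport == 0, "destination port 0"),
        (window == 0, "zero window"),
        (wire != expected, "bad TCP checksum"),
    ]
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "ip_header_ok": csum(ip[:ihl]) == 0,    # valid header sums to 0
        "tcp_sum_wire": wire, "tcp_sum_expected": expected,
        "findings": [msg for hit, msg in checks if hit],
    }

if __name__ == "__main__":
    for key, value in triage(FRAME).items():
        print(key, value)
```

A frame addressed to ff:ff:ff:ff:ff:ff is delivered to every host on the segment, so running the same capture on one of the other machines shows whether the traffic is really specific to one host.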
 
  

