Old 01-26-2010, 02:40 PM   #1
housemusic42
Member
 
Registered: Dec 2003
Location: St. Louis
Distribution: redhat 9
Posts: 31

Rep: Reputation: 15
strange networking issue involving xen interface


greetings!


I'm having a problem locating some network traffic. I had noticed in my firewall that I was seeing unusual pings come from a specific box. I went to the box and did a tcpdump:

Code:
13:29:19.860135 IP 192.168.1.55 > 192.168.126.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:19.860177 IP 192.168.1.55 > 192.168.245.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:20.770680 IP 192.168.1.55 > 192.168.64.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:20.770842 IP 192.168.1.55 > 192.168.170.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:22.264817 IP 192.168.1.55 > 192.168.47.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:22.264860 IP 192.168.1.55 > 192.168.80.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:25.709368 IP 192.168.1.55 > 192.168.120.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:25.709424 IP 192.168.1.55 > 192.168.98.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:27.347506 IP 192.168.1.55 > 192.168.26.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:27.347546 IP 192.168.1.55 > 192.168.164.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84

well that's strange. i don't have any of those networks on my lan. i ran rkhunter and nothing showed up. obviously the traffic stops when i down the interface but ps and netstat show nothing. i've stopped pretty much every network service and the traffic only stops when i down if

here's a host uname

Code:
Linux box 2.6.18-128.2.1.el5 #1 SMP Tue Jul 14 06:39:56 EDT 2009 i686 i686 i386 GNU/Linux

the box sits on a xen server and i've verified the traffic is coming over the bridge and not the real interface on the xen host.

where is this ping traffic coming from and how can i stop it? any ideas would be greatly appreciated.


for grins and giggles:

Code:
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3E:75:E5:5D
          inet addr:192.168.1.55  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe75:e55d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:725395 errors:0 dropped:0 overruns:0 frame:0
          TX packets:473562 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:68150922 (64.9 MiB)  TX bytes:53685072 (51.1 MiB)
          Interrupt:5 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2015 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2015 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:422368 (412.4 KiB)  TX bytes:422368 (412.4 KiB)



Code:
 netstat -anp | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:199               0.0.0.0:*                   LISTEN      19345/snmpd
tcp        0      0 0.0.0.0:651                 0.0.0.0:*                   LISTEN      19125/rpc.statd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      19096/portmap
tcp        0      0 :::22                       :::*                        LISTEN      19364/sshd
tcp        0     52 ::ffff:192.168.1.55:22      ::ffff:192.168.11.140:2243  ESTABLISHED 23689/0
udp        0      0 0.0.0.0:645                 0.0.0.0:*                               19125/rpc.statd
udp        0      0 0.0.0.0:648                 0.0.0.0:*                               19125/rpc.statd
udp        0      0 0.0.0.0:161                 0.0.0.0:*                               19345/snmpd
udp        0      0 0.0.0.0:47204               0.0.0.0:*                               19480/avahi-daemon:
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               19480/avahi-daemon:
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               19096/portmap
udp        0      0 192.168.1.55:123            0.0.0.0:*                               19382/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                               19382/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               19382/ntpd
udp        0      0 :::60583                    :::*                                    19480/avahi-daemon:
udp        0      0 :::5353                     :::*                                    19480/avahi-daemon:
udp        0      0 fe80::216:3eff:fe75:123     :::*                                    19382/ntpd
udp        0      0 ::1:123                     :::*                                    19382/ntpd
udp        0      0 :::123                      :::*                                    19382/ntpd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     348924 19000/audispd       /var/run/audispd_events
unix  2      [ ACC ]     STREAM     LISTENING     349150 19074/mcstransd     /var/run/setrans/.setrans-unix
unix  2      [ ACC ]     STREAM     LISTENING     349440 19188/dbus-daemon   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     349558 19237/pcscd         /var/run/pcscd.comm
unix  2      [ ACC ]     STREAM     LISTENING     350385 19480/avahi-daemon: /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     350431 19496/hald          @/var/run/hald/dbus-Ri3GsaIW4T
unix  2      [ ACC ]     STREAM     LISTENING     350039 19397/gpm           /dev/gpmctl
unix  15     [ ]         DGRAM                    349016 19037/syslogd       /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     350430 19496/hald          @/var/run/hald/dbus-CjlBVM6jx2
unix  2      [ ]         DGRAM                    1395   358/udevd           @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    350439 19496/hald          @/org/freedesktop/hal/udev_event
unix  2      [ ACC ]     STREAM     LISTENING     350249 19435/xfs           /tmp/.font-unix/fs7100
unix  2      [ ]         DGRAM                    470431 23689/0
unix  3      [ ]         STREAM     CONNECTED     351190 19188/dbus-daemon   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     351189 19496/hald
unix  3      [ ]         STREAM     CONNECTED     350991 19496/hald          @/var/run/hald/dbus-CjlBVM6jx2
unix  3      [ ]         STREAM     CONNECTED     350989 19507/event0
unix  3      [ ]         STREAM     CONNECTED     350434 19496/hald          @/var/run/hald/dbus-Ri3GsaIW4T
unix  3      [ ]         STREAM     CONNECTED     350433 19497/hald-runner
unix  3      [ ]         STREAM     CONNECTED     350388 19188/dbus-daemon   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     350387 19480/avahi-daemon:
unix  3      [ ]         STREAM     CONNECTED     350382 19481/avahi-daemon:
unix  3      [ ]         STREAM     CONNECTED     350381 19480/avahi-daemon:
unix  2      [ ]         DGRAM                    350379 19480/avahi-daemon:
unix  2      [ ]         DGRAM                    350051 19412/crond
unix  2      [ ]         DGRAM                    350007 19397/gpm
unix  2      [ ]         DGRAM                    349960 19382/ntpd
unix  2      [ ]         DGRAM                    349870 19345/snmpd
unix  2      [ ]         DGRAM                    349707 19292/automount
unix  2      [ ]         DGRAM                    349656 19270/hidd
unix  2      [ ]         DGRAM                    349589 19253/apmd
unix  2      [ ]         DGRAM                    349557 19237/pcscd
unix  3      [ ]         STREAM     CONNECTED     349456 19188/dbus-daemon
unix  3      [ ]         STREAM     CONNECTED     349455 19188/dbus-daemon
unix  3      [ ]         STREAM     CONNECTED     349378 19161/rpc.idmapd

Code:
ps auxwww
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.2   2064   644 ?        Ss   Jan22   0:00 init [3]
root         2  0.0  0.0      0     0 ?        S<   Jan22   0:00 [migration/0]
root         3  0.0  0.0      0     0 ?        SN   Jan22   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S<   Jan22   0:00 [watchdog/0]
root         5  0.0  0.0      0     0 ?        S<   Jan22   0:00 [events/0]
root         6  0.0  0.0      0     0 ?        S<   Jan22   0:00 [khelper]
root         7  0.0  0.0      0     0 ?        S<   Jan22   0:00 [kthread]
root        10  0.0  0.0      0     0 ?        S<   Jan22   0:00 [kblockd/0]
root        11  0.0  0.0      0     0 ?        S<   Jan22   0:00 [cqueue/0]
root        14  0.0  0.0      0     0 ?        S<   Jan22   0:00 [khubd]
root        16  0.0  0.0      0     0 ?        S<   Jan22   0:00 [kseriod]
root        43  0.0  0.0      0     0 ?        S    Jan22   0:00 [kapmd]
root        87  0.0  0.0      0     0 ?        S    Jan22   0:00 [pdflush]
root        88  0.0  0.0      0     0 ?        S    Jan22   0:00 [pdflush]
root        89  0.0  0.0      0     0 ?        S<   Jan22   0:00 [kswapd0]
root        90  0.0  0.0      0     0 ?        S<   Jan22   0:00 [aio/0]
root       244  0.0  0.0      0     0 ?        S<   Jan22   0:00 [kpsmoused]
root       266  0.0  0.0      0     0 ?        S<   Jan22   0:00 [ata/0]
root       267  0.0  0.0      0     0 ?        S<   Jan22   0:00 [ata_aux]
root       272  0.0  0.0      0     0 ?        S<   Jan22   0:00 [kstriped]
root       281  0.0  0.0      0     0 ?        S<   Jan22   0:00 [ksnapd]
root       292  0.0  0.0      0     0 ?        S<   Jan22   0:01 [kjournald]
root       324  0.0  0.0      0     0 ?        S<   Jan22   0:00 [kauditd]
root       358  0.0  0.5   2808  1364 ?        S<s  Jan22   0:00 /sbin/udevd -d
root       573  0.0  0.0      0     0 ?        S<   Jan22   0:00 [xenwatch]
root       574  0.0  0.0      0     0 ?        S<   Jan22   0:00 [xenbus]
root       913  0.0  0.0      0     0 ?        S<   Jan22   0:00 [kmpathd/0]
root       914  0.0  0.0      0     0 ?        S<   Jan22   0:00 [kmpath_handlerd]
root       938  0.0  0.0      0     0 ?        S<   Jan22   0:05 [kjournald]
root       946  0.0  0.0      0     0 ?        S<   Jan22   0:00 [kjournald]
root      1615  0.0  0.0      0     0 ?        S<   Jan22   0:00 [rpciod/0]
root     16856  0.0  0.0      0     0 ?        S<   Jan25   0:00 [krfcommd]
root     18998  0.0  0.3  12516   784 ?        S<sl Jan25   0:00 auditd
root     19000  0.0  0.2  12068   684 ?        S<sl Jan25   0:00 /sbin/audispd
root     19022  0.0  3.8  11572  9876 ?        Ss   Jan25   0:00 /usr/sbin/restorecond
root     19037  0.0  0.2   1720   628 ?        Ss   Jan25   0:00 syslogd -m 0
root     19040  0.0  0.1   1672   396 ?        Ss   Jan25   0:00 klogd -x
root     19074  0.0  0.1   2160   500 ?        Ss   Jan25   0:00 mcstransd
rpc      19096  0.0  0.2   1808   556 ?        Ss   Jan25   0:00 portmap
rpcuser  19125  0.0  0.2   1852   740 ?        Ss   Jan25   0:00 rpc.statd
root     19161  0.0  0.2   5508   592 ?        Ss   Jan25   0:00 rpc.idmapd
dbus     19188  0.0  0.3  12984  1016 ?        Ssl  Jan25   0:00 dbus-daemon --system
root     19237  0.0  0.4  12724  1256 ?        Ssl  Jan25   0:00 pcscd
root     19253  0.0  0.1   1660   368 ?        Ss   Jan25   0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
root     19270  0.0  0.1   1908   452 ?        Ss   Jan25   0:00 /usr/bin/hidd --server
root     19292  0.0  0.5  10816  1316 ?        Ssl  Jan25   0:00 automount
root     19345  0.0  2.6  27424  6704 ?        Sl   Jan25   0:03 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid -a
root     19364  0.0  0.4   7016  1040 ?        Ss   Jan25   0:00 /usr/sbin/sshd
ntp      19382  0.0  1.7   4388  4388 ?        SLs  Jan25   0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root     19397  0.0  0.1   1900   364 ?        Ss   Jan25   0:00 gpm -m /dev/input/mice -t exps2
root     19412  0.0  0.4   5284  1196 ?        Ss   Jan25   0:00 crond
xfs      19435  0.0  0.3   3160   980 ?        Ss   Jan25   0:00 xfs -droppriv -daemon
root     19464  0.0  0.1   2264   444 ?        Ss   Jan25   0:00 /usr/sbin/atd
avahi    19480  0.0  0.5   2588  1348 ?        Ss   Jan25   0:00 avahi-daemon: running [kronos.local]
avahi    19481  0.0  0.1   2588   324 ?        Ss   Jan25   0:00 avahi-daemon: chroot helper
68       19496  0.0  1.4   5600  3604 ?        Ss   Jan25   0:00 hald
root     19497  0.0  0.3   3152   988 ?        S    Jan25   0:00 hald-runner
68       19507  0.0  0.3   2012   808 ?        S    Jan25   0:00 hald-addon-keyboard: listening on /dev/input/event0
root     19548  0.0  0.1   3508   428 ?        S    Jan25   0:00 /usr/sbin/smartd -q never
root     19551  0.0  0.1   1656   428 tty1     Ss+  Jan25   0:00 /sbin/mingetty tty1
root     19552  0.0  0.1   1656   436 tty2     Ss+  Jan25   0:00 /sbin/mingetty tty2
root     19553  0.0  0.1   1656   432 tty3     Ss+  Jan25   0:00 /sbin/mingetty tty3
root     19554  0.0  0.1   1656   432 tty4     Ss+  Jan25   0:00 /sbin/mingetty tty4
root     19555  0.0  0.1   1656   456 tty5     Ss+  Jan25   0:00 /sbin/mingetty tty5
root     19556  0.0  0.1   1656   432 tty6     Ss+  Jan25   0:00 /sbin/mingetty tty6
root     23689  0.0  1.1   9868  2848 ?        Ss   13:28   0:00 sshd: root@pts/0
root     23691  0.0  0.5   4532  1452 pts/0    Ss   13:29   0:00 -bash
root     23724  0.0  0.3   4252   940 pts/0    R+   13:31   0:00 ps auxwww

Last edited by housemusic42; 01-26-2010 at 02:42 PM. Reason: adding ifconfig
 
Old 01-27-2010, 05:30 PM   #2
housemusic42
Member
 
Registered: Dec 2003
Location: St. Louis
Distribution: redhat 9
Posts: 31

Original Poster
Rep: Reputation: 15
ah ha!

these are workstations within my network with VMplayer loaded on them with VMware Network Adapters.

this broadcast traffic was being sent out all of the adapters (real and virtual), and the server was trying to respond, but it was going to the gateway on our network and was being dropped. as soon as i disabled the virtual adapters in Network Connections, the dropped traffic stopped.

the other thing that occurs is that with Windows clients, NTP is configured via DHCP, so when the adapters try to query NTP (which this host is) it times out.


well that was fun. :-)
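
A triage sketch for the capture in post #1, added here as an example and not part of the original thread: it parses tcpdump's one-line ICMP unreachable format and separates peers that are on the interface's own subnet from peers that are not, which is the pattern the second post explains. The function names are hypothetical, the sample lines are a subset copied from post #1, and the `192.168.1.55/24` interface comes from the posted ifconfig output.

```python
import ipaddress
import re
from collections import Counter

# Subset of the tcpdump lines posted in #1.
SAMPLE = """\
13:29:19.860135 IP 192.168.1.55 > 192.168.126.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:19.860177 IP 192.168.1.55 > 192.168.245.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:20.770680 IP 192.168.1.55 > 192.168.64.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
13:29:25.709368 IP 192.168.1.55 > 192.168.120.1: ICMP host 192.168.1.55 unreachable - admin prohibited, length 84
"""

# tcpdump one-line format for an ICMP unreachable error:
#   <time> IP <src> > <dst>: ICMP host <host> unreachable - <reason>, length N
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?:host|net) (?P<target>[\d.]+) unreachable(?: - (?P<reason>[^,]+))?"
)

def parse_icmp_errors(text):
    """Yield (src, dst, target, reason) for each ICMP unreachable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
                   ipaddress.ip_address(m["target"]), m["reason"] or "")

def triage(text, local_if):
    """Summarise ICMP errors sent by this host, split by on-link vs off-link peers."""
    iface = ipaddress.ip_interface(local_if)
    report = {"self_generated": 0, "off_link": Counter(), "on_link": Counter()}
    for src, dst, target, reason in parse_icmp_errors(text):
        # src == target == our own address: the host itself is refusing an
        # inbound packet (typically a firewall REJECT rule in the kernel),
        # so ps and netstat have no owning process or socket to show.
        if src == iface.ip and target == iface.ip:
            report["self_generated"] += 1
        bucket = "on_link" if dst in iface.network else "off_link"
        report[bucket][str(dst)] += 1
    return report

if __name__ == "__main__":
    r = triage(SAMPLE, "192.168.1.55/24")
    print("errors generated by this host:", r["self_generated"])
    for peer, n in sorted(r["off_link"].items()):
        print(f"  off-link peer {peer}: {n} (reply leaves via the default gateway)")
```

Because these lines are replies, the next capture to take is of the inbound packets from the listed peers; their source MAC addresses on the LAN identify the machines that sent them.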
 
  


All times are GMT -5.
