[SOLVED] What is the meaning of TX-OK in output of netstat -i

igadoter · 03-20-2020, 06:43 AM

There are commonly used three notions: packets received, packets sent and packets transmitted

Code:

Every 1.0s: netstat -i                        darkstar: Fri Mar 20 12:27:34 2020

Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500        0      0      0 0             0      0      0      0 BMU
lo       65536      258      0      0 0           258      0      0      0 LRU
wlan0     1500     3445      0      0 0          3673      0      0      0 BMRU

The questions is about difference between send and transmitted TX-OK packets. I compared to this

Code:

Every 1.0s: netstat -t                        darkstar: Fri Mar 20 12:34:42 2020

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp       32      0 192.168.0.100:46734     os-157-249-177-12:https CLOSE_WAIT
tcp       32      0 192.168.0.100:46732     os-157-249-177-12:https CLOSE_WAIT
tcp        0      0 192.168.0.100:40800     edge-mqtt-shv-01-:https ESTABLISHED
tcp    16805      0 192.168.0.100:44692     ice4.somafm.com:http    ESTABLISHED

but as I understand this reports zero send (Send-Q is zero) bytes. Yet value of TX-OK is constantly changing so these are not send packets. Am I right? So what are these transmitted packets TX-OK?

boughtonp · 03-20-2020, 07:11 AM

A trivial search returned this result, which contains this text:

Quote:

The RX and TX columns show how many packets have been received or transmitted error-free (RX-OK/TX-OK) or damaged (RX-ERR/TX-ERR); how many were dropped (RX-DRP/TX-DRP); and how many were lost because of an overrun (RX-OVR/TX-OVR)

igadoter · 03-20-2020, 07:26 AM

I know this. But what is the difference between send (!) and transmitted (!) packets? I understand send as outgoing and received as incoming packets. But what are transmitted? Now value of TX-OK is almost the same as value of RX-OK. Yesterday value of RX-OK was much greater than TX-OK.

boughtonp · 03-20-2020, 08:03 AM

Quote:

Originally Posted by igadoter

I know this. But what is the difference between send (!) and transmitted (!) packets? I understand send as outgoing and received as incoming packets. But what are transmitted? Now value of TX-OK is almost the same as value of RX-OK. Yesterday value of RX-OK was much greater than TX-OK.

There is no difference between sent and transmitted packets.

The Q in "Send-Q" is short for queue - i.e. how many bytes are waiting to be sent at that moment, not how many have been sent.

It is normal for the queue to be zero (no bytes queued at current instant).

igadoter · 03-20-2020, 08:27 AM

So if TX-OK is constantly increasing does it means there are outgoing packets, yes? So how I can find destination? I can't understand where are these outgoing packets come from. Just now I am listening to internet broadcast - I am here on Firefox - I see no sources of outgoing traffic.

boughtonp · 03-20-2020, 08:54 AM

Search: linux log outgoing connections
First result: How can I monitor all outgoing requests/connections from my machine?

Answer 1: netstat -nputwc
Answer 2: iptables LOG
Answer 3: nethogs
Answer 4: tcpdump

igadoter · 03-20-2020, 09:13 AM

What do you think about this

Code:

very 1.0s: netstat -su                                                                          darkstar: Fri Mar 20 15:08:54 2020

IcmpMsg:
    InType3: 128
    OutType3: 128
Udp:
    64910 packets received
    128 packets to unknown port received.
    0 packet receive errors
    65432 packets sent
    0 receive buffer errors
    0 send buffer errors
UdpLite:
IpExt:
    OutMcastPkts: 2
    InBcastPkts: 1
    InOctets: 115040668
    OutOctets: 11793782
    OutMcastOctets: 321
    InBcastOctets: 576
    InNoECTPkts: 160980

something is incoming and outgoing in almost the same size. I mean number of received and sent packets constantly increase in Udp statistic. What is this unkown (?) port number? I switched off broadcast. But still no avail - packets are still being received and transmitted.

igadoter · 03-20-2020, 10:11 AM

Ok I found guilty guy. It is Xfce weather report applet. Once I disabled it things went to normal. Working applet generates flow of NXDomain messages in output of tcpdump, just a sample

Code:

 16:07:41.220629 IP 192.168.0.1.domain > 192.168.0.100.35208: 54132 NXDomain* 0/0/0 (44)
16:07:41.223470 IP 192.168.0.100.58497 > 192.168.0.1.domain: 42698+ PTR? 208.41.9.5.in-addr.arpa. (41)
16:07:41.225828 IP 192.168.0.1.domain > 192.168.0.100.58497: 42698 1/0/0 PTR ws7.geonames.org. (71)
16:07:42.238707 IP 192.168.0.100.34729 > 192.168.0.1.domain: 6300+ PTR? 100.0.168.192.in-addr.arpa. (44)
16:07:47.243793 IP 192.168.0.100.34729 > 192.168.0.1.domain: 6300+ PTR? 100.0.168.192.in-addr.arpa. (44)
16:07:47.348329 IP 192.168.0.1.domain > 192.168.0.100.34729: 6300 NXDomain* 0/0/0 (44)
16:07:47.349669 IP 192.168.0.100.50283 > 192.168.0.1.domain: 58546+ PTR? 208.41.9.5.in-addr.arpa. (41)
16:07:47.352374 IP 192.168.0.1.domain > 192.168.0.100.50283: 58546 1/0/0 PTR ws7.geonames.org. (71)
16:07:48.366365 IP 192.168.0.100.39635 > 192.168.0.1.domain: 47316+ PTR? 100.0.168.192.in-addr.arpa. (44)
16:07:48.371364 IP 192.168.0.1.domain > 192.168.0.100.39635: 47316 NXDomain* 0/0/0 (44)
16:07:48.373876 IP 192.168.0.100.59518 > 192.168.0.1.domain: 3269+ PTR? 208.41.9.5.in-addr.arpa. (41)
16:07:48.376285 IP 192.168.0.1.domain > 192.168.0.100.59518: 3269 1/0/0 PTR ws7.geonames.org. (71)
16:07:49.392111 IP 192.168.0.100.41452 > 192.168.0.1.domain: 28352+ PTR? 100.0.168.192.in-addr.arpa. (44)
16:07:49.395282 IP 192.168.0.1.domain > 192.168.0.100.41452: 28352 NXDomain* 0/0/0 (44)
16:07:49.397947 IP 192.168.0.100.34094 > 192.168.0.1.domain: 52503+ PTR? 208.41.9.5.in-addr.arpa. (41)
16:07:49.406674 IP 192.168.0.1.domain > 192.168.0.100.34094: 52503 1/0/0 PTR ws7.geonames.org. (71)
16:07:50.419992 IP 192.168.0.100.37089 > 192.168.0.1.domain: 25136+ PTR? 100.0.168.192.in-addr.arpa. (44)
16:07:50.422608 IP 192.168.0.1.domain > 192.168.0.100.37089: 25136 NXDomain* 0/0/0 (44)
16:07:50.424945 IP 192.168.0.100.44606 > 192.168.0.1.domain: 14958+ PTR? 208.41.9.5.in-addr.arpa. (41)
16:07:50.427280 IP 192.168.0.1.domain > 192.168.0.100.44606: 14958 1/0/0 PTR ws7.geonames.org. (71)
16:07:51.444223 IP 192.168.0.100.54451 > 192.168.0.1.domain: 2178+ PTR? 100.0.168.192.in-addr.arpa. (44)
16:07:51.448143 IP 192.168.0.1.domain > 192.168.0.100.54451: 2178 NXDomain* 0/0/0 (44)
16:07:51.450522 IP 192.168.0.100.59910 > 192.168.0.1.domain: 47130+ PTR? 208.41.9.5.in-addr.arpa. (41)
16:07:51.457480 IP 192.168.0.1.domain > 192.168.0.100.59910: 47130 1/0/0 PTR ws7.geonames.org. (71)
16:07:52.472084 IP 192.168.0.100.35411 > 192.168.0.1.domain: 60029+ PTR? 100.0.168.192.in-addr.arpa. (44)
16:07:52.474735 IP 192.168.0.1.domain > 192.168.0.100.35411: 60029 NXDomain* 0/0/0 (44)
16:07:52.477698 IP 192.168.0.100.43223 > 192.168.0.1.domain: 45183+ PTR? 208.41.9.5.in-addr.arpa. (41)
16:07:52.490241 IP 192.168.0.1.domain > 192.168.0.100.43223: 45183 1/0/0 PTR ws7.geonames.org. (71)
16:07:53.505885 IP 192.168.0.100.35532 > 192.168.0.1.domain: 62464+ PTR? 100.0.168.192.in-addr.arpa. (44)
16:07:53.511190 IP 192.168.0.1.domain > 192.168.0.100.35532: 62464 NXDomain* 0/0/0 (44)
16:07:53.514068 IP 192.168.0.100.34258 > 192.168.0.1.domain: 59039+ PTR? 208.41.9.5.in-addr.arpa. (41)
16:07:53.516740 IP 192.168.0.1.domain > 192.168.0.100.34258: 59039 1/0/0 PTR ws7.geonames.org. (71)

Applet is responsible for udp incoming and outgoing traffic on unkown port. It may give impression there is working botnet on system.

boughtonp · 03-20-2020, 10:47 AM

That's a bug in the Xfce weather applet.

https://docs.xfce.org/panel-plugins/...reporting_bugs

igadoter · 03-20-2020, 12:13 PM

I'll try it on latest version of Xfce. The one I running is rather old.