can anyone help diagnose this trace ??
What does this trace mean?
Where is it coming from?
Is it abnormal?

I have substituted aaa-bbb for the last portion of the ip address
I have substituted "xxx" for the ip server domain (maybe dumb because 12-203 is unique to it)

22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 > ns1."xxx".com.domain: 2517+ PTR? 170.7.203.12.in-addr.arpa. (43) (DF)
22:00:04.679506 ns1."xxx".com.domain > 12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)

The trace repeats about once every 6 seconds.

Dan

dan <dansawyer@earthlink.net> wrote:
> What does this trace mean?
> Where is it coming from?
> Is it abnormal?
> I have substituted aaa-bbb for the last portion of the ip
> address
> I have substituted "xxx" for the ip server domain
> (maybe dumb because 12-203 is unique to it)
> 22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 >
> ns1."xxx".com.domain: 2517+ PTR? 170.7.203.12.in-addr.arpa.
> (43) (DF)
> 22:00:04.679506 ns1."xxx".com.domain >
> 12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)

Really dumb as your or another IP from your LAN is still readable for anyone and it perhaps tries to reverse lookups itself asking your nameserver, if aaa=170 and bbb=7.

Perhaps some daemon trying to startup, hard to tell with that bi data.

--
Michael Heiming
Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM

Michael Heiming <michael+USENET@www.heiming.de> wrote:
> dan <dansawyer@earthlink.net> wrote:
> > What does this trace mean?
> > Where is it coming from?
> > Is it abnormal?
> > I have substituted aaa-bbb for the last portion of the ip
> > address
> > I have substituted "xxx" for the ip server domain
> > (maybe dumb because 12-203 is unique to it)
> > 22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 >
> > ns1."xxx".com.domain: 2517+ PTR? 170.7.203.12.in-addr.arpa.
> > (43) (DF)
> > 22:00:04.679506 ns1."xxx".com.domain >
> > 12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)
> Really dumb as your or another IP from your LAN is still
> readable for anyone and it perhaps tries to reverse lookups
> itself asking your nameserver, if aaa=170 and bbb=7.
> Perhaps some daemon trying to startup, hard to tell with
> that bi data.

Oops, should be aaa=7, bbb=170 of course, that's what you get from it.

--
Michael Heiming
Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM

On Sun, 19 Oct 2003 13:20:56 -0700, dan <dansawyer@earthlink.net> wrote:
> What does this trace mean?
>
> Where is it coming from?
>
> Is it abnormal?

It looks like your box is making a request from your port 1237 to your ISP's nameserver on port 53 (domain). The nameserver answers from its port 53 to your port 1237. That part is perfectly normal, but no clue why every 6 seconds. Could be anything attempting to resolve a name or IP (Win or internet file sharing, IM, worm, etc.).

> I have substituted aaa-bbb for the last portion of the ip
> address
>
> I have substituted "xxx" for the ip server domain
> (maybe dumb because 12-203 is unique to it)
>
> 22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 >
> ns1."xxx".com.domain: 2517+ PTR? 170.7.203.12.in-addr.arpa.
> (43) (DF)
> 22:00:04.679506 ns1."xxx".com.domain >
> 12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)
>
> The trace repeats about once every 6 seconds.
>
> Dan
>

--
David Efflandt - All spam ignored
http://www.de-srv.com/
http://www.autox.chicago.il.us/
http://www.berniesfloral.net/
http://cgi-help.virtualave.net/
http://hammer.prohosting.com/~cgi-wiz/

Thanks,
I have additional information, the trace was output from:

    tcpdump -i eth1

After more digging I came across the use of '-n'. Traces of:

    tcpdump -i eth1 -n

removed the dns requests. I have no idea where the ip addresses in the dns were coming from. They did not show up on the other trace.

Are there any additional thoughts on that one?

Dan

David Efflandt wrote:
> On Sun, 19 Oct 2003 13:20:56 -0700, dan <dansawyer@earthlink.net> wrote:
>
>>What does this trace mean?
>>
>>Where is it coming from?
>>
>>Is it abnormal?
>
> It looks like your box is making a request from your port 1237 to your
> ISP's nameserver on port 53 (domain). The nameserver answers from its
> port 53 to your port 1237. That part is perfectly normal, but no clue why
> every 6 seconds. Could be anything attempting to resolve a name or IP
> (Win or internet file sharing, IM, worm, etc.).
>
>>I have substituted aaa-bbb for the last portion of the ip
>>address
>>
>>I have substituted "xxx" for the ip server domain
>>(maybe dumb because 12-203 is unique to it)
>>
>>22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 >
>>ns1."xxx".com.domain: 2517+ PTR? 170.7.203.12.in-addr.arpa.
>>(43) (DF)
>>22:00:04.679506 ns1."xxx".com.domain >
>>12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)
>>
>>The trace repeats about once every 6 seconds.
>>
>>Dan
>>
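
Added example, not part of any post in this thread: a Python sketch that reads tcpdump text output like the trace above, decodes each PTR query name back into the address being reverse-resolved, and reports how often each address is asked about. tcpdump without -n performs reverse lookups for the addresses it prints, so comparing this summary with the addresses in a -n capture shows whether the lookups come from the capture itself. The function names and the last two sample lines are assumptions made for the example; the ip6.arpa branch goes beyond the IPv4 case in the thread.

```python
import ipaddress
import re

# Matches query lines such as: 22:00:04.642207 host.1237 > ns.domain: 2517+ PTR? <name>. (43) (DF)
QUERY = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) > (\S+): (\d+)\+? PTR\? (\S+)\. \(")

def ptr_to_ip(name):
    """Turn an in-addr.arpa / ip6.arpa name into the address it asks about."""
    labels = name.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:32]))
            if len(nibbles) == 32:
                return str(ipaddress.IPv6Address(int(nibbles, 16)))
    except ValueError:
        pass
    return None  # partial zone name or not a reverse name at all

def ptr_queries(lines):
    """Yield (microseconds since midnight, client, address) per PTR query."""
    for line in lines:
        m = QUERY.match(line.strip())
        if not m:
            continue  # answers and non-DNS packets are skipped
        h, mi, s, us = (int(g) for g in m.group(1, 2, 3, 4))
        ip = ptr_to_ip(m.group(8))
        if ip:
            yield ((h * 60 + mi) * 60 + s) * 1_000_000 + us, m.group(5), ip

def summarize(lines):
    """Per looked-up address: (query count, mean seconds between queries)."""
    seen = {}
    for ts, _client, ip in ptr_queries(lines):
        seen.setdefault(ip, []).append(ts)
    return {
        ip: (len(t), (t[-1] - t[0]) / (len(t) - 1) / 1e6 if len(t) > 1 else None)
        for ip, t in seen.items()
    }

# First two lines: the trace from the thread. Last two: constructed repeats
# (query IDs invented) standing in for "about once every 6 seconds".
SAMPLE = [
    '22:00:04.642207 12-203-aaa-bbb.client."xxx".com.1237 > ns1."xxx".com.domain: 2517+ PTR? 170.7.203.12.in-addr.arpa. (43) (DF)',
    '22:00:04.679506 ns1."xxx".com.domain > 12-203-26-242.client."xxx".com.1237: 2517* 1/4/4 (258) (DF)',
    '22:00:10.642207 12-203-aaa-bbb.client."xxx".com.1237 > ns1."xxx".com.domain: 2518+ PTR? 170.7.203.12.in-addr.arpa. (43) (DF)',
    '22:00:16.642207 12-203-aaa-bbb.client."xxx".com.1237 > ns1."xxx".com.domain: 2519+ PTR? 170.7.203.12.in-addr.arpa. (43) (DF)',
]
```

Calling `summarize()` on the lines of a saved capture gives one entry per reverse-resolved address; on `SAMPLE` it reports 12.203.7.170 queried three times at a 6 second interval.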