> On Tue, 8 Aug 2000, Wayne Dyer wrote:
>
> > my_machine.org for my machine's name. The traffic is NOT coming from my
> > internal network. Where can I find a listing of the flags FP and R?
> > Any ideas as to what's happening here?
> >
> > 08:21:38.088650 < 10.1.12.50.https > my_machine.org.3520: FP 1196603461:1196603484(23) ack 3231268890 win 18980 (DF)
> > 08:21:38.088774 > my_machine.org.3520 > 10.1.12.50.https: R 3231268890:3231268890(0) win 0
>
> Well, it looks an awful lot like you've got Netscape open, loading a page
> over https : )
>
> What does eth1 connect to?
From the looks of the IP address (10.1.12.50), it appears to be some
host within the internal LAN, probably running a secure webserv
application... (how far off am I on this one, Wayne?)
Testing platform maybe?
>
> If you want to know what has a connection open, you may need to do one of
> two things:
>
> 1) If the connection looks like it's coming from your machine, and this
> one does, try:
> netstat -avnp | grep 3520
> You may get more than one line, but look for a line that indicates that a
> local interface has port 3520 open, like:
> tcp 1 0 192.168.0.2:3520 10.1.12.50:443 CLOSE_WAIT 31639/netscape-comm
But next time it *probably* won't be on that port. How about grepping for
443 instead (that's a pretty good number to use since it will never be
part of any IP address)?
> That line should include the name of the application, but will at least
> give you the PID.
>
> 2) If it looks like a Masqueraded connection, in which case the local port
> will be above 60000, then use:
> ipchains -M -L
> That will print out all of the open masquerading connections. You can use
> that to figure out what machine has the connection open, but will have to
> go there to figure out what program opened the connection.
>
> MSG
Can you refer me to a document that details why masqueraded connections
are above port 60000? I haven't heard of this before, nor have I noticed
this behaviour. Curious to see why they limit themselves to only a few
thousand ports for masqueraded connections
(when there could possibly be *thousands* from the local LAN).
Sincerely
Robert Soros
[EMAIL PROTECTED]
http://soros.ath.cx
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
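
Added example, not part of the original thread: a shell filter for the `netstat -avnp` step discussed above that compares the port field of the local and foreign address columns exactly, so a PID or a longer port number containing the same digits does not match the way a plain `grep` would. The function name `find_port_owner` and the sample rows are constructed for illustration; the column layout assumed is the Linux net-tools TCP layout shown in the thread.

```shell
#!/bin/sh
# Usage on a live system (flags as given in the thread):
#   netstat -avnp | find_port_owner 3520
#
# Reads netstat-style rows on stdin and prints
#   local-address foreign-address state pid/program
# for every TCP row whose local OR foreign port equals $1 exactly.
# Assumed column layout (TCP rows only; UDP rows have no State column):
#   Proto Recv-Q Send-Q Local Foreign State PID/Program
find_port_owner() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && NF >= 7 {
            # Strip everything up to the last colon to isolate the port.
            # Works for 192.168.0.2:3520 and for IPv6 forms such as :::443.
            lport = $4; sub(/.*:/, "", lport)
            fport = $5; sub(/.*:/, "", fport)
            if (lport == port || fport == port) {
                # Program names may contain spaces; rejoin fields 7..NF.
                prog = $7
                for (i = 8; i <= NF; i++) prog = prog " " $i
                print $4, $5, $6, prog
            }
        }'
}

# Constructed sample input. A plain "grep 3520" matches all three rows
# (port 3520, port 35201, PID 3520); "grep 443" matches rows 1 and 2
# (port 443, PID 4430).
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 1 0 192.168.0.2:3520 10.1.12.50:443 CLOSE_WAIT 31639/netscape-comm
tcp 0 0 192.168.0.2:35201 10.1.12.51:80 ESTABLISHED 4430/lynx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3520/sshd'

# Demonstration on the sample: each call prints only the first row.
printf '%s\n' "$SAMPLE" | find_port_owner 3520
printf '%s\n' "$SAMPLE" | find_port_owner 443
```

Without root privileges netstat prints `-` in the PID/Program column for sockets owned by other users, so the filter will show the row but not the owning process.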