Thanks for the explanation, net.inet.udp.log_in_vain was very well put, now I can debug better.
I'll do some more tests and then come back here to the list.

Thank you Steven and Gary.

[]s

On 27/10/14 10:21, Gary Palmer wrote:
> On Mon, Oct 27, 2014 at 09:31:04AM -0200, Tiago Felipe wrote:
>> Maybe, but do not believe it, because when you turn it on, the counter
>
> Turn what on, exactly?
>
>> "dropped due to the socket" has gradually increased, this machine acts
>
> Please provide the exact output from the "netstat -s -s" command that
> you are talking about.  There is no such statistic
> "dropped due to the socket".
>
>> as pppoe concentrator, mpd5 and netgraph ..
>> I have clients with public IP and nat44.
>>
>> I'm doing tests yet, but I've read a lot about and looked for similar
>> problems, could not come to a conclusion ...
>
> If you are referring to "dropped due to no socket" it means that
> a UDP packet arrived for a port that had no socket listening on it.
>
> If you are referring to another statistic please provide the *exact*
> statistic.
>
> If you want to see what UDP requests are being dropped due to no
> socket then run this as root:
>
>     sysctl net.inet.udp.log_in_vain=1
>
> it may produce a LOT of logs, so to turn it off again do:
>
>     sysctl net.inet.udp.log_in_vain=0
>
> The log_in_vain output should go to the console and anywhere in syslog
> you have configured to receive kern.info syslog events.
>
> If you have an idle system where the counter is not incrementing
> and it is passing no traffic (a VM with no network would be ideal)
> you can test the behaviour of the "dropped due to no socket" statistic
> yourself.
>
> Run:
>
>     netstat -s -s | grep 'dropped due to no socket'
>     traceroute localhost
>     netstat -s -s | grep 'dropped due to no socket'
>
> The 'dropped due to no socket' count should go up by 3, for the 3
> traceroute packets that tried to connect to a port that had no listening
> socket.  You can use the net.inet.udp.log_in_vain sysctl to see the 3
> traceroute packets during the test if you are interested.
>
> If you aren't running any firewalls, then as Steve mentioned the most
> likely reason is people scanning your box looking for vulnerabilities.
> e.g. I see people try to hit the SIP port (UDP 5060) every day on IPs
> that don't run any SIP services.  It's also possible that some
> customer equipment is hitting ports on your PPPOE termination boxes
> as the box is the "other end" of the PPPOE session and the customer
> equipment is trying to use that "other end" for services, e.g. DNS, NTP
> or similar, even if your PPP session points them elsewhere for those
> services.
>
> Regards,
>
> Gary
>
>>
>> Thank you
>>
>> On 27/10/14 09:21, Steven Hartland wrote:
>>> I assume you mean "dropped due to *no* socket" which means you're seeing
>>> requests to a port which isn't open, possibly due to being port scanned?
>>>
>>> On 27/10/2014 11:00, Tiago Felipe wrote:
>>>> Good afternoon!
>>>>
>>>> I have seen "dropped due to the socket" on multiple servers with
>>>> FreeBSD, this case is a Release 10.
>>>> # Netstat -s -s
>>>> ...
>>>> 4614884 dropped due to the socket
>>>> ...
>>>>
>>>> In this case the current flow is 700mbits download and 80mbits upload,
>>>> averaging 130kpps.
>>>>
>>>> I've done many changes in sysctl.conf and loader.conf, swapped hardware
>>>> and have not had many improvements.
>>>>
>>>> Can anyone tell me the reason? I'm looking for it to weeks, but still no
>>>> result.
>>>>
>>>> Thank you so much.
>>>>
>>>
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
>>
>> --
>> []s
>

--
[]s
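
Added example, not part of the original thread: because log_in_vain "may produce a LOT of logs", this sketch reduces the captured lines to a ranking of destination ports or source addresses, which is usually enough to tell scanning (e.g. UDP 5060) from customer equipment asking the PPPoE box for DNS or NTP. The function names, the sample host name and addresses, and the assumed log line format "Connection attempt to UDP <dst>:<port> from <src>:<port>" are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed log_in_vain line format:
#   Connection attempt to UDP <dst-ip>:<port> from <src-ip>:<port>
# Verify against your own syslog before relying on it.

# Print the first "dropped due to no socket" counter from `netstat -s -s`
# output on stdin (0 if the line is absent).
no_socket_count() {
    awk '/dropped due to no socket/ { print $1; found = 1; exit }
         END { if (!found) print 0 }'
}

# Rank log_in_vain lines on stdin by destination port ("port", default)
# or by source address ("src"). Output: "<count> <key>", busiest first.
log_in_vain_top() {
    awk -v mode="${1:-port}" '
        /Connection attempt to UDP/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "UDP")  dst = $(i + 1)
                if ($i == "from") src = $(i + 1)
            }
            key = dst; sub(/.*:/, "", key)        # keep destination port
            if (mode == "src") {
                key = src; sub(/:[0-9]+$/, "", key)   # keep source address
            }
            n[key]++
        }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation and CGN address ranges).
sample_log() {
    cat <<'EOF'
Oct 27 10:30:01 bras1 kernel: Connection attempt to UDP 203.0.113.1:5060 from 198.51.100.7:5071
Oct 27 10:30:02 bras1 kernel: Connection attempt to UDP 203.0.113.1:53 from 100.64.0.12:40112
Oct 27 10:30:02 bras1 kernel: Connection attempt to UDP 203.0.113.1:5060 from 198.51.100.9:5088
Oct 27 10:30:03 bras1 kernel: Connection attempt to UDP 203.0.113.1:123 from 100.64.0.12:123
Oct 27 10:30:04 bras1 kernel: Connection attempt to UDP 203.0.113.1:53 from 100.64.0.31:51320
Oct 27 10:30:05 bras1 kernel: Connection attempt to UDP 203.0.113.1:5060 from 198.51.100.7:5071
EOF
}

# On the FreeBSD box itself (paths depend on your syslog.conf):
#   netstat -s -s | no_socket_count
#   grep 'Connection attempt to UDP' /var/log/messages | log_in_vain_top port
#   grep 'Connection attempt to UDP' /var/log/messages | log_in_vain_top src
sample_log | log_in_vain_top port
```

Taking `no_socket_count` before and after a fixed interval gives the drop rate to compare against the per-port ranking.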