DAve wrote:
I am routinely seeing these entries in one of my servers' logs.

Limiting closed port RST response from 373 to 200 packets/sec

The server sits behind a PIX firewall, so I am suspicious of what is
trying to connect to a closed port. I don't see in any other logs what
port is being hit, or what IP is causing these log entries.

Any way to tell what the source IP of these is?

Thanks,

DAve

Easiest way, probably without any "observer effect," would be to mirror the switch port your server is plugged into and use a computer running wireshark, or equivalent, to look at the mirrored traffic.

Unless, of course, your switch doesn't support port mirroring, you don't have a spare computer running wireshark, etc., etc. It's obviously hard to tell what resources you have available to you.

You can also install wireshark from ports on your server, but depending on disk space, how "pristine" you want your server to remain, and internal security rules (wireshark, particularly some of the protocol decoders, is not without its own issues), there are some downsides to this.

Also remember that source IPs can be forged, so look at the MAC address information as well if things appear to be really odd.

--

--Jon Radel
j...@radel.com
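A worked version of the approach Jon describes, added here and not part of either post: it feeds tcpdump output (from the server itself, or from a box on a mirrored switch port) through awk, counts the server's outbound RSTs per destination to name the prober, and keeps the source MAC of each inbound frame so a forged source IP still points back at the real sender on the local segment. The server address 10.0.0.5, interface em0 and the capture lines are constructed assumptions.

```sh
# Hypothetical helper, not from the thread. Assumptions: server is 10.0.0.5 on em0, IPv4 only.
# Live use:  tcpdump -nn -e -l -i em0 'tcp and host 10.0.0.5' | summarize_rst 10.0.0.5
# Every RST the server emits answers a probe of a closed port, so the RST's destination is
# the prober. Inbound frames contribute their source MAC: a forged source IP still arrives
# from the sender's real MAC, so several IPs behind one MAC (or vice versa) stand out.
summarize_rst() {
    awk -v server="$1" '
    {
        # tcpdump -e layout: ts srcmac > dstmac, ethertype ..., length N: sip.port > dip.port: Flags [..]
        # The MAC pair occupies $2-$4, so the first ">" from $5 onward separates the IP pair.
        src = dst = ""
        for (i = 5; i <= NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
        sub(/:$/, "", dst)                      # drop trailing colon after the destination
        sub(/\.[0-9]+$/, "", src)               # drop the port, leaving a bare IPv4 address
        sub(/\.[0-9]+$/, "", dst)
        src_mac = $2
    }
    src == server && index($0, "Flags [R") > 0 { rst[dst]++ }   # our RST: count the prober
    dst == server {                                             # inbound: remember sender MAC
        if (index(macs[src], src_mac) == 0)
            macs[src] = (macs[src] == "") ? src_mac : macs[src] "," src_mac
    }
    END {
        for (ip in rst)
            print rst[ip], ip, ((ip in macs) ? macs[ip] : "no-inbound-frame-seen")
    }' | sort -rn
}

# Constructed tcpdump -nn -e output: station aa:..:01 probes two closed ports as 192.168.1.7,
# then one more with a forged source of 10.0.0.99; the server answers each with an RST.
sample_capture() {
cat <<'EOF'
12:00:01.000001 aa:aa:aa:aa:aa:01 > cc:cc:cc:cc:cc:05, ethertype IPv4 (0x0800), length 74: 192.168.1.7.51234 > 10.0.0.5.8080: Flags [S], seq 1, win 65535, length 0
12:00:01.000050 cc:cc:cc:cc:cc:05 > aa:aa:aa:aa:aa:01, ethertype IPv4 (0x0800), length 54: 10.0.0.5.8080 > 192.168.1.7.51234: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.100001 aa:aa:aa:aa:aa:01 > cc:cc:cc:cc:cc:05, ethertype IPv4 (0x0800), length 74: 192.168.1.7.51235 > 10.0.0.5.8081: Flags [S], seq 1, win 65535, length 0
12:00:01.100050 cc:cc:cc:cc:cc:05 > aa:aa:aa:aa:aa:01, ethertype IPv4 (0x0800), length 54: 10.0.0.5.8081 > 192.168.1.7.51235: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:02.000001 aa:aa:aa:aa:aa:01 > cc:cc:cc:cc:cc:05, ethertype IPv4 (0x0800), length 74: 10.0.0.99.40000 > 10.0.0.5.8082: Flags [S], seq 1, win 65535, length 0
12:00:02.000050 cc:cc:cc:cc:cc:05 > dd:dd:dd:dd:dd:99, ethertype IPv4 (0x0800), length 54: 10.0.0.5.8082 > 10.0.0.99.40000: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:03.000001 cc:cc:cc:cc:cc:05 > aa:aa:aa:aa:aa:01, ethertype IPv4 (0x0800), length 66: 10.0.0.5.22 > 192.168.1.7.50000: Flags [.], ack 1, win 1024, length 0
EOF
}

sample_capture | summarize_rst 10.0.0.5
```

In the sample, both reported IPs share the MAC aa:aa:aa:aa:aa:01, which is the tell-tale of a forged source that the IP column alone would hide.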
