Re: [techtalk] Arpwatch
Excerpts from linuxchix: 13-Nov-99 Re: [techtalk] Arpwatch by "Norma Ford"@ci.casa-gra > At one point I had accidently ran arpwatch on one of our linux rh6 boxes and I > was able to see ipaddress with the host name > I'm not sure how I even got to this point. > Well know I have another linux box that does dns host name resolution internal > to our network and I want to make sure I have no duplicates or ip addresses w > ithout a host name. We don't have dhcp enabled so I have to keep track of each > address for auditing purposes:-( > Hope this explained it a little better. Ok, I think I know what you're talking about. You probably don't want to use arpwatch. Arpwatch is for watching arp[1]. To check what ipaddr goes with what hostname or vice versa, use the host, dig, or nslookup commands. Suppose you have a list of ip addresses, you could look up the hostname for each, then look for duplicates or blank entries. If you've got a lot of ips you need to do this for, you can write a script. btw, is there an reason you can't just make sure the config on your nameserver is correct? [1] arp is address resolution protocol. On an ethernet network, arp translates an ip address to an ethernet hardware address. It will be the hwaddr of the target machine, or if it's not on the network, the appropriate router or gateway. Basically, arp broadcasts an arp request to the ethernet network, asking for an ipaddr->hwaddr translation, then caches it for further use. Since it broadcasts, any computer on the network can watch everyone else's. arpwatch-ing is somewhat useful because by looking at what ip addresses someone wants translated, you can see what computers they're connecting to, and therefore what web/ftp sites they're visiting, where they have accounts, etc. Sort of like packet sniffing, but it has the disadvantage of not giving you as much information, and the advantge of working on switched ethernet. [EMAIL PROTECTED] http://www.linuxchix.org
RE:[techtalk] StarOffice and Gnome installation issues
On 11/13/99, 12:37:15 PM, Nils Philippsen erroneously:
> StarOffice is a real memory hog
Unfortunately this is true. :-(
We managed it to spend less memory that StarOffice 5.0 but
it still needs quite a lot.
> a quick test gave this:
The filowing (fortunately!) is *not* correct:
> It eats additional 2MB in the X-Server and forks off
> 6 copies of itself, giving 7 instances running.
^
;-)
> If Linux didn't do such a good job in memory
> management (copy-on-write and stuff), it would consume
> between 100 and 120 MB of RAM (and that's with shared
> memory taken into account).
> Background: I got my numbers from top(1).
:-DD
I am happy to be able to tell you that 'facts' being told
to us above are not right.
Of course StarOffice doesn't use that amount of memory!
At the very moment now while writing this mail i had a
short look at 'ps -m' ('top' resp.) and laughed when seeing
the number of 9 (nine!) entries of 'soffice.bin'. By opening
some other tasks within StarOffice i could easily have that
number increased even more - with each of them pretending to
consume 35 MB.
The simple reason for the common misunderstanding of that
phenomenon and for lots of trouble is that some people start
writing their ideas and theories down without having ensured
that they are true!
StarOffice doesn't consume that Mem for each 'instances' because
there AREN'T ANY MULTIPLE INSTANCES - even if it looks like that.
Instead of this StarOffice runs multiple THREADS (not instances)
to improve performance and all of these threads of course use
THE SAME MEMORY.
The stupid fact that 'ps -m' or 'top' don't show this clearly
caused *some* people to call us by phone and complain about that
Mem Vaste they seemed to have found there.
Work is not always easy for my colleagues of the Support... ;-)
Best greetings,
Karl-Heinz
--
K.-H. Zimmer * Hamburg * Germany
[EMAIL PROTECTED] http://www.linuxchix.org
Re: [techtalk] resolution
The only thing that I notice is it looks a bit 'watery' when i scroll through a page quicklybut at least i can fit a decent number of windows on my desktop now. YAY! Do you have a Trinitron monitor? I have noticed that the Trinitron technology tends to appear wavery when you scroll fast at hi-res. One way to tell is to tap (lightly) on the side or top of your monitor...if you see waves or ripples in the image, then you are probably on a Trinitron. __ Get Your Private, Free Email at http://www.hotmail.com [EMAIL PROTECTED] http://www.linuxchix.org
Re: [techtalk] resolution
yup, that's exactly what i am using. so this is definitely a hardware something, versus me needing to get a better vid card, eh? good to know, so that i wouldn't make that expenditure unecessarily!! thanks JB :) kristin > > Do you have a Trinitron monitor? I have noticed that the Trinitron > technology tends to appear wavery when you scroll fast at hi-res. One way > to tell is to tap (lightly) on the side or top of your monitor...if you see > waves or ripples in the image, then you are probably on a Trinitron. > [EMAIL PROTECTED] http://www.linuxchix.org
[techtalk] PDFs
Stephan - Just to follow up on Walt and Nils, I found out that if you want to 'bundle' a lot of different encapsulated postscript files into one PDF file, you can actually concatenate them together into one 'super eps' file, and then run ps2pdf on that file. Voila, instant completed document :) I happened across this quite by accident, as I wanted to see if I could bundle postscript files I generated from a bunch of different programs into a single file, mostly to make it easier to print. I put the results up at http://www.openface.ca/~pete and I'm quite pleased with the results. Hope this helps, Pete -- Pete St. Onge [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.linuxchix.org
[techtalk] bind problem...and a sendmail one, too
I don't know what bind's problem is, but here's what I have on it: Every one minute, cron runs a job in /tmp (/tmp/ns, the cron listing for this job is also in /tmp). Every one minute after cron is unsuccessful, it sends an e-mail to root saying: bind: Address already in use /tmp/ns is a binary executable, so I have no idea. I have HUP-ed bind (named) to restart it, but that didn't fix the problem. I tried to get some debug info by sending a USR1, it worked the first time but after I tried to increase the debug level, it stopped writing to the named.run file (in /var/named/). I had it dump it's stats, memstats, and database, but I can't seem to decipher WHAT address "is already in use". I have never changed my named.conf or my named.local (they say they were written some day in June, which corresponds to when we moved to RH6.0 from 5.2). It has been having problems since November 2nd. I upgraded eggdrop on October 30th, but I cannot think of any other software I installed/upgraded around that time. I have no other cron-constant jobs, just this one... it's obviously bind (as named) and the "ns" file is probably cryptic for nameserver. I didn't even KNOW cron looked around to find other cron jobs... I thought they all had to be in the crontab (redirecting to cron-constant, cron-hourly, etc). I wish to fix this problem, I don't want to have to delete 12,000 emails from root's mailbox again ;o) sendmail's story: I need to HUP sendmail (linuxconf decided it'd be fun to write a new sendmail.conf thus ending virtual domains for mail), but the pid in /var/run/sendmail.pid doesn't seem to work: [root@ghettoBOX run]# kill -HUP 540 kill: (540) - No such pid We were thinking maybe sendmail got restarted on it's own, but I believe it would write a new PID to that file either way. This PID was written october 20th (when last I rebooted). I'd like to fix sendmail, without it we are having email problems ;o) I am thinking these problems may be fixed with a reboot, but that fix seems so windows-y... I'd rather FIX the problem than be perplexed as to what it was in the first place and just say "oh well". Today's comment from the DH: "wow you're going to know more about unix than me... wait you probably already do." ;o) thanks, -nicole [EMAIL PROTECTED] http://www.linuxchix.org
Re: [techtalk] bind problem...and a sendmail one, too
> I had it dump it's stats, memstats, and database, but I can't seem to > decipher WHAT address "is already in use". I get a chance to plug one of my favorite utilities...strace :-). run strace -p -f -e trace=network and look for something returning EADDRINUSE or 98. Then look at the arguments, and if it was a socket operation, then look at the arguments to the previous operations on that socket, especially bind. Jeff [EMAIL PROTECTED] http://www.linuxchix.org
Re: [techtalk] bind problem...and a sendmail one, too
Excerpts from linuxchix: 14-Nov-99 [techtalk] bind problem...a.. by Nicole [EMAIL PROTECTED] > I don't know what bind's problem is, but here's what I have on it: > > Every one minute, cron runs a job in /tmp (/tmp/ns, the cron listing for > this job is also in /tmp). Every one minute after cron is unsuccessful, > it sends an e-mail to root saying: > bind: Address already in use > /tmp/ns is a binary executable, so I have no idea. Tried strings-ing it? anything interesting there? > I have HUP-ed bind (named) to restart it, but that didn't fix the > problem. I tried to get some debug info by sending a USR1, it worked the > first time but after I tried to increase the debug level, it stopped > writing to the named.run file (in /var/named/). > > I had it dump it's stats, memstats, and database, but I can't seem to > decipher WHAT address "is already in use". It's not necessarily bind. It's probably the ns file > I have never changed my named.conf or my named.local (they say they were > written some day in June, which corresponds to when we moved to RH6.0 > from 5.2). It has been having problems since November 2nd. I upgraded > eggdrop on October 30th, but I cannot think of any other software I > installed/upgraded around that time. When was that ns thing get put there? When did it start getting run by cron? When did it start erroring. > I have no other cron-constant jobs, just this one... it's obviously bind > (as named) and the "ns" file is probably cryptic for nameserver. I > didn't even KNOW cron looked around to find other cron jobs... I thought > they all had to be in the crontab (redirecting to cron-constant, > cron-hourly, etc). I don't think it's necessarily bind/named. There is a function called bind which binds a socket to an address, and it looks like it's erroring since its trying to bind an address aready in use. generally, when I write a program, i put the function name in the error message rather than the executable name, since I assume that you know what program you're running. > I wish to fix this problem, I don't want to have to delete 12,000 emails > from root's mailbox again ;o) For a temporary fix, you can probably mv or rm the /tmp/ns an cron file.. and kill it if any is running. What I would try is playing with /tmp/ns to see what it does (strings, strace, looking at who put it there and when, etc). Personally, i'd be pretty suspicious of it, especially if i had no idea how it got there, though running it one more time probably wouldn't hurt if it's already been run 12,000 times... > sendmail's story: > I need to HUP sendmail (linuxconf decided it'd be fun to write a new > sendmail.conf thus ending virtual domains for mail), but the pid in > /var/run/sendmail.pid doesn't seem to work: > > [root@ghettoBOX run]# kill -HUP 540 > kill: (540) - No such pid > > We were thinking maybe sendmail got restarted on it's own, but I believe > it would write a new PID to that file either way. This PID was written > october 20th (when last I rebooted). > > I'd like to fix sendmail, without it we are having email problems ;o) > > I am thinking these problems may be fixed with a reboot, but that fix > seems so windows-y... I'd rather FIX the problem than be perplexed as to > what it was in the first place and just say "oh well". You could try finding the real pid for sendmail with ps, then either HUP it (and fix its pidfile) or kill and restart it. [EMAIL PROTECTED] http://www.linuxchix.org
Re: [techtalk] bind problem...and a sendmail one, too
Groovy. :o) Jeff Dike wrote: > > > I had it dump it's stats, memstats, and database, but I can't seem to > > decipher WHAT address "is already in use". > > I get a chance to plug one of my favorite utilities...strace :-). > > run strace -p -f -e trace=network > > and look for something returning EADDRINUSE or 98. Then look at the > arguments, and if it was a socket operation, then look at the arguments to the > previous operations on that socket, especially bind. Is there something I am missing here? Here's what I have: crond.pid (according to /var/run/crond.pid) is 328 [root@ghettoBOX run]# strace -p 328 -f -e trace=network about to attach 148 [pid 14160] recv(59, "\211\302\203\372\377t\t\205\322t"..., 0, 0x804ff70) = 14162 [pid 14161] recv(134545456, "\211\302\203\372\377t\t\205\322t"..., 0, 0x8050030) = 14164 [pid 14161] --- SIGCHLD (Child exited) --- [pid 14161] recv(-1073744108, "\211\303\203\373\377t\t\205\333t"..., 3221223888, MSG_PEEK|0x60) = 14165 [pid 14160] --- SIGCHLD (Child exited) --- [pid 328] --- SIGCHLD (Child exited) --- [pid 14161] --- SIGCHLD (Child exited) --- --- SIGCHLD (Child exited) --- [pid 14168] recv(60, [pid 14169] recv(134545456, [pid 14168] <... recv resumed> "\211\302\203\372\377t\t\205\322t"..., 0, 0x804ff70) = 14170 [pid 14169] <... recv resumed> "\211\302\203\372\377t\t\205\322t"..., 0, 0x8050030) = 14171 [pid 14168] --- SIGCHLD (Child exited) --- [pid 328] --- SIGCHLD (Child exited) --- [pid 14169] --- SIGCHLD (Child exited) --- [pid 14169] recv(-1073744108, "\211\303\203\373\377t\t\205\333t"..., 3221223888, MSG_PEEK|0x60) = 14173 [pid 14169] --- SIGCHLD (Child exited) --- --- SIGCHLD (Child exited) --- [pid 14176] recv(59, "\211\302\203\372\377t\t\205\322t"..., 0, 0x804ff70) = 14178 [pid 14177] recv(134545456, [pid 14181] recv(134545472, [pid 14177] <... recv resumed> "\211\302\203\372\377t\t\205\322t"..., 0, 0x8050030) = 14180 [pid 14181] <... recv resumed> "\211\302\203\372\377t\t\205\322t"..., 0, 0x8050040) = 14182 [pid 14176] --- SIGCHLD (Child exited) --- [pid 328] --- SIGCHLD (Child exited) --- [pid 14181] --- SIGCHLD (Child exited) --- [pid 14181] recv(-1073744108, "\211\303\203\373\377t\t\205\333t"..., 3221223888, MSG_PEEK|0x60) = 14183 [pid 14177] --- SIGCHLD (Child exited) --- [pid 14181] --- SIGCHLD (Child exited) --- --- SIGCHLD (Child exited) --- --- SIGCHLD (Child exited) --- [pid 14185] recv(60, "\211\302\203\372\377t\t\205\322t"..., 0, 0x804ff70) = 14187 [pid 14186] recv(134545456, "\211\302\203\372\377t\t\205\322t"..., 0, 0x8050030) = 14189 [pid 14186] --- SIGCHLD (Child exited) --- [pid 14186] recv(-1073744108, "\211\303\203\373\377t\t\205\333t"..., 3221223888, MSG_PEEK|0x60) = 14190 [pid 14185] --- SIGCHLD (Child exited) --- [pid 328] --- SIGCHLD (Child exited) --- [pid 14186] --- SIGCHLD (Child exited) --- --- SIGCHLD (Child exited) --- [pid 14193] recv(60, "\211\302\203\372\377t\t\205\322t"..., 0, 0x804ff70) = 14195 [pid 14194] recv(134545456, "\211\302\203\372\377t\t\205\322t"..., 0, 0x8050030) = 14197 [pid 14194] --- SIGCHLD (Child exited) --- [pid 14194] recv(-1073744108, [pid 14193] --- SIGCHLD (Child exited) --- [pid 328] --- SIGCHLD (Child exited) --- [pid 14194] <... recv resumed> "\211\303\203\373\377t\t\205\333t"..., 3221223888, MSG_PEEK|0x60) = 14198 [pid 14194] --- SIGCHLD (Child exited) --- --- SIGCHLD (Child exited) --- [pid 14200] recv(60, "\211\302\203\372\377t\t\205\322t"..., 0, 0x804ff70) = 14202 [pid 14201] recv(134545456, "\211\302\203\372\377t\t\205\322t"..., 0, 0x8050030) = 14204 [pid 14200] --- SIGCHLD (Child exited) --- [pid 328] --- SIGCHLD (Child exited) --- [pid 14201] --- SIGCHLD (Child exited) --- [pid 14201] recv(-1073744108, "\211\303\203\373\377t\t\205\333t"..., 3221223888, MSG_PEEK|0x60) = 14205 [pid 14201] --- SIGCHLD (Child exited) --- --- SIGCHLD (Child exited) --- and so on... divided by -- SIGCHLD (Child exited) --- every one minute the outputs are all very similar... i've been watching for a while now :o) i don't know anything about strace, so if i am missing something, i wouldn't know -nicole [EMAIL PROTECTED] http://www.linuxchix.org
Re: [techtalk] bind problem...and a sendmail one, too
Laurel Fan wrote: > Tried strings-ing it? anything interesting there? here's some strings /tmp/ns stuff beginning: 24.113.101.63 63.192.202.250 socket bind recvfrom %s %s %s aIf3YWfOhw.V. PONG *HELLO* ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$ UFC-crypt, patchlevel 1e, @(#)patchlevel.h 1.13 9/10/96 %s%s%s lots of things about gconv (/usr/lib/gconv), days of the week, months of the year, alert, backspace, newline, vertical-tab, form-feed, carriage-return, space, exclamation-mark, quotation-mark, POSIX messages /usr/share/locale several errors like "wrong medium type", "remote I/O error", "is a named type file", "network is down", "cannot assign requested address", "address already in use", "address family not supported by protocol" Success mention of: mbrtowc.c, wcrtomb.c, wcsrtombs.c, /proc/self/exe find library= cannot open shared object file /etc/ld.so.cache search cache= ld.so-1.7.0 several elf errors mention of: dynamic-link.h, dl-deps.c, dl-version.c, dl-runtime.c and then a /dev/null near the end 24.113.101.63 traceroutes to... 15 cr354685-a.crdva1.bc.wave.home.com (24.113.101.63) 63.192.202.250 to... argh it won't trace... stops at 10 but 63.192.1.1 traces to 9 adsl-63-192-1-1.dsl.snfc21.pacbell.net (63.192.1.1) and 63.192.202.1 traces to 9 adsl-63-192-202-1.dsl.snfc21.pacbell.net (63.192.202.1) so... it is likely adsl-63-192-202-250.dsl.snfc21.pacbell.net (not that that may mean anything, but IPs are the first thing that came to mind there...) > When was that ns thing get put there? When did it start getting run by > cron? When did it start erroring. see below > I don't think it's necessarily bind/named. There is a function called > bind which binds a socket to an address, and it looks like it's > erroring since its trying to bind an address aready in use. generally, > when I write a program, i put the function name in the error message > rather than the executable name, since I assume that you know what > program you're running. ahhh (light bulb goes on) I understand a leetle better now. Shouldn't have listened to hubby when he told me I was man-ing the wrong bind ;o) > For a temporary fix, you can probably mv or rm the /tmp/ns an cron > file.. and kill it if any is running. What I would try is playing with > /tmp/ns to see what it does (strings, strace, looking at who put it > there and when, etc). Personally, i'd be pretty suspicious of it, > especially if i had no idea how it got there, though running it one more > time probably wouldn't hurt if it's already been run 12,000 times... i do have NO idea how it got there... but it was root created (apparently).. it was created on the 3rd (i was off by a day in earlier estimation), which is when the errors started: [root@ghettoBOX run]# ls -l /tmp/ns -rwxr-xr-x 1 root root 305688 Nov 3 17:34 /tmp/ns* same with /tmp/cron: [root@ghettoBOX run]# ls -l /tmp/cron -rw-r--r-- 1 root root 24 Nov 3 17:34 /tmp/cron > You could try finding the real pid for sendmail with ps, then either HUP > it (and fix its pidfile) or kill and restart it. tried looking in ps aux and there is no sendmail there :o) i believe i will nix or move the /tmp/ns and /tmp/cron files... i have no idea what they are supposed to do, but i do not trust them -nicole [EMAIL PROTECTED] http://www.linuxchix.org
Re: [techtalk] bind problem...and a sendmail one, too
> Is there something I am missing here? Here's what I have: > crond.pid (according to /var/run/crond.pid) is 328 I was trying to be fancy with the "-e trace=network" bit. It looks like the interesting system calls aren't captured by "trace=network". Try this: strace -p -f -o strace.out Let the error happen, then look in strace.out for a write(..., "Address already in use", ...), look for the syscall just before it that returned EADDRINUSE or 98, look operations that happened on the file descriptor that the error happened on. Those will tell you something about what's going on with that socket. I don't at all guarantee that this will tell you what you're really interested in knowing, but you find out lots of stuff that you didn't know about :-) Jeff [EMAIL PROTECTED] http://www.linuxchix.org
Re: [techtalk] bind problem...and a sendmail one, too
Jeff Dike wrote: > > > Is there something I am missing here? Here's what I have: > > crond.pid (according to /var/run/crond.pid) is 328 > > I was trying to be fancy with the "-e trace=network" bit. It looks like the > interesting system calls aren't captured by "trace=network". > > Try this: strace -p -f -o strace.out > > Let the error happen, then look in strace.out for a > write(..., "Address already in use", ...), > look for the syscall just before it that returned EADDRINUSE or 98, look > operations that happened on the file descriptor that the error happened on. hmm... no EADDRINUSE or 98 in the whole file this is what happens (well an example, the ESPIPE eror is constant): 15242 _llseek(0x5, 0, 0, 0xb76c, 0x1) = -1 ESPIPE (Illegal seek) 15242 read(5, "bind: Address already in use\n", 4096) = 29 > Those will tell you something about what's going on with that socket. > > I don't at all guarantee that this will tell you what you're really interested > in knowing, but you find out lots of stuff that you didn't know about :-) definitely interesting :o) -nicole [EMAIL PROTECTED] http://www.linuxchix.org
Re: [techtalk] bind problem...and a sendmail one, too
> hmm... no EADDRINUSE or 98 in the whole file > this is what happens (well an example, the ESPIPE eror is constant): > 15242 _llseek(0x5, 0, 0, 0xb76c, 0x1) = -1 ESPIPE (Illegal seek) > 15242 read(5, "bind: Address already in use\n", 4096) = 29 Are you sure you did the -f on strace? Because you should have seen the write corresponding to that read since that message should have come from a child. If the write is there and you just left it out, then that's where you start looking. You see what might have prompted the error, what file descriptor it involved, and what the history of the file descriptor is. If you want, send me a hunk of that strace output, like from one of those reads to the next, and I'll see what I can see in it. Jeff [EMAIL PROTECTED] http://www.linuxchix.org
Re: [techtalk] bind problem...and a sendmail one, too
Excerpts from linuxchix: 14-Nov-99 Re: [techtalk] bind problem.. by Nicole [EMAIL PROTECTED] > i believe i will nix or move the /tmp/ns and /tmp/cron files... i have > no idea what they are supposed to do, but i do not trust them Looks like you might have been hacked. I'd also look for other strange stuff, ie check your logs for strange things and strange omissions, look for recently changed files that you dont know anything about, look for anything unusual in ps, netstat, lsof. If you really want to be safe, format and reinstall everything. If you don't want to do that, don't run any services you don't need, set up a firewall, and keep an eye on things, etc. [EMAIL PROTECTED] http://www.linuxchix.org
