On Fri, Jan 29, 2010 at 10:51 AM, James Smallacombe <u...@3.am> wrote:

> Some updates that may confuse more than inform: I caught this while it was
> happening yesterday and was able to do a tcpdump.  I saw a ton of UDP
> traffic outbound to one IP that turned out to be a colocated server in
> Chicago.  I put that IP in my ipfw rules and once I blocked "any to" that
> IP, it seemed to stop.  Since then however, the logs have shown the same
> issue again and there have been a few brief service disruptions.
>
> Today's security run output showed this:
>
> +(RULE NUMBER) 16054161 131965203420 deny ip from any to (blocked IP)
>
> and more alarmingly, this:
>
> kernel log messages:
> +++ /tmp/security.BErFHSS3      2010-01-29 03:09:32.000000000 -0500
> +re0: link state changed to DOWN
> +re0: link state changed to UP
> +re0: promiscuous mode enabled
> +re0: promiscuous mode disabled
> +re0: promiscuous mode enabled
> +re0: promiscuous mode disabled
> +re0: promiscuous mode enabled
> +re0: promiscuous mode disabled
>
> re0 obviously being the Realtek Ethernet driver.  The server itself never
> went down during this time, but the Ethernet did.  Is there any DOS type of
> event that could cause this, or could the root of the problem be an Ethernet
> hardware or driver issue?  Again, it is not clear to me which is the cause
> and which is the effect.
>
> Last bit of info:  I just did a: 'tcpdump -n | grep -i udp' and saw a bunch
> of these, coming up a couple of times per second:
>

Promiscuous mode entries are caused by tcpdump.

-- 
Adam Vande More
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
