Re: Confused about network traffic on mysql port

2003-03-27 Thread Fred van Engen
Hi,

On Thu, Mar 27, 2003 at 05:35:22PM -0500, Gary Huntress wrote:
> > >I have noticed on many occasions some extensive traffic on my internal
> > >network that I cannot explain.   Below you will see two sets of tcpdump
> > >traces.   I have a mysql server running on my internal host named
> > >"herzegbol" and a windows 98 host named shelbyville
> > >
> > >This trace is when the MySQL server is running:
> > >14:33:45.886159 eth1 > herzegbol.mysql > shelbyville.2333: S
> > >700834979:700834979(0) ack 2360059956 win 5792  [snip]
> > >
> > >This trace is after I issue mysqladmin shutdown:
> > >14:32:09.886091 eth1 > herzegbol.mysql > shelbyville.2333: R 0:0(0) ack
> > >2360059956 win 0 (DF)
> [snip]
> > >
> > >The reason this is confusing to me is that the traffic originates on the
> > >mysql server "herzegbol" via the mysql port and the destination is the
> > >windows box on dozens of ports and there is no program or process on the
> > >windows machine that is connected to the database server.  As far as I can
> > >tell there is absolutely no reason for Herzegbol to talk to shelbyville, yet
> > >this traffic will pop up almost every day for a period of time and swamp my
> > >network.  I would like to identify the source and understand the cause.
> 

[snip] :)

> Unless I discover something else, I'm going to assume this is not a mysql
> problem.
> 

This all happens at the level of the TCP stack, so MySQL couldn't be
involved I guess. Could you try running tcpdump -n to make sure the
DNS or host tables aren't goofed up? TCP stacks don't just reply to
unsent packets.

Regards,

Fred.

-- 
Fred van Engen                               XB Networks B.V.
email: [EMAIL PROTECTED]                     Televisieweg 2
tel: +31 36 5462400                          1322 AC  Almere
fax: +31 36 5462424                          The Netherlands

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]



Re: Confused about network traffic on mysql port

2003-03-27 Thread Fred van Engen
Hi,

On Thu, Mar 27, 2003 at 02:28:37PM -0500, Gary Huntress wrote:
> I have noticed on many occasions some extensive traffic on my internal
> network that I cannot explain.   Below you will see two sets of tcpdump
> traces.   I have a mysql server running on my internal host named
> "herzegbol" and a windows 98 host named shelbyville
> 
> This trace is when the MySQL server is running:
> 14:33:45.886159 eth1 > herzegbol.mysql > shelbyville.2333: S
> 700834979:700834979(0) ack 2360059956 win 5792 <mss 1460,sackOK,timestamp 420171046 7876889,nop,wscale 0> (DF)
> 14:33:46.156126 eth1 > herzegbol.mysql > shelbyville.2311: S
> 703613196:703613196(0) ack 1969309172 win 5792 <mss 1460,sackOK,timestamp 420171073 7876916,nop,wscale 0> (DF)
> 14:33:47.010646 eth1 > herzegbol.mysql > shelbyville.2345: S
> 697677373:697677373(0) ack 2546308254 win 5792 <mss 1460,sackOK,timestamp 420171158 7877001,nop,wscale 0> (DF)
> 14:33:47.246107 eth1 > herzegbol.mysql > shelbyville.2304: S
> 705352284:705352284(0) ack 1841862906 win 5792 <mss 1460,sackOK,timestamp 420171182 7877025,nop,wscale 0> (DF)
> 

These look like reply packets (SYN-ACK) to a port open request (SYN)
sent from shelbyville. In this case a confirmation that the port was
opened successfully.


> This trace is after I issue mysqladmin shutdown:
> 14:32:09.886091 eth1 > herzegbol.mysql > shelbyville.2333: R 0:0(0) ack
> 2360059956 win 0 (DF)
> 14:32:15.626067 eth1 > herzegbol.mysql > shelbyville.2334: R 0:0(0) ack
> 2356113189 win 0 (DF)
> 14:32:17.586063 eth1 > herzegbol.mysql > shelbyville.2308: R 0:0(0) ack
> 1867829359 win 0 (DF)
> 14:32:20.696068 eth1 > herzegbol.mysql > shelbyville.2321: R 0:0(0) ack
> 2130321013 win 0 (DF)
> 14:32:25.566094 eth1 > herzegbol.mysql > shelbyville.2324: R 0:0(0) ack
> 2251852705 win 0 (DF)
> 14:32:30.066104 eth1 > herzegbol.mysql > shelbyville.2325: R 0:0(0) ack
> 2264947201 win 0 (DF)
> 

These look like reply packets (RST) to a port open request (SYN) sent
from shelbyville. In this case a notification that nothing is listening
on the port.


> The reason this is confusing to me is that the traffic originates on the
> mysql server "herzegbol" via the mysql port and the destination is the
> windows box on dozens of ports and there is no program or process on the
> windows machine that is connected to the database server.  As far as I can
> tell there is absolutely no reason for Herzegbol to talk to shelbyville, yet
> this traffic will pop up almost every day for a period of time and swamp my
> network.  I would like to identify the source and understand the cause.
> 

My guess is that you're showing only packets sent by herzegbol and not
packets received by herzegbol and that shelbyville is really trying to
connect. What is your tcpdump line and what do you see when you connect
manually from shelbyville to herzegbol? (i.e. telnet herzegbol 3306)


Regards,

Fred.


-- 
Fred van Engen                               XB Networks B.V.
email: [EMAIL PROTECTED]                     Televisieweg 2
tel: +31 36 5462400                          1322 AC  Almere
fax: +31 36 5462424                          The Netherlands

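Taken together, Fred's two replies above make one point: each quoted line is herzegbol's TCP stack answering a SYN that shelbyville sent (a SYN-ACK while mysqld listens on 3306, an RST with sequence number 0 once nothing listens), and the ack field of every reply holds shelbyville's initial sequence number plus one, a value herzegbol could only have learned from that SYN. The script below is an added example, not code from the thread, from MySQL or from tcpdump. It parses the tcpdump 3.x lines quoted in the thread (re-joined onto one line each and ordered by timestamp), classifies each one, recovers the peer's ISN, and reports something that is visible in the traces themselves: the shelbyville.2333 line carries ack 2360059956 in both the RST and the SYN-ACK trace, so the same SYN was answered twice, once refused and once accepted. The regex, the Verdict record and the extra outbound-SYN line are my own constructions; the last one is there to show what a connection that herzegbol itself opened would look like.

```python
"""Classify herzegbol's outbound tcpdump lines and recover who opened each
connection.  Added example for the thread above; not code from the thread,
from MySQL or from tcpdump."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# tcpdump 3.x text format as quoted in the thread (one packet per line):
#   <time> <iface> > <src>.<port> > <dst>.<port>: <flags> <seq>:<seq>(<len>) ack <n> win <w> ...
# "ack <n>" is only printed when the ACK bit is set; the seq range is absent on
# pure ACKs.  The "<" or ">" after the interface is old Linux tcpdump's
# inbound/outbound marker.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>[<>])\s+"
    r"(?P<src>[\w.-]+)\.(?P<sport>\w+)\s+>\s+(?P<dst>[\w.-]+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SRPF.]+)\s+"
    r"(?:(?P<seq>\d+):\d+\(\d+\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
)

# Lines posted in the thread, re-joined onto one line each and put in
# timestamp order (herzegbol is the MySQL host, shelbyville the Windows 98 box).
THREAD_CAPTURE = """\
14:32:09.886091 eth1 > herzegbol.mysql > shelbyville.2333: R 0:0(0) ack 2360059956 win 0 (DF)
14:32:15.626067 eth1 > herzegbol.mysql > shelbyville.2334: R 0:0(0) ack 2356113189 win 0 (DF)
14:32:17.586063 eth1 > herzegbol.mysql > shelbyville.2308: R 0:0(0) ack 1867829359 win 0 (DF)
14:33:45.886159 eth1 > herzegbol.mysql > shelbyville.2333: S 700834979:700834979(0) ack 2360059956 win 5792 <mss 1460,sackOK,timestamp 420171046 7876889,nop,wscale 0> (DF)
14:33:46.156126 eth1 > herzegbol.mysql > shelbyville.2311: S 703613196:703613196(0) ack 1969309172 win 5792 <mss 1460,sackOK,timestamp 420171073 7876916,nop,wscale 0> (DF)
"""

# Constructed line (not from the thread): what a connection that herzegbol
# itself opens would look like, i.e. a bare SYN with no ack field.
CONSTRUCTED_OUTBOUND_SYN = (
    "14:35:00.000000 eth1 > herzegbol.1025 > 192.168.0.1.80: S "
    "1234567:1234567(0) win 5840 <mss 1460,sackOK,timestamp 420180000 0,nop,wscale 0> (DF)"
)


@dataclass
class Verdict:
    ts: str
    local: str                # host.port on the captured (sending) side
    peer: str                 # host.port on the other side
    kind: str                 # "syn-ack", "rst-to-syn", "syn" or "other"
    peer_isn: Optional[int]   # peer's initial sequence number, if recoverable
    initiator: str            # host that sent the first packet of the exchange


def classify(line: str) -> Verdict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    flags = m["flags"]
    seq = int(m["seq"]) if m["seq"] else None
    ack = int(m["ack"]) if m["ack"] else None
    local = f"{m['src']}.{m['sport']}"
    peer = f"{m['dst']}.{m['dport']}"
    if "S" in flags and ack is not None:
        # SYN-ACK: second step of the handshake.  We ack the peer's ISN+1, so
        # the peer sent the SYN and a listener on our port accepted it.
        return Verdict(m["ts"], local, peer, "syn-ack", ack - 1, m["dst"])
    if "R" in flags and seq == 0 and ack is not None:
        # RST with seq 0 acking ISN+1 is the RFC 793 reply to a SYN that hit a
        # port with nothing listening; again the peer sent the SYN.
        return Verdict(m["ts"], local, peer, "rst-to-syn", ack - 1, m["dst"])
    if "S" in flags and ack is None:
        # Bare SYN leaving us: the only case where the local host initiated.
        return Verdict(m["ts"], local, peer, "syn", None, m["src"])
    return Verdict(m["ts"], local, peer, "other", None, "unknown")


def analyse(capture: str) -> List[Verdict]:
    return [classify(line) for line in capture.splitlines() if line.strip()]


def initiators(verdicts: List[Verdict]) -> List[str]:
    return sorted({v.initiator for v in verdicts})


def retried_attempts(verdicts: List[Verdict]) -> Dict[Tuple[str, int], List[str]]:
    """Group replies by (peer host.port, peer ISN).  A peer retransmitting the
    same SYN shows up with the same port and ISN in several replies; a mix of
    kinds (RST, then SYN-ACK) means the retries spanned a restart of the
    listener."""
    seen: Dict[Tuple[str, int], List[str]] = {}
    for v in verdicts:
        if v.peer_isn is not None:
            seen.setdefault((v.peer, v.peer_isn), []).append(v.kind)
    return {key: kinds for key, kinds in seen.items() if len(kinds) > 1}


if __name__ == "__main__":
    verdicts = analyse(THREAD_CAPTURE)
    for v in verdicts + [classify(CONSTRUCTED_OUTBOUND_SYN)]:
        isn = f" (peer ISN {v.peer_isn})" if v.peer_isn is not None else ""
        print(f"{v.ts} {v.local} -> {v.peer}: {v.kind:10} initiated by {v.initiator}{isn}")
    print("initiators in the thread's traces:", initiators(verdicts))
    print("same SYN answered more than once:", retried_attempts(verdicts))
```

The block runs stand-alone and prints one verdict per packet. On the wire, the check Fred asks for is a capture of both directions with name lookups off, for example tcpdump -n -i eth1 'host 192.168.0.2 and tcp port 3306' (eth1 and the addresses are the ones named in the thread); the inbound S packets from shelbyville that precede each of these replies should then show up, whereas a capture that matches only packets leaving herzegbol looks exactly like the traces quoted above.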



Re: Confused about network traffic on mysql port

2003-03-27 Thread Gary Huntress

- Original Message -
From: "Paul DuBois" <[EMAIL PROTECTED]>
To: "Gary Huntress" <[EMAIL PROTECTED]>
Sent: Thursday, March 27, 2003 4:33 PM
Subject: Re: Confused about network traffic on mysql port


> >I have noticed on many occasions some extensive traffic on my internal
> >network that I cannot explain.   Below you will see two sets of tcpdump
> >traces.   I have a mysql server running on my internal host named
> >"herzegbol" and a windows 98 host named shelbyville
> >
> >This trace is when the MySQL server is running:
> >14:33:45.886159 eth1 > herzegbol.mysql > shelbyville.2333: S
> >700834979:700834979(0) ack 2360059956 win 5792 <mss 1460,sackOK,timestamp 420171046 7876889,nop,wscale 0> (DF)
> >
> >This trace is after I issue mysqladmin shutdown:
> >14:32:09.886091 eth1 > herzegbol.mysql > shelbyville.2333: R 0:0(0) ack
> >2360059956 win 0 (DF)
[snip]
> >
> >The reason this is confusing to me is that the traffic originates on the
> >mysql server "herzegbol" via the mysql port and the destination is the
> >windows box on dozens of ports and there is no program or process on the
> >windows machine that is connected to the database server.  As far as I can
> >tell there is absolutely no reason for Herzegbol to talk to shelbyville, yet
> >this traffic will pop up almost every day for a period of time and swamp my
> >network.  I would like to identify the source and understand the cause.

The shelbyville box (192.168.0.2) never ever connects to the Herzegbol
(192.168.0.32) MySQL server, shelbyville does not even have a mysql ODBC
driver installed.  All connections are either from external users (port
forwarded through firewall to herzegbol)  or from the apache/php web pages
(on 192.168.0.1).

To add to the confusion, I just checked the host table on herzegbol and
there isn't even an entry there for shelbyville so I don't even know how
herzegbol even knows there is a box to TRY and connect to!  (for those
wondering why you then see the host shelbyville show up in the tcpdump
above, it is done from a different host)

Unless I discover something else, I'm going to assume this is not a mysql
problem.

Thanks for the help.

Regards,
Gary "SuperID" Huntress
===
FreeSQL.org offering free database hosting to developers
Visit http://www.freesql.org




>
> Do you experience a lot of connection aborts on the client end?
> Maybe the server's periodically trying to ascertain whether the client end
> of connections are still alive after a timeout period or something.
> (Just a guess, probably a poor one.)
>



Re: Confused about network traffic on mysql port

2003-03-27 Thread Gary Huntress
I've considered that.  But there are no indications that is the case, I
sniff traffic to that box from my firewall (that could be compromised too of
course) and I see nothing suspicious.   The only traffic on that box is on
the mysql port.

Since I see this traffic on the mysql port when the server is running I must
assume that it is mysqld who owns the port.  I am currently investigating
the other comments that I have received.

Regards,
Gary "SuperID" Huntress
===
FreeSQL.org offering free database hosting to developers
Visit http://www.freesql.org



- Original Message -
From: "GERST, MICHAEL (SBCSI)" <[EMAIL PROTECTED]>
To: "'Gary Huntress'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, March 27, 2003 4:44 PM
Subject: RE: Confused about network traffic on mysql port


> Somebody got control of mysql, or you're rooted?
>
> -Original Message-
> From: Gary Huntress [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 27, 2003 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: Confused about network traffic on mysql port
>
> I have noticed on many occasions some extensive traffic on my internal
> network that I cannot explain.   Below you will see two sets of tcpdump
> traces.   I have a mysql server running on my internal host named
> "herzegbol" and a windows 98 host named shelbyville
>
> This trace is when the MySQL server is running:
> 14:33:45.886159 eth1 > herzegbol.mysql > shelbyville.2333: S
> 700834979:700834979(0) ack 2360059956 win 5792 <mss 1460,sackOK,timestamp 420171046 7876889,nop,wscale 0> (DF)
> 14:33:46.156126 eth1 > herzegbol.mysql > shelbyville.2311: S
> 703613196:703613196(0) ack 1969309172 win 5792 <mss 1460,sackOK,timestamp 420171073 7876916,nop,wscale 0> (DF)
> 14:33:47.010646 eth1 > herzegbol.mysql > shelbyville.2345: S
> 697677373:697677373(0) ack 2546308254 win 5792 <mss 1460,sackOK,timestamp 420171158 7877001,nop,wscale 0> (DF)
> 14:33:47.246107 eth1 > herzegbol.mysql > shelbyville.2304: S
> 705352284:705352284(0) ack 1841862906 win 5792 <mss 1460,sackOK,timestamp 420171182 7877025,nop,wscale 0> (DF)
>
> This trace is after I issue mysqladmin shutdown:
> 14:32:09.886091 eth1 > herzegbol.mysql > shelbyville.2333: R 0:0(0) ack
> 2360059956 win 0 (DF)
> 14:32:15.626067 eth1 > herzegbol.mysql > shelbyville.2334: R 0:0(0) ack
> 2356113189 win 0 (DF)
> 14:32:17.586063 eth1 > herzegbol.mysql > shelbyville.2308: R 0:0(0) ack
> 1867829359 win 0 (DF)
> 14:32:20.696068 eth1 > herzegbol.mysql > shelbyville.2321: R 0:0(0) ack
> 2130321013 win 0 (DF)
> 14:32:25.566094 eth1 > herzegbol.mysql > shelbyville.2324: R 0:0(0) ack
> 2251852705 win 0 (DF)
> 14:32:30.066104 eth1 > herzegbol.mysql > shelbyville.2325: R 0:0(0) ack
> 2264947201 win 0 (DF)
>
> The reason this is confusing to me is that the traffic originates on the
> mysql server "herzegbol" via the mysql port and the destination is the
> windows box on dozens of ports and there is no program or process on the
> windows machine that is connected to the database server.  As far as I can
> tell there is absolutely no reason for Herzegbol to talk to shelbyville, yet
> this traffic will pop up almost every day for a period of time and swamp my
> network.  I would like to identify the source and understand the cause.
>
> Regards,
> Gary "SuperID" Huntress
> ===
> FreeSQL.org offering free database hosting to developers
> Visit http://www.freesql.org



RE: Confused about network traffic on mysql port

2003-03-27 Thread GERST, MICHAEL (SBCSI)
Somebody got control of mysql, or you're rooted?

-Original Message-
From: Gary Huntress [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 27, 2003 1:29 PM
To: [EMAIL PROTECTED]
Subject: Confused about network traffic on mysql port

I have noticed on many occasions some extensive traffic on my internal
network that I cannot explain.   Below you will see two sets of tcpdump
traces.   I have a mysql server running on my internal host named
"herzegbol" and a windows 98 host named shelbyville

This trace is when the MySQL server is running:
14:33:45.886159 eth1 > herzegbol.mysql > shelbyville.2333: S
700834979:700834979(0) ack 2360059956 win 5792 <mss 1460,sackOK,timestamp 420171046 7876889,nop,wscale 0> (DF)
14:33:46.156126 eth1 > herzegbol.mysql > shelbyville.2311: S
703613196:703613196(0) ack 1969309172 win 5792 <mss 1460,sackOK,timestamp 420171073 7876916,nop,wscale 0> (DF)
14:33:47.010646 eth1 > herzegbol.mysql > shelbyville.2345: S
697677373:697677373(0) ack 2546308254 win 5792 <mss 1460,sackOK,timestamp 420171158 7877001,nop,wscale 0> (DF)
14:33:47.246107 eth1 > herzegbol.mysql > shelbyville.2304: S
705352284:705352284(0) ack 1841862906 win 5792 <mss 1460,sackOK,timestamp 420171182 7877025,nop,wscale 0> (DF)

This trace is after I issue mysqladmin shutdown:
14:32:09.886091 eth1 > herzegbol.mysql > shelbyville.2333: R 0:0(0) ack
2360059956 win 0 (DF)
14:32:15.626067 eth1 > herzegbol.mysql > shelbyville.2334: R 0:0(0) ack
2356113189 win 0 (DF)
14:32:17.586063 eth1 > herzegbol.mysql > shelbyville.2308: R 0:0(0) ack
1867829359 win 0 (DF)
14:32:20.696068 eth1 > herzegbol.mysql > shelbyville.2321: R 0:0(0) ack
2130321013 win 0 (DF)
14:32:25.566094 eth1 > herzegbol.mysql > shelbyville.2324: R 0:0(0) ack
2251852705 win 0 (DF)
14:32:30.066104 eth1 > herzegbol.mysql > shelbyville.2325: R 0:0(0) ack
2264947201 win 0 (DF)

The reason this is confusing to me is that the traffic originates on the
mysql server "herzegbol" via the mysql port and the destination is the
windows box on dozens of ports and there is no program or process on the
windows machine that is connected to the database server.  As far as I can
tell there is absolutely no reason for Herzegbol to talk to shelbyville, yet
this traffic will pop up almost every day for a period of time and swamp my
network.  I would like to identify the source and understand the cause.

Regards,
Gary "SuperID" Huntress
===
FreeSQL.org offering free database hosting to developers
Visit http://www.freesql.org








Re: Confused about network traffic on mysql port

2003-03-27 Thread Jeremy Zawodny
On Thu, Mar 27, 2003 at 02:28:37PM -0500, Gary Huntress wrote:
> I have noticed on many occasions some extensive traffic on my internal
> network that I cannot explain.   Below you will see two sets of tcpdump
> traces.   I have a mysql server running on my internal host named
> "herzegbol" and a windows 98 host named shelbyville

[snip]

> This trace is after I issue mysqladmin shutdown:
> 14:32:09.886091 eth1 > herzegbol.mysql > shelbyville.2333: R 0:0(0) ack
> 2360059956 win 0 (DF)
> 14:32:15.626067 eth1 > herzegbol.mysql > shelbyville.2334: R 0:0(0) ack
> 2356113189 win 0 (DF)
> 14:32:17.586063 eth1 > herzegbol.mysql > shelbyville.2308: R 0:0(0) ack
> 1867829359 win 0 (DF)
> 14:32:20.696068 eth1 > herzegbol.mysql > shelbyville.2321: R 0:0(0) ack
> 2130321013 win 0 (DF)
> 14:32:25.566094 eth1 > herzegbol.mysql > shelbyville.2324: R 0:0(0) ack
> 2251852705 win 0 (DF)
> 14:32:30.066104 eth1 > herzegbol.mysql > shelbyville.2325: R 0:0(0) ack
> 2264947201 win 0 (DF)
> 
> The reason this is confusing to me is that the traffic originates on
> the mysql server "herzegbol" via the mysql port and the destination
> is the windows box on dozens of ports and there is no program or
> process on the windows machine that is connected to the database
> server.  As far as I can tell there is absolutely no reason for
> Herzegbol to talk to shelbyville, yet this traffic will pop up
> almost every day for a period of time and swamp my network.  I would
> like to identify the source and understand the cause.

That's really odd.  Are you *sure* it actually shuts down?

Jeremy
-- 
Jeremy D. Zawodny |  Perl, Web, MySQL, Linux Magazine, Yahoo!
<[EMAIL PROTECTED]>  |  http://jeremy.zawodny.com/

MySQL 4.0.8: up 52 days, processed 1,799,891,638 queries (397/sec. avg)
