Hi,

Yes, you are correct in that I am running a web server. I just caught the machine acting up again and this is what "netstat -tpn" gives me:

newdelli 69: netstat -tpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address             State       PID/Program name
tcp        0      0 192.168.1.41:46541      85.17.35.51:80              ESTABLISHED 3075/firefox-bin
tcp        0 129720 192.168.1.41:8080       65.218.208.2:54343          ESTABLISHED -
tcp        0  37856 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49754  ESTABLISHED -
tcp        0  25688 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49752  ESTABLISHED -
tcp        0  31096 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49758  ESTABLISHED -
tcp        0  14872 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49756  ESTABLISHED -
tcp        0  27040 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49746  ESTABLISHED -
tcp        0  35152 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49744  ESTABLISHED -
tcp        0  20280 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49750  ESTABLISHED -
tcp        0    784 ::ffff:192.168.1.41:22  ::ffff:65.218.208.2:21290   ESTABLISHED -
tcp        0  17576 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49768  ESTABLISHED -
tcp        0  24336 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49762  ESTABLISHED -
tcp        0  18928 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49760  ESTABLISHED -
tcp        0  27040 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49766  ESTABLISHED -
tcp        0  22984 ::ffff:192.168.1.41:80  ::ffff:76.67.226.234:49764  ESTABLISHED -
tcp        0      0 ::ffff:192.168.1.41:80  ::ffff:212.200.38.150:3112  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80  ::ffff:212.200.38.150:3107  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80  ::ffff:212.200.38.150:3097  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80  ::ffff:212.200.38.150:3102  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80  ::ffff:212.200.38.150:3088  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80  ::ffff:212.200.38.150:3093  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80  ::ffff:212.200.38.150:3082  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80  ::ffff:212.200.38.150:3073  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80  ::ffff:212.200.38.150:3078  TIME_WAIT   -

The only program listed is firefox, which I know is running on the machine at the moment. The rest doesn't show any program. Does this mean those connections were initiated from outside of the box? If that's the case, then I need to find what these outside machines are getting to and block it somehow. As pointed out above, the port through which the connections are made is 80. I don't know what I would do to eliminate this since I need port 80 for my web server to function.

The IP addresses causing the problem have again changed.

Any more ideas?

Thanks!
John

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Miner, Jonathan W (US SSA)
Sent: Wednesday, June 24, 2009 12:35 PM
To: General Red Hat Linux discussion list
Subject: RE: Identifying and Stopping Unwanted Net Traffic

Add the -p option to netstat, and you'll see the program name. Since your source port is "80", it sounds like you're running a webserver. If you're not running a webserver... then something else is on that port!

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx on behalf of Krautkramer, John
Sent: Wed 6/24/2009 1:38 PM
To: redhat-list@xxxxxxxxxx
Cc:
Subject: Identifying and Stopping Unwanted Net Traffic

Hi,

I have a machine running RHEL5.0 that is clogging up my network connection sporadically. Below is the output of "netstat -tn" while the machine is acting up.

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address             State
tcp        0      1 192.168.1.41:55200      66.102.7.100:80             FIN_WAIT1
tcp        0      1 192.168.1.41:35291      66.102.7.101:80             FIN_WAIT1
tcp        0      0 192.168.1.41:46541      85.17.35.51:80              ESTABLISHED
tcp        0      1 192.168.1.41:42623      66.102.7.100:80             FIN_WAIT1
tcp        0      0 192.168.1.41:55673      66.102.7.97:443             ESTABLISHED
tcp        0  96876 ::ffff:192.168.1.41:80  ::ffff:211.125.38.105:55594 ESTABLISHED
tcp        0 116532 ::ffff:192.168.1.41:80  ::ffff:211.125.38.105:55628 ESTABLISHED

I believe it's the last 2 entries that are the problem. How do I determine what these are and what on the system is generating the traffic? I've also observed the Foreign Address is not always the same. Today the problem addresses are different.

I know the solution is to find what is causing the traffic if I can, but in the meantime, is there a way to block the traffic? I tried blocking it at the DNS server with OpenDNS but they don't accept the IPv6 addresses.

Any ideas would be greatly appreciated!

John

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=subscribe
https://www.redhat.com/mailman/listinfo/redhat-list
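
Added example, not part of the original thread: a shell function that groups `netstat -tn` rows by remote host for connections whose local port is a given service port (clients connected to the local server) and totals their Send-Q, stripping the `::ffff:` prefix that marks an IPv4-mapped address on a dual-stack socket. The sample rows and their documentation-range addresses are constructed, and `sample_netstat` and `summarize_inbound` are hypothetical names.

```shell
#!/bin/sh
# Added example: per-remote-host summary of inbound TCP connections.

# Constructed sample in `netstat -tn` layout (documentation-range addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address             State
tcp        0      0 192.168.1.41:46541      198.51.100.20:80            ESTABLISHED
tcp        0  37856 ::ffff:192.168.1.41:80  ::ffff:203.0.113.7:49754    ESTABLISHED
tcp        0  25688 ::ffff:192.168.1.41:80  ::ffff:203.0.113.7:49752    ESTABLISHED
tcp        0    784 ::ffff:192.168.1.41:22  ::ffff:198.51.100.9:21290   ESTABLISHED
tcp        0      0 ::ffff:192.168.1.41:80  ::ffff:198.51.100.9:3112    TIME_WAIT
EOF
}

# summarize_inbound PORT: read netstat output on stdin and print
# "remote_host connections total_send_q" for rows whose LOCAL port is PORT,
# largest Send-Q total first. PORT defaults to 80.
summarize_inbound() {
    awk -v port="${1:-80}" '
    $1 ~ /^tcp/ && NF >= 6 {
        laddr = $4; raddr = $5
        lport = laddr; sub(/^.*:/, "", lport)   # text after the last colon
        if (lport + 0 != port + 0) next         # not the service port asked for
        sub(/:[0-9]+$/, "", raddr)              # drop the remote port
        sub(/^::ffff:/, "", raddr)              # IPv4-mapped -> plain IPv4
        conns[raddr]++
        sendq[raddr] += $3
    }
    END {
        for (r in conns) printf "%s %d %d\n", r, conns[r], sendq[r]
    }' | sort -k3,3nr -k1,1
}

# Stand-alone run on the constructed sample.
sample_netstat | summarize_inbound 80
```

On a live host the same function reads real output, for example `netstat -tn | summarize_inbound 80`; the remote hosts it lists can then be matched against the web server's access log to see what each one is requesting.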