[hobbit] PORTs help?

Brodie, Kent brodie at mcw.edu
Wed Jul 12 16:13:41 CEST 2006


Hmm!  Based on the server and how I know it's used, there really
shouldn't be 900+ close-Wait processes out there....  :-)

---------------------------------------------------------
Kent C. Brodie - brodie at phys.mcw.edu
Department of Physiology
Medical College of Wisconsin
(414) 456-8590
-----Original Message-----
From: Sean Hennessey [mailto:sean.hennessey1 at verizonbusiness.com] 
Sent: Wednesday, July 12, 2006 8:54 AM
To: hobbit at hswn.dk
Subject: RE: [hobbit] PORTs help?

Kent,

I just wanted to point out that close_wait is a normal state for tcp
connections to be in. It is part of a passive close process. You can refer
to 18.5 of TCP/IP Illustrated Volume 1 by W.R. Stevens.

To quote:

"TCP provides the ability for one end of a connection to terminate its
output, while still receiving data from the other end. This is called a
half-close. Few applications take advantage of this capability, as we
mentioned earlier."

http://support.microsoft.com/kb/137984/
http://everything2.com/index.pl?node_id=1411928

This is an interesting read. Maybe your java app isn't supposed to be
doing passive closing.
http://java.sun.com/j2se/1.5.0/docs/guide/net/articles/connection_release.html

Sean

-----Original Message-----
From: Brodie, Kent [mailto:brodie at mcw.edu] 
Sent: Tuesday, July 11, 2006 5:37 PM
To: hobbit at hswn.dk
Subject: [hobbit] PORTs help?

Hi--    I'm wrestling with the PORTS option of a host, trying to watch
for a specific issue.

While I have successfully matched rule(s) for simple things like SSH
port(s) listening, I cannot seem to get a rule to match the following:

We have a stupid java server thing that keeps leaving ports in a
close_wait state.   See example below.  

What rule would I use for watching for these?   I'm trying something
along the lines of:

HOST=starr.brc.mcw.edu
        PORT "REMOTE=%*.8085" STATE=CLOSE_WAIT max=20 color=red TRACK=hung TEXT=hung

But it never matches.   I've tried lots of variations.     

Any help appreciated!!  (goal:  If I see more than "N" number of these
ports, I want to flag red)



Tue Jul 11 16:30:46 CDT 2006 - Ports NOT ok
 hung (found 0, req. between 1 and 20)		<== this is the rule that doesn't work..

 ssh (found 7, req. 1 or more)

   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -------
127.0.0.1.50447      127.0.0.1.6100       49152      0 49152      0 ESTABLISHED
127.0.0.1.6100       127.0.0.1.50447      49152      0 49152      0 ESTABLISHED
      *.3003               *.*                0      0 49152      0 LISTEN
127.0.0.1.50448      127.0.0.1.6100       49152      0 49152      0 ESTABLISHED
127.0.0.1.6100       127.0.0.1.50448      49152      0 49152      0 ESTABLISHED
127.0.0.1.50449      127.0.0.1.6100       49152      0 49152      0 ESTABLISHED
127.0.0.1.6100       127.0.0.1.50449      49152      0 49152      0 ESTABLISHED
127.0.0.1.50457      127.0.0.1.6100       49152      0 49152      0 ESTABLISHED
127.0.0.1.6100       127.0.0.1.50457      49152      0 49152      0 ESTABLISHED
141.106.224.175.50533 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.51260 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.54844 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.55651 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.56483 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.57541 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.58667 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.37218 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.38052 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39008 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39872 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.40498 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.49005 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.49750 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.50382 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.51211 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.52210 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.59122 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.59721 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.60606 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.61293 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.61992 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.38432 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39131 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39752 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.40451 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.41008 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.50174 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.50782 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.51399 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.52041 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.52717 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.64337 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.64991 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39232 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.39877 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.40560 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.41289 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.42002 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.49473 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.50084 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.50681 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.51227 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.51784 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.58596 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.59169 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.59728 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.60321 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.32820 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.33395 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.33956 141.106.224.175.8085 49152      0 49152      0 

To unsubscribe from the hobbit list, send an e-mail to
hobbit-unsubscribe at hswn.dk
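
The check discussed in this thread (count CLOSE_WAIT connections to remote port 8085 and go red outside a min/max window), as an added example that is not part of the original messages and is not Hobbit's own code. Assumptions: Python's `re` stands in for whatever regular-expression engine evaluates the text after `%` in `REMOTE=`, all function names are hypothetical, and the sample rows are constructed in the layout of the quoted output.

```python
import re

# Constructed sample in the column layout quoted in the thread; the second
# CLOSE_WAIT row has its state wrapped onto the next line, as in the e-mail.
SAMPLE = """\
127.0.0.1.50447      127.0.0.1.6100       49152      0 49152      0 ESTABLISHED
      *.3003               *.*                0      0 49152      0 LISTEN
141.106.224.175.50533 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
141.106.224.175.51260 141.106.224.175.8085 49152      0 49152      0
CLOSE_WAIT
141.106.224.175.54844 141.106.224.175.8085 49152      0 49152      0 CLOSE_WAIT
"""
STATE_WORD = re.compile(r"^[A-Z][A-Z0-9_]+$")

def parse(text):
    """Yield (local, remote, state), rejoining a state wrapped to its own line."""
    pending = None
    for line in text.splitlines():
        f = line.split()
        if pending and len(f) == 1 and STATE_WORD.match(f[0]):
            yield pending + (f[0],)
        elif len(f) == 7:
            yield f[0], f[1], f[6]
        # A 6-field row is waiting for its state; anything else clears it.
        pending = (f[0], f[1]) if len(f) == 6 else None

def is_valid_regex(pattern):
    """True if the pattern compiles; a leading '*' has nothing to repeat."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def count_ports(text, remote_regex, state):
    """Count rows in the given state whose remote address matches the regex."""
    rx = re.compile(remote_regex)
    return sum(1 for _, remote, st in parse(text)
               if st == state and rx.search(remote))

def colour(found, minimum, maximum):
    """Red when the count falls outside [minimum, maximum], as in 'req. between'."""
    return "green" if minimum <= found <= maximum else "red"

if __name__ == "__main__":
    print(is_valid_regex("*.8085"))            # the pattern text from the rule
    found = count_ports(SAMPLE, r"\.8085$", "CLOSE_WAIT")
    print(found, colour(found, 0, 20), colour(0, 1, 20))
```

With a lower bound of 1, as in the "req. between 1 and 20" status line, a count of zero is itself out of range; a lower bound of 0 is what expresses "red only above N".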




