[hobbit] PORTs help?
Sean Hennessey
sean.hennessey1 at verizonbusiness.com
Wed Jul 12 15:54:06 CEST 2006
Kent,
I just wanted to point out that close_wait is a normal state for tcp
connections to be in. It is part of a passive close process. You can refer
to 18.5 of TCP/IP Illustrated Volume 1 by W.R. Stevens.
To quote:
"TCP provides the ability for one end of a connection to terminate its
output, while still receiving data from the other end. This is called a
half-close. Few applications take advantage of this capability, as we
mentioned earlier."
http://support.microsoft.com/kb/137984/
http://everything2.com/index.pl?node_id=1411928
This is an interesting read. Maybe your Java app isn't supposed to be doing
passive closing.
http://java.sun.com/j2se/1.5.0/docs/guide/net/articles/connection_release.html
Sean
-----Original Message-----
From: Brodie, Kent [mailto:brodie at mcw.edu]
Sent: Tuesday, July 11, 2006 5:37 PM
To: hobbit at hswn.dk
Subject: [hobbit] PORTs help?
Hi-- I'm wrestling with the PORTS option of a host, trying to watch
for a specific issue.
While I have successfully matched rule(s) for simple things like SSH
port(s) listening, I cannot seem to get a rule to match the following:
We have a stupid java server thing that keeps leaving ports in a
close_wait state. See example below.
What rule would I use for watching for these? I'm trying something
along the lines of:
HOST=starr.brc.mcw.edu
PORT "REMOTE=%*.8085" STATE=CLOSE_WAIT max=20 color=red TRACK=hung TEXT=hung
But it never matches. I've tried lots of variations.
Any help appreciated!! (goal: If I see more than "N" number of these
ports, I want to flag red)
Tue Jul 11 16:30:46 CDT 2006 - Ports NOT ok
hung (found 0, req. between 1 and 20) <== this is the rule that doesn't work..
ssh (found 7, req. 1 or more)
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -------
127.0.0.1.50447 127.0.0.1.6100 49152 0 49152 0 ESTABLISHED
127.0.0.1.6100 127.0.0.1.50447 49152 0 49152 0 ESTABLISHED
*.3003 *.* 0 0 49152 0 LISTEN
127.0.0.1.50448 127.0.0.1.6100 49152 0 49152 0 ESTABLISHED
127.0.0.1.6100 127.0.0.1.50448 49152 0 49152 0 ESTABLISHED
127.0.0.1.50449 127.0.0.1.6100 49152 0 49152 0 ESTABLISHED
127.0.0.1.6100 127.0.0.1.50449 49152 0 49152 0 ESTABLISHED
127.0.0.1.50457 127.0.0.1.6100 49152 0 49152 0 ESTABLISHED
127.0.0.1.6100 127.0.0.1.50457 49152 0 49152 0 ESTABLISHED
141.106.224.175.50533 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.51260 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.54844 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.55651 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.56483 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.57541 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.58667 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.37218 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.38052 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.39008 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.39872 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.40498 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.49005 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.49750 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.50382 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.51211 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.52210 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.59122 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.59721 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.60606 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.61293 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.61992 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.38432 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.39131 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.39752 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.40451 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.41008 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.50174 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.50782 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.51399 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.52041 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.52717 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.64337 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.64991 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.39232 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.39877 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.40560 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.41289 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.42002 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.49473 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.50084 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.50681 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.51227 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.51784 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.58596 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.59169 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.59728 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.60321 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.32820 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.33395 141.106.224.175.8085 49152 0 49152 0 CLOSE_WAIT
141.106.224.175.33956 141.106.224.175.8085 49152 0 49152 0
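
An added example, not part of the original messages and not Hobbit's own code: a Python script that counts CLOSE_WAIT sockets toward remote port 8085 in netstat output of the layout posted above and applies a maximum threshold. It assumes the text after `%` in the rule is treated as a regular expression (Python's `re` stands in for Hobbit's matcher); the sample rows, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample in the netstat layout from the post (documentation addresses).
SAMPLE = """\
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -------
127.0.0.1.50447 127.0.0.1.6100 49152 0 49152 0 ESTABLISHED
*.3003 *.* 0 0 49152 0 LISTEN
192.0.2.10.50533 192.0.2.10.8085 49152 0 49152 0 CLOSE_WAIT
192.0.2.10.51260 192.0.2.10.8085 49152 0 49152 0 CLOSE_WAIT
192.0.2.10.54844 192.0.2.10.8085 49152 0 49152 0 CLOSE_WAIT
192.0.2.10.55651 192.0.2.10.80850 49152 0 49152 0 CLOSE_WAIT
192.0.2.10.8085 192.0.2.10.54844 49152 0 49152 0 FIN_WAIT_2
192.0.2.10.33956 192.0.2.10.8085 49152 0 49152 0
"""


def parse_rows(text):
    """Yield (local, remote, state); skip headers, rulers and truncated rows."""
    for line in text.splitlines():
        fields = line.split()
        # A data row has exactly 7 columns and a numeric Swind column.
        if len(fields) == 7 and fields[2].isdigit():
            yield fields[0], fields[1], fields[6]


def is_valid_regex(pattern):
    """True if the pattern compiles as a regular expression."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def count_matching(text, remote_regex, state):
    """Count rows in the given state whose remote address matches the regex."""
    remote = re.compile(remote_regex)
    return sum(1 for _, r, s in parse_rows(text) if s == state and remote.search(r))


def check(text, remote_regex, state, max_allowed):
    """Return (color, found): red once the count exceeds max_allowed."""
    found = count_matching(text, remote_regex, state)
    return ("red" if found > max_allowed else "green", found)


if __name__ == "__main__":
    print(is_valid_regex("*.8085"))
    print(check(SAMPLE, r"[.]8085$", "CLOSE_WAIT", 2))
```

Under that assumption, the glob-style `*.8085` does not compile as a regular expression, while `[.]8085$` matches the remote column of the CLOSE_WAIT rows and excludes look-alike ports such as 80850.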