How to Trace "TCP Receive Error"

Dave Knight dave at knig.ht
Sun Jan 6 16:48:13 UTC 2008


On 6-Jan-08, at 11:05 AM, Barry Finkel wrote:

> I am seeing lots of messages like this one from BIND-9.4.1-P1:
>
>     [ID 873579 daemon.info] dispatch b090ef8:
>       shutting down due to TCP receive error: 69.59.189.68#53:
>       connection reset
>
> I tried a Solaris snoop trace of all traffic between the DNS server
> (which has three IP addresses) to the IP address in the message:
>
>      snoop -v -s3000 -o /tmp/snoop.trace 69.59.189.68


Snoop will listen to the first non-loopback interface it finds; I
would guess in this case it has picked the wrong one.

You can list the available interfaces with:

	netstat -i

Then instruct snoop to listen on the correct one with:

	-d <interface>

Furthermore, snoop defaults to capturing whole packets, so your
setting snaplen with -s is probably redundant. If for some reason it's
required, you shouldn't need to set it higher than the MTU of the
interface on which you are capturing traffic. You'll see that in the
output of the above netstat command.


> but I did not get any packets captured.  I ran the trace for one hour,
> and after not capturing anything, I looked in /var/adm/messages.
> There were about 300 such messages logged.  What snoop trace parameters
> do I have to specify to trace this activity?  I am assuming (maybe
> incorrectly) that snoop is tracing activity on all three IP addresses.
> I have BIND query logging on, and I do not see this address in the
> query.log file.  Thanks.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 222, Room D209              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994
>
>
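The interface selection described in the reply above, as an added example that is not part of the original message: it reads `netstat -i` output and prints one `snoop -d` command per non-loopback interface, so no interface carrying the resets is missed. The sample `netstat -i` text, the interface names and the per-interface output file names are constructed assumptions; the peer address is the one from the log message.

```shell
#!/bin/sh
# Added example: turn `netstat -i` output into one snoop command per
# non-loopback interface. PEER is the address from the log message above.
PEER=69.59.189.68

# Constructed sample of Solaris `netstat -i` output (interface names, MTUs
# and counters are made up); on a live host pipe `netstat -i` in instead.
sample_netstat() {
cat <<'EOF'
Name  Mtu  Net/Dest      Address        Ipkts    Ierrs Opkts    Oerrs Collis Queue
lo0   8232 loopback      localhost      52311    0     52311    0     0      0
bge0  1500 ns1           ns1            9912044  0     8840112  0     0      0
bge1  1500 ns1-mgmt      ns1-mgmt       120933   0     98012    0     0      0

Name  Mtu  Net/Dest                    Address                     Ipkts  Ierrs Opkts  Oerrs Collis
lo0   8252 localhost                   localhost                   12     0     12     0     0
bge0  1500 ns1-v6                      ns1-v6                      4410   0     3911   0     0
EOF
}

# Read netstat -i text on stdin; print "<interface> <mtu>" once per
# non-loopback interface, skipping header and blank lines.
capture_interfaces() {
    awk 'NF >= 2 && $1 != "Name" && $1 !~ /^lo[0-9]/ && !seen[$1]++ { print $1, $2 }'
}

# Print a snoop command per interface. No -s is passed: snoop captures
# whole packets by default, so the MTU is shown only as a comment.
snoop_commands() {
    capture_interfaces | while read -r ifc mtu; do
        echo "snoop -d $ifc -o /tmp/snoop.$ifc.trace $PEER   # mtu $mtu"
    done
}

sample_netstat | snoop_commands
```

On a live host, replace `sample_netstat` with `netstat -i` in the last line.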



More information about the bind-users mailing list