How to Trace "TCP Receive Error"

Dave Knight dave at knig.ht
Mon Jan 7 03:27:10 UTC 2008


On 6-Jan-08, at 9:58 PM, Barry Finkel wrote:

> On 6-Jan-08, at 11:05 AM, Barry Finkel wrote:
>
>>> I am seeing lots of messages like this one from BIND-9.4.1-P1:
>>>
>>>    [ID 873579 daemon.info] dispatch b090ef8:
>>>      shutting down due to TCP receive error: 69.59.189.68#53:
>>>      connection reset
>>>
>>> I tried a Solaris snoop trace of all traffic between the DNS server
>>> (which has three IP addresses) to the IP address in the message:
>>>
>>>     snoop -v -s3000 -o /tmp/snoop.trace 69.59.189.68
>>>
>>> but I did not get any packets captured.  I ran the trace for one hour,
>>> and after not capturing anything, I looked in /var/adm/messages.
>>> There were about 300 such messages logged.  What snoop trace parameters
>>> do I have to specify to trace this activity?  I am assuming (maybe
>>> incorrectly) that snoop is tracing activity on all three IP addresses.
>>> I have BIND query logging on, and I do not see this address in the
>>> query.log file.  Thanks.
>
>
> and Dave Knight <dave at knig.ht> replied:
>
>> Snoop will listen to the first non-loopback interface it finds, I
>> would guess in this case it has picked the wrong one.
>>
>> You can list the available interfaces with:
>>
>> 	netstat -i
>>
>> Then instruct snoop to listen on the correct one with:
>>
>> 	-d <interface>
>
> I do not understand your reply.  The DNS server has three IP addresses,
> and ALL THREE are advertised and in use.  So, there is no "correct" one.
>
> oberon% netstat -i
> Name  Mtu  Net/Dest           Address        Ipkts      Ierrs Opkts      Oerrs Collis Queue
> lo0   8232 loopback           localhost      465553     0     465553     0     0      0
> bge0  1500 oberon.it.anl.gov  oberon         5358043    0     1668993    0     0      0
> bge1  1500 dns2.anl.gov       dns2.anl.gov   340299637  0     154842     0     0      0
> bge2  1500 dns2.anl.gov       dns2.anl.gov   286178523  0     689428381  0     0      0
>
> oberon%
>
> and I have no idea what interface is being used for these queries.
> The DNS server is an internal server for our anl.gov clients.  It
> is inaccessible for internet queries (but it will accept response
> packets), so the queries that are triggering these messages must be
> from one or more internal machines here.

# man snoop

[..]

      -d device

          Receive packets from the  network  using  the  interface
          specified by device, for example, eri0 or hme0. The pro-
          gram netstat(1M), when invoked with the -i  flag,  lists
          all  the  interfaces that a machine has. Normally, snoop
          will automatically choose the first non-loopback  inter-
          face it finds.


snoop can only capture packets on one interface at a time, so if you
are unsure which interface the packets you are looking for are going
to arrive on you might try running one for each possible interface
concurrently:

# snoop -v -s 1500 -o /tmp/snoop.bge0.trace -d bge0 host 69.59.189.68 &
# snoop -v -s 1500 -o /tmp/snoop.bge1.trace -d bge1 host 69.59.189.68 &
# snoop -v -s 1500 -o /tmp/snoop.bge2.trace -d bge2 host 69.59.189.68 &

which will capture traffic on all Ethernet interfaces.
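The per-interface approach above, scripted so it does not depend on typing the interface names by hand. This is an added example, not code from the original thread: it takes the interface list from the Solaris `netstat -i` output (a constructed copy of the table quoted above is embedded for offline use), starts one `snoop` per non-loopback interface in the background, and stops them all after a fixed number of seconds. It assumes Solaris `snoop` and `netstat`, root privileges, and that the output directory exists.

```shell
#!/bin/sh
# Added example (not from the original post): one snoop capture per
# non-loopback interface, since snoop listens on a single device at a time.

# Constructed sample of `netstat -i` output in the Solaris layout shown
# in the thread; used only for offline testing of the parser.
SAMPLE_NETSTAT='Name  Mtu  Net/Dest      Address        Ipkts  Ierrs Opkts  Oerrs Collis Queue
lo0   8232 loopback      localhost      465553 0     465553 0     0      0
bge0  1500 oberon.it.anl.gov oberon     5358043 0    1668993 0     0      0
bge1  1500 dns2.anl.gov  dns2.anl.gov   340299637 0  154842 0     0      0
bge2  1500 dns2.anl.gov  dns2.anl.gov   286178523 0  689428381 0   0      0'

# Read `netstat -i` text on stdin and print each non-loopback interface
# name once, skipping the header row and any duplicate rows.
capture_ifaces() {
    awk 'NR > 1 && $1 !~ /^lo[0-9]/ && !seen[$1]++ { print $1 }'
}

# Build the snoop command line for one interface, using the same flags as
# the reply above.  $1 = interface, $2 = peer IP, $3 = output directory
snoop_cmd() {
    printf 'snoop -v -s 1500 -o %s/snoop.%s.trace -d %s host %s' \
        "$3" "$1" "$1" "$2"
}

# Start one capture per interface in the background, let them run for
# $2 seconds, then terminate them so the trace files are closed cleanly.
# $1 = peer IP, $2 = seconds to capture, $3 = output directory
capture_all() {
    peer=$1; secs=$2; dir=$3; pids=""
    for ifc in $(netstat -i | capture_ifaces); do
        sh -c "$(snoop_cmd "$ifc" "$peer" "$dir")" &
        pids="$pids $!"
    done
    sleep "$secs"
    kill $pids 2>/dev/null
    wait
}

# Usage on the live system (root):  capture_all 69.59.189.68 3600 /tmp
```

Afterwards, whichever `/tmp/snoop.<iface>.trace` file is non-empty tells you which interface the peer's traffic arrives on; `snoop -i` on that file replays it.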




>
> On the DNS server I did an "rndc dumpdb", and these records appear in
> the database dump:
>
>     ; glue
>     support-intelligence.NET. 134497 NS     dns-eu1.powerdns.net.
> 			     134497  NS      dns-eu2.powerdns.net.
>     ; authauthority
>     a.support-intelligence.NET. 1775 \-AAAA ;-$NXRRSET
>     ; glue
> 			     1891    A       69.59.189.68
>     ; authauthority
>     b.support-intelligence.NET. 1775 \-AAAA ;-$NXRRSET
>     ; glue
> 			     1891    A       69.59.189.68
>     ; glue
>     dob.sibl.support-intelligence.NET. 1891 NS a.support-intelligence.net.
>                              1891    NS      b.support-intelligence.net.
>     ; glue
>
>     ;
>     ; Unassociated entries
>     ;
>     ;       69.59.189.68 [srtt 374780] [flags 00000000] [ttl 1773]
>
> I assume that the comment lines come before the data line(s).
> The queries seem to be associated somehow with the domain
>
>     support-intelligence.net
>
> A check of our BIND query log shows lots of queries from one of our
> mail machines; here is one query.
>
>     06-Jan-2008 17:38:01.101 queries: info:
>       client 146.137.96.51#41548: query:
>       achilles.ctd.anl.gov.dob.sibl.support-intelligence.net IN A +
>
> I do not have access to that mail machine, so I am copying the
> administrators of that machine, who might be able to tell me why these
> queries are happening.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 222, Room D209              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994
>
>
