Last week I had a port (TCP:52557) that was mysteriously unavailable on
my ubuntu machine (running kernel 2.6.15-27-k7 #1 SMP PREEMPT). If you
tried to bind to it, it was unavailable. However, nmap (both to
localhost and from an external host) reported the port closed. fuser,
lsof, and netstat had no record of the port being used. Our firewall
logs didn't show any unusual traffic to the machine. Nor did they show
any traffic at all to/from that port on the machine. After checking
everything I could think of, I rebooted it, and there were no ports that
were unavailable in this way when it came back up. This morning another
hung port has appeared (TCP:43355). My best guess is that this is an
ephemeral port that has somehow gotten hung in the kernel somewhere.
Has anyone seen anything like this and/or is there anything else I could
look at to figure it out?
--
Lawrence MacIntyre 865.574.8696 [email protected]
Oak Ridge National Laboratory
Cyber Security and Information Infrastructure Research Group
Protect your digital freedom and privacy, eliminate DRM.
Learn more at http://www.defectivebydesign.org/what_is_drm
>Last week I had a port (TCP:52557) that was mysteriously unavailable on
>my ubuntu machine (running kernel 2.6.15-27-k7 #1 SMP PREEMPT). If you
>tried to bind to it, it was unavailable. However, nmap (both to
>localhost and from an external host) reported the port closed. fuser,
>lsof, and netstat had no record of the port being used.
Did your application forgot to set SO_REUSEADDR?
> Our firewall
>logs didn't show any unusual traffic to the machine. Nor did they show
>any traffic at all to/from that port on the machine. After checking
>everything I could think of, I rebooted it, and there were no ports that
>were unavailable in this way when it came back up. This morning another
>hung port has appeared (TCP:43355). My best guess is that this is an
>ephemeral port that has somehow gotten hung in the kernel somewhere.
>Has anyone seen anything like this and/or is there anything else I could
>look at to figure it out?
-`J'
--
If that was the case, would the port not show up in TIME_WAIT state?
Also, the kernel should only hold a closed socket in TIME_WAIT state for
2 minutes or so. These hung ports stay around until the machine is
rebooted.
This one time, at band camp, Jan Engelhardt wrote:
>> Last week I had a port (TCP:52557) that was mysteriously unavailable on
>> my ubuntu machine (running kernel 2.6.15-27-k7 #1 SMP PREEMPT). If you
>> tried to bind to it, it was unavailable. However, nmap (both to
>> localhost and from an external host) reported the port closed. fuser,
>> lsof, and netstat had no record of the port being used.
>
> Did your application forgot to set SO_REUSEADDR?
>
>> Our firewall
>> logs didn't show any unusual traffic to the machine. Nor did they show
>> any traffic at all to/from that port on the machine. After checking
>> everything I could think of, I rebooted it, and there were no ports that
>> were unavailable in this way when it came back up. This morning another
>> hung port has appeared (TCP:43355). My best guess is that this is an
>> ephemeral port that has somehow gotten hung in the kernel somewhere.
>> Has anyone seen anything like this and/or is there anything else I could
>> look at to figure it out?
>
> -`J'
--
Lawrence MacIntyre 865.574.8696 [email protected]
Oak Ridge National Laboratory
Cyber Security and Information Infrastructure Research Group
Protect your digital freedom and privacy, eliminate DRM.
Learn more at http://www.defectivebydesign.org/what_is_drm