HPE Community
Operating System - HP-UX
1827838 Members
1349 Online
109969 Solutions
New Discussion

gethostbyaddr errors in syslog

 
SOLVED
Go to solution
Dave Johnson_1
Super Advisor

‎10-22-2007 07:15 AM

‎10-22-2007 07:15 AM

gethostbyaddr errors in syslog

I have 6 HP-UX servers running 11.11 on PA-RISC. Four of them are logging several errors per day in syslog like the following:
Oct 21 14:35:55 uxsvrdv2 syslog: gethostbyaddr: !=
Oct 21 17:13:47 uxsvrdv2 syslog: gethostbyaddr: !=
Oct 21 21:30:17 uxsvrdv2 syslog: gethostbyaddr: !=
Oct 22 02:06:30 uxsvrdv2 syslog: gethostbyaddr: !=
I have checked and I get several different answers from nslookup even though it is always getting is answer from one specific Windows DNS server. I have the network guys looking into that problem.
What I want to know is what program is causing these errors. One of the servers should only have me and the DBA poking at, yet these end user workstation IP addresses are showing up.
Is there some way I can trak all accesses to a server by IP address?
0 Kudos
14 REPLIES 14
Fabian Briseño
Esteemed Contributor

‎10-22-2007 07:45 AM

‎10-22-2007 07:45 AM

Re: gethostbyaddr errors in syslog

Hello Dave.

Check these threads.


http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1067252


http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1108887


hope they help
Knowledge is power.
0 Kudos
Hasan Atasoy
Honored Contributor

‎10-22-2007 08:00 AM

‎10-22-2007 08:00 AM

Re: gethostbyaddr errors in syslog

hi;

some off your client registered to dns with some ip and these clients ( mostly notebooks ) connect to you hp-ux server with another ip . perhaps second ip got from dhcp.

you should check your dns records.

mathmad.
0 Kudos
Dave Johnson_1
Super Advisor

‎10-22-2007 08:09 AM

‎10-22-2007 08:09 AM

Re: gethostbyaddr errors in syslog

The DNS issue is being addressed by the people that own the DNS systems.
What I want to know is what program is trying do get these host names?
As I said in the original post is, there are client PCs connecting to a server that they have no business connecting to, let alone should even know the name of. How do I track that traffic back to a root cause?
0 Kudos
Rob Leadbeater
Honored Contributor

‎10-22-2007 09:16 AM

‎10-22-2007 09:16 AM

Re: gethostbyaddr errors in syslog

Hi Dave,

You should be able to see what hosts are connecting to your server at a particular time, by looking at the output of "netstat -an" The n will show you the actual IP addresses rather than names, to get round any DNS problems you might be having.

It's not clear from the error message you posted, whether the numbers 84 and 110 are the port numbers the client is connecting to. If so, the latter is POP3...

Hope this helps,

Regards,

Rob
0 Kudos
Dave Johnson_1
Super Advisor

‎10-22-2007 09:21 AM

‎10-22-2007 09:21 AM

Re: gethostbyaddr errors in syslog

The 110 and 84 refer to the last octet in the ip address. The 06 and 19 refer to 2 characters in the host name we use here.
Trying to run netstat and "catch" when the gethostbyaddr error occurs, will be a challenge.

Thanks for trying,
-Dave
0 Kudos
Rob Leadbeater
Honored Contributor

‎10-22-2007 09:33 AM

‎10-22-2007 09:33 AM

Re: gethostbyaddr errors in syslog

It was worth a try !

I suppose you could try capturing the netstat output to a file, every minute or so...

TCP/IP connections normally stay active for a period after the initial connection, so you might get lucky in finding the culprit.

Cheers,

Rob
0 Kudos
Patrick Wallek
Honored Contributor

‎10-22-2007 09:43 AM

‎10-22-2007 09:43 AM

Re: gethostbyaddr errors in syslog

You may be better off trying to capture the network traffic going to your server.

This could be done on your HP-UX machine via nettl. The nettl trace can be saved to a file and then later analyzed by a program like Wireshark (formerly Ethereal).

If you have an external network sniffer, this could also do the job.

In both cases you should be able to restrict the captured packets to the IP addresses you are interested in so that you don't get a huge trace file.
0 Kudos
Dave Johnson_1
Super Advisor

‎10-22-2007 09:52 AM

‎10-22-2007 09:52 AM

Re: gethostbyaddr errors in syslog

I must be very tired. I completly forgot about Ethereal. I have used that in the past. I still will need to run it for a while until the error happens to trip. Then the fun will start.
0 Kudos
Rob Leadbeater
Honored Contributor

‎10-22-2007 10:01 AM

‎10-22-2007 10:01 AM

Re: gethostbyaddr errors in syslog

Another possibly simpler solution is tcpdump...

Cheers,
Rob
0 Kudos
Dave Johnson_1
Super Advisor

‎10-22-2007 10:05 AM

‎10-22-2007 10:05 AM

Re: gethostbyaddr errors in syslog

Rob
I do not have tcpdump. Where do I get it?
0 Kudos
James R. Ferguson
Acclaimed Contributor

‎10-22-2007 10:11 AM

‎10-22-2007 10:11 AM

Solution

Re: gethostbyaddr errors in syslog

Hi Dave:

> I do not have tcpdump. Where do I get it?

You can get 'tcpdump' from the HP-UX Porting Center:

http://hpux.connect.org.uk/

Regards!

...JRF...

0 Kudos
rick jones
Honored Contributor

‎10-22-2007 12:18 PM

‎10-22-2007 12:18 PM

Re: gethostbyaddr errors in syslog

When in doubt, sniff packets. However, ipfilter may have a logging mechanism you can use instead if you prefer.

Anyhow, in addition to the porting archives, there is a tcpdump in the HP Internet Express bits, and I've often been able to compile the latest and greatest libpcap and tcpdump from www.tcpdump.org, using the HP ANSI C compiler.

To keep the packet traces small, you might use a tcpdump filter expression to only capture those packets which are TCP segments with the SYNchronize bit set in the header. I believe the tcpdump manpage has an example you can leverage.

When you take the packet traces, you may find those PC's attempting to access more than just the one service logging those messages... could be something like nmap, could be the PC's have been compromised, could be any number of things.
there is no rest for the wicked yet the virtuous have no pillows
0 Kudos
whiteknight
Honored Contributor

‎10-22-2007 06:05 PM

‎10-22-2007 06:05 PM

Re: gethostbyaddr errors in syslog

Dave,

This error indicated missing dns db records
Or missing A records in DNS database


WK
Problem never ends, you must know how to fix it
0 Kudos
Dave Johnson_1
Super Advisor

‎10-23-2007 03:04 AM

‎10-23-2007 03:04 AM

Re: gethostbyaddr errors in syslog

Thank you to everyone for all the suggestions. I will be trying tcpdump and ethereal to monitor the traffic and see if I can figure out what is going on.

Later,
-Dave
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.