
Re: Internet Usage

 
Nobody's Hero
Valued Contributor

Internet Usage

My network team advised me that 6 or 8 of my Unix servers are showing over 100 hours of internet usage within the past month. All my servers are Oracle and PeopleSoft servers with no web servers running. The only thing I can think of is ISEE running constantly across the net. Any ideas on how I can look into the UNIX box to see what is talking to the net?
UNIX IS GOOD
8 REPLIES 8
Brian Bergstrand
Honored Contributor

Re: Internet Usage

Assuming you are looking for web traffic only.

You could have a cron job that logs the output of `netstat -a | grep 80` to a file somewhere.

This will catch any port 80, or 8080 accesses (outgoing or incoming), but may also catch non-web traffic.

HTH.
Nobody's Hero
Valued Contributor

Re: Internet Usage

netstat -a | grep -i 80 gives me this:

what is pwgr ?

910
6b08da00 dgram 0 0 7a512800 0 0 0 /var/spool/sockets/pwgr/client23987
6acee400 dgram 0 0 70f96800 0 0 0 /var/spool/sockets/pwgr/client16767
7128e800 stream 0 0 80432000 0 0 0 /opt/hpservices/adm/.serverSocket
6ad2e800 dgram 0 0 708fd000 0 0 0 /var/spool/sockets/pwgr/client16779
6bbbea00 dgram 0 0 726c7800 0 0 0 /var/spool/sockets/pwgr/client16751
6295ec00 dgram 0 0 8c287800 0 0 0 /var/spool/sockets/pwgr/client10320
611ff000 dgram 0 0 60777800 0 0 0 /var/spool/pwgr/daemon
6090f000 dgram 0 0 60c97800 0 0 0 /opt/dcelocal/var/rpc/local/00984/reaper
62d0f400 dgram 0 0 86ac7800 0 0 0 /var/spool/sockets/pwgr/client17287
6ad0f600 dgram 0 0 71228000 0 0 0 /var/spool/sockets/pwgr/client16773
6bc9f800 dgram 0 0 71226800 0 0 0 /var/spool/sockets/pwgr/client16745
6ae8f800 dgram 0 0 6a5ac800 0 0 0 /var/spool/sockets/pwgr/client16729
62ecfe00 dgram 0 0 93286800 0 0 0 /var/spool/sockets/pwgr/client11125
62e7fe00 dgram 0 0 62757800 0 0 0 /var/spool/sockets/pwgr/client4987


UNIX IS GOOD
Brian Bergstrand
Honored Contributor

Re: Internet Usage

Like I said, you are catching non-web (and in this case non-network) traffic. All of those lines you pasted are from LOCAL socket connections. They are not network based at all, but just an IPC channel in the kernel. So, you can ignore those. Just look for ones with IP address and valid ports. You should be able to tweak the grep to get rid of these local only sockets.

HTH.
Nobody's Hero
Valued Contributor

Re: Internet Usage

Ok, so when I run netstat -a I see this:

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 ihshp10.49979 ihshp10.registrar TIME_WAIT
tcp 0 0 *.dtspc *.* LISTEN
tcp 0 0 *.4045 *.* LISTEN
tcp 0 0 ihshp10.8052 *.* LISTEN
tcp 0 0 ihshp10.8050 *.* LISTEN
tcp 0 0 ihshp10.8003 *.* LISTEN
tcp 0 0 ihshp10.8002 *.* LISTEN
tcp 0 0 ihshp10.8001 *.* LISTEN
tcp 0 0 ihshp10.8000 *.* LISTEN
tcp 0 0 ihshp10.65340 ihshp10.610 ESTABLISHED
tcp 0 0 ihshp10.57068 ihshp14.1521 ESTABLISHED
tcp 0 0 ihshp10.57065 ihshp14.1521 ESTABLISHED
tcp 0 0 ihshp10.57062 ihshp14.1521 ESTABLISHED




like ihshp10.57602

What is 57602, a port being used?
UNIX IS GOOD
Mark Greene_1
Honored Contributor

Re: Internet Usage

Ask your network team how they define internet usage. Are they looking at a specific range of tcp ports, or at all traffic hitting the firewall, or what?

Do you have sendmail running on these servers? Do your applications or databases send automated mail outside your network, to a pop mailer outside your network? Check with your applications people to see if you had anyone coming in via telnet or ftp or ssh from outside your network to do work on any of your systems.

Are you running security_patch_check on these systems, or doing any other FTPs to systems outside your network? If this is the first time your network group has run this sort of audit, they may actually be seeing a normal month's usage of the network.

mark
the future will be a lot like now, only later
Frauke Denker_2
Esteemed Contributor

Re: Internet Usage

The network traffic might be caused by ISEE's polling mechanism. The polling is necessary to receive updates of any open cases and for outstanding map requests, as the internet connection is only outbound. If the network traffic is causing any problems, there is a way to change the polling rate, but be aware that this will reduce the functions the polling offers. To reduce the interval, edit the file:
/opt/hpservices/vendors/HP_Services/vendor.pref
and change the variable "POLL_INTERVAL". By default it is set to 190 seconds. The systems should at least poll a few times per day. After changing the POLL_INTERVAL restart the hpservices by /sbin/init.d/hpservices stop/start
Ron Kinner
Honored Contributor

Re: Internet Usage

Your netstat does not show any traffic to the internet. At least there are no established connections. Your only connections are between two machines with similar names so I assume they are both local.

tcp 0 0 ihshp10.65340 ihshp10.610 ESTABLISHED
tcp 0 0 ihshp10.57068 ihshp14.1521 ESTABLISHED


The 65340 is the port it (the local machine called ihshp10) used as the source of the connection. (Port numbers are chosen at random these days. They used to go up one at a time but a spoofer could exploit the predictability so they changed it.) It made a connection to itself on port 610. TCP/IP is often used to communicate between two processes running on the same machine so this is normal. 610 is a registered port and is supposed to be used for: npmp-local whatever that may be.

On the second line it uses port 57068 to connect to ihshp14 on port 1521. 1521 is also a registered port and is supposed to be used for: nCube License Manager

I suspect someone (Peoplesoft or Oracle) is reusing these ports for their own purposes.

You might look at
netstat -s
and see if you have a large number of UDP packets being sent out since it does not appear that you are going out to the internet via tcp at this instant in time. To see these packets would require something like tcpdump, snort or a sniffer. The network guys should have a sniffer so ask them to tell you where this supposed internet traffic is going to.

Ron
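
As an added example (not from any poster in this thread), the filtering Brian and Ron describe can be done by parsing `netstat -an` rather than grepping for 80: the function below keeps only ESTABLISHED TCP connections whose peer lies outside loopback, RFC 1918 and link-local space, and counts them per peer address and port. It assumes the BSD/HP-UX `address.port` column format with numeric IPv4 addresses; the function name `external_peers` and the sample lines (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ESTABLISHED TCP peers outside private address space.
# Input: `netstat -an` output in BSD/HP-UX "a.b.c.d.port" format on stdin.
# Output: "<connections> <peer-ip> <peer-port>", one line per peer/port.
external_peers() {
    awk '
    # Only TCP rows of the Internet table; UNIX-domain socket rows
    # (the /var/spool/sockets/pwgr/... entries) never start with "tcp".
    $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
        n = split($5, p, ".")
        if (n != 5) next                      # not IPv4 a.b.c.d.port
        a = p[1] + 0; b = p[2] + 0
        if (a == 127 || a == 10) next         # loopback, 10/8
        if (a == 192 && b == 168) next        # 192.168/16
        if (a == 172 && b >= 16 && b <= 31) next   # 172.16/12
        if (a == 169 && b == 254) next        # link-local
        ip = p[1] "." p[2] "." p[3] "." p[4]
        count[ip " " p[5]]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2,2 -k3,3n
}

# Constructed sample input (not captured from a real host).
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp        0      0  10.1.1.10.57068    10.1.1.14.1521     ESTABLISHED
tcp        0      0  10.1.1.10.65340    10.1.1.10.610      ESTABLISHED
tcp        0      0  10.1.1.10.51200    192.0.2.25.443     ESTABLISHED
tcp        0      0  10.1.1.10.51201    192.0.2.25.443     ESTABLISHED
tcp        0      0  10.1.1.10.51300    198.51.100.7.25    ESTABLISHED
tcp        0      0  10.1.1.10.49979    203.0.113.9.80     TIME_WAIT
tcp        0      0  *.4045             *.*                LISTEN
Active UNIX domain sockets
6b08da00 dgram 0 0 7a512800 0 0 0 /var/spool/sockets/pwgr/client23987'

# Stand-alone run on the sample; on a live host use: netstat -an | external_peers
printf '%s\n' "$SAMPLE" | external_peers
```

Run from cron with a timestamp and appended to a file, this gives a log of which outside addresses and ports the server actually talks to, which can be compared with what the network team's audit reports.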
Steven E. Protter
Exalted Contributor

Re: Internet Usage

So many possible causes. Can't your team give you a little more direction? Like what web sites were being accessed.

If you installed Bastille and answered the security_patch_check question y there will be some Internet access, though not a lot. That product could be installed standalone as well.

If you get the website you might get the product.

Also, if you installed IP filter firewall, it can be set up to provide NAT access to other servers and workstations, which will show up on some analysis as server access. This should only be an issue if there is a direct connection to the Internet on those servers.

This gives you an idea of how big a fishing expedition you might have been sent on. If they are tracking access they should be able to tell you where it goes.

If it's those sites with pictures nice guys don't look at, you've got a security problem.

Also note, if you have netscape or IE for HP-UX or mozilla installed, any X windows user on your servers can access the net. Wow that fishing expedition just got huge.

Sorry, home from vacation, in kind of a mood. Must have been all that thin air.

SEP
aka
former Sundance Wyoming HP Sysadmin.

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com