Re: How to interpret firewall log?

I am presently employing advanced firewall settings on my iMac G5 running Tiger 10.4.7, i.e., block udp traffic, enable firewall logging, and enable stealth mode. When I opened the firewall log for the first time today, I realized I didn't know what I was looking at. Can someone help me interpret what's going on? I guess I'm wondering if stealth mode is working properly?
Here's a sampling of what was happening several days ago:
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52668 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52671 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52678 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52679 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52681 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52688 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52690 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52691 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52693 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52692 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52694 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52695 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52699 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52700 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52698 from 66.230.172.18:80
Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52696 from 66.230.172.18:80

Yes, it is working properly.
These are often "tail-end charlies" from a connection you've left with your browser. If you move from one website to another, before the first one has fully loaded, then the firewall will log the unused packets from the first site as "Stealth Mode connection attempt" because your browser is no longer listening to that site. Note that all the "attempts" are on port 80 (http).
I find, quite often, that ads and images from sites, other than the one you're actually visiting, can take quite a while to arrive, so if you've moved on, at least a few packets are wandering around the 'net looking for a home.
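The triage rule in the answer above (source port 80, destination a high client port) can be applied to a whole log. This is an added example, not part of the original thread; the port thresholds, function names and the last sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Layout of the Tiger ipfw stealth-mode lines quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) ipfw: "
    r"Stealth Mode connection attempt to (?P<proto>\w+) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"from (?P<src_ip>[\d.]+):(?P<src_port>\d+)\s*$"
)

WEB_PORTS = {80, 443}      # assumption: source ports treated as web servers
EPHEMERAL_START = 49152    # assumption: start of the client's ephemeral port range
WELL_KNOWN_END = 1023      # destination ports at or below this are service ports

# The first three lines come from the post; the last one is constructed
# (documentation address 192.0.2.77) to show the contrasting case.
SAMPLE_LOG = [
    "Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52668 from 66.230.172.18:80",
    "Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52671 from 66.230.172.18:80",
    "Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52678 from 66.230.172.18:80",
    "Sep 7 14:12:01 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:22 from 192.0.2.77:40112",
]


def classify(line):
    """Parse one log line and label it; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dst_port"] = int(rec["dst_port"])
    rec["src_port"] = int(rec["src_port"])
    if rec["src_port"] in WEB_PORTS and rec["dst_port"] >= EPHEMERAL_START:
        # Packet from a web server to a client port the browser already closed.
        rec["kind"] = "late-reply"
    elif rec["dst_port"] <= WELL_KNOWN_END:
        # Something tried to reach a local service port: worth a closer look.
        rec["kind"] = "service-probe"
    else:
        rec["kind"] = "other"
    return rec


def summarize(lines):
    """Count entries per (source IP, kind) so repeated sources stand out."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec is not None:
            counts[(rec["src_ip"], rec["kind"])] += 1
    return counts


if __name__ == "__main__":
    for (src, kind), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src:15} {kind:14} {n}")
```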

Similar Messages

  • How to read firewall log files

    2 duration 0:03:04
    <166>:%ASA-session-6-302014: Teardown TCP connection 2756946 for YOUB:184.31.212.174/80 to inside:10.10.10.1009/49945 duration 0:00:12 bytes 0 TCP FINs
    <166>:%ASA-session-6-302014: Teardown TCP connection 2756947 for YOUB:184.31.212.174/80 to inside:10.10.10.1009/49946 duration 0:00:12 bytes 0 TCP FINs
    <167>:%ASA-session-7-609002: Teardown local-host YOUB:184.31.212.174 duration 0:00:12
    <167>:%ASA-session-7-609001: Built local-host inside:10.10.10.10
    <166>:%ASA-session-6-302013: Built outbound TCP connection 2756977 for inside:10.10.10.10/21 (10.10.10.10/21) to identity:10.10.10.10/50476 (10.10.10.10/50476)
    <163>:%ASA-sys-3-414001: Failed to save logging buffer to FTP server 10.10.10.10 using filename LOG-2014-02-13-190303.TXT on interface inside: [Device open error]
    <166>:%ASA-session-6-302014: Teardown TCP connection 2756943 for YOUB:46.51.219.164/80 to inside:10.10.10.1009/49943 duration 0:00:12 bytes 0 TCP FINs
    <166>:%ASA-session-6-302014: Teardown TCP connection 2756944 for YOUB:46.51.219.164/80 to inside:10.10.10.1009/49944 duration 0:00:12 bytes 0 TCP FINs
    <166>:%ASA-session-6-302014: Teardown TCP connection 2756949 for YOUB:174.129.247.121/80 to inside:10.10.10.1009/49947 duration 0:00:12 bytes 0 TCP FINs
    <166>:%ASA-session-6-302014: Teardown TCP connection 2756179 for YOUB:50.97.236.98/80 to inside:10.10.10.1009/49692 duration 0:02:23 bytes 8416 TCP FINs
    <167>:%ASA-session-7-609002: Teardown local-host YOUB:50.97.236.98 duration 0:02:23
    <166>:%ASA-session-6-302014: Teardown TCP connection 2756950 for YOUB:174.129.247.121/80 to inside:10.10.10.1009/49948 duration 0:00:12 bytes 0 TCP FINs
    <161>:%ASA-session-1-106021: Deny UDP reverse path check from Testpdf to 10.10.10.10 on interface YOUB
    <167>:%ASA-session-7-710005: UDP request discarded from Testpdf/137 to inside:10.10.10.10/137
    <161>:%ASA-session-1-106021: Deny UDP reverse path check from Testpdf to 10.10.10.10 on interface YOUB
    <167>:%ASA-session-7-710005: UDP request discarded from Testpdf/138 to inside:10.10.10.10/138
    <166>:%ASA-session-6-302014: Teardown TCP connection 2756977 for inside:10.10.10.10/21 to identity:10.10.10.10/50476 duration 0:00:00 bytes 0 TCP Reset-O
    <167>:%ASA-session-7-609002: Teardown local-host inside:10.10.10.10 duration 0:00:00
    <166>:%ASA-session-6-302014: Teardown TCP connection 2754536 for YOUB:74.125.236.65/443 to inside:10.10.10.1046/49751 duration 0:10:05 bytes 187079 TCP FINs
    <166>:%ASA-session-6-302013: Built inbound TCP connection 2756978 for inside:FinalPdf/3893 (FinalPdf/3893) to identity:10.10.10.10/443 (10.10.10.10/443)
    <166>:%ASA-ssl-6-725001: Starting SSL handshake with client inside:FinalPdf/3893 for TLSv1 session.
    <166>:%ASA-ssl-6-725003: SSL client inside:FinalPdf/3893 request to resume previous session.
    <166>:%ASA-ssl-6-725002: Device completed SSL handshake with client inside:FinalPdf/3893
    <165>:%ASA-config-5-111007: Begin configuration: FinalPdf reading from http [POST]
    <165>:%ASA-config-5-111008: User 'cisco' executed the 'logging ftp-server 10.10.10.10 firwall/ vml vml' command.
    <166>:%ASA-session-6-302014: Teardown TCP connection 2756978 for inside:FinalPdf/3893 to identity:10.10.10.10/443 duration 0:00:00 bytes 255 TCP Reset-O
    <166>:%ASA-session-6-106015: Deny TCP (no connection) from FinalPdf/3893 to 10.10.10.10/443 flags FIN ACK  on interface inside
    <167>:%ASA-session-7-710005: TCP request discarded from FinalPdf/3893 to inside:10.10.10.10/443
    <166>:%ASA-ssl-6-725007: SSL session with client inside:FinalPdf/3893 terminated.
    <166>:%ASA-session-6-305011: Built dynamic TCP translation from inside:10.10.10.1010/50758 to YOUB:10.10.10.10/38671
    <166>:%ASA-session-6-302013: Built outbound TCP connection 2756979 for YOUB:65.182.162.190/80 (65.182.162.190/80) to inside:10.10.10.1010/50758 (10.10.10.10/38671)
    <166>:%ASA-session-6-305012: Teardown dynamic TCP translation from inside:192.168.2.37/52012 to YOUB:10.10.10.10/52872 duration 0:02:00
    <166>:%ASA-session-6-305011: Built dynamic TCP translation from inside:10.10.10.1010/50759 to YOUB:10.10.10.10/49081

    Thanks lcfc,
    While I did try googling the subjects, I didn't find those articles, so thanks.
    I seem to be finding a lot of information, just not the right information : )
    I'm still unsure about the way the .local subnet works, or if IRC introduces new vulnerabilities...although I'm not running any scripts of any kind. For instance, if I'm connected to an IRC server, will that "MyComputer.local" server be vulnerable?
    This may seem trivial, but I'm just not sure how it works.
    Power Mac G5/PPC   Mac OS X (10.3.9)  

  • How to interpret poa log?

    Can anyone help me to interpret this POA log? One user (user1) is complaining about a lost message from another user within our domain (user2). I think he deleted the message himself by accident, but I'm not sure. He claims that the message disappeared spontaneously without his intervention. He only clicked the "Read" button in the notifier window and the message was gone??? I don't believe it, but I can't find out what really happened... Is the message really deleted? Who deleted it? There is some "follow-up" message from user2 to user1 at 15:05:36. Should it be a "delivery confirmation" notification?
    Is there an explanation of the items in POA logs available anywhere? I found only "Post Office Agent Error Messages" in the Groupwise 2012 troubleshooting document. But what about common messages? The logs are quite worthless when I can't interpret them enough :-(. Thank you for your help
    15:05:00 EADF C/S Login Windows Net Id=user2 ::GW Id=user2 :: 192.168.7.98
    15:05:03 EADF Client Slap session [1407481774] from IP address 192.168.7.98 Bag ID= 19541
    15:05:03 EADF Client Slap Socket Bag ID = 19541 has been added
    15:05:26 EADF Distribute message from: user2 (user2)
    15:05:26 EADF Begin distribution to 1 users
    15:05:26 EADF Distributed: user1
    15:05:29 EADF Processing update: settings (bag) record (user2)
    15:05:29 EADF *** APP DISCONNECTED, Tbl Entry=11, Check ID=1407481775
    15:05:29 EADF Processing update: settings (bag) record (user2)
    15:05:29 EADF *** APP DISCONNECTED, Tbl Entry=0, Check ID=1407481774
    15:05:30 EADF Processing update: Execution Record (user1)
    15:05:30 EADF Purge Execution Record #45963 (user1)
    15:05:30 EADF Processing update: item record (user1)
    15:05:36 EADF Processing update: item record (user1)
    15:05:36 EADF Distribute message from: user1 (user1)
    15:05:36 EADF Begin distribution to 1 users
    15:05:36 EADF Distributed: user2

    Hi,
    This line here:
    15:05:30 EADF Purge Execution Record #45963 (user1)
    Tells me that User1 deleted the mail.
    If User2 checks their sent items, and looks at the properties of the "missing" e-mail what is the status of the message?
    Just note that the Delete button is right next to the Read button on the notify window. Could it have been user error?
    Let us know,
    Cheers

  • How to interpret rmi log msgs when setting -Djava.rmi.server.logCalls=true

    I have set this property: -Djava.rmi.server.logCalls=true
    Now I am getting the following RMI log msgs on the console:
    Tue Nov 12 15:38:08 PST 2002:RMI:RMI TCP Connection(4851)-172.16.103.94:[172.16.103.94: sun.rmi.transport.DGCImpl[0:0:0, 2]: java.rmi.dgc.Lease dirty(java.rmi.server.ObjID[], long, java.rmi.dgc.Lease)]
    Tue Nov 12 15:38:13 PST 2002:RMI:RMI TCP Connection(4852)-127.0.0.1:[127.0.0.1: sun.rmi.registry.RegistryImpl[0:0:0, 0]: java.rmi.Remote lookup(java.lang.String)]
    Tue Nov 12 15:38:20 PST 2002:RMI:RMI TCP Connection(4853)-172.16.103.94:[172.16.103.94: sun.rmi.transport.DGCImpl[0:0:0, 2]: void clean(java.rmi.server.ObjID[], long,java.rmi.dgc.VMID, boolean)]
    Can someone pls tell me how to interpret the messages? What does the number 4853 in TCP Connection(4853) mean? Thanks a lot

    Basically it is:
    date:subsystem:threadid:[remote object[object-id]:method]
    The 4853 is part of the thread-id and it is something like an instance number of the thread class.
    EJP

  • How to interpret External Table's log file ?

    Hello All,
    Env: Oracle 10.2.0.4 on Solaris 10.
    I have a csv file and need to use the external table to load the data.
    The data is from Microsoft Active Dir and the fields are quite big.
    Since there is no table to upload, I created a table with 283 cols with varchar2(4000), 'coz I do not know how big each record is. The file has 8039 records and could load only 7600.
    Googled and checked documentation and found no details on how to interpret the log file for missing records or what caused them.
    LOG\343\203\225\343\202\241\343\202\244\343\203\253\343\201\21408/10/09 16:55:56\343\201\247\343\202\252\343\203\274\343\203\227\343\203\26
    3\343\201\225\343\202\214\343\201\276\343\201\227\343\201\237
    \350\241\250A1\343\201\256\343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\345\256\232\347\276\251
      \343\203\254\343\202\263\343\203\274\343\203\211\343\203\273\343\203\225\343\202\251\343\203\274\343\203\236\343\203\203\343\203\210DELIM
    ITED BY NEWLINE
      \343\203\225\343\202\241\343\202\244\343\203\253\345\206\205\343\201\256\343\203\207\343\203\274\343\202\277\343\201\257\343\203\227\343\
    203\251\343\203\203\343\203\210\343\203\225\343\202\251\343\203\274\343\203\240\343\201\250\345\220\214\343\201\230endianness\343\201\247\3
    43\201\231
      \343\201\231\343\201\271\343\201\246\343\201\256\343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\343\201\214NULL\343\201\247\
    343\201\202\343\202\213\350\241\214\343\201\214\345\217\227\345\205\245\343\202\214\343\202\211\343\202\214\343\201\276\343\201\227\343\201
    \237
      \343\203\207\343\203\274\343\202\277\343\203\273\343\202\275\343\203\274\343\202\271\343\201\256\343\203\225\343\202\243\343\203\274\343\
    203\253\343\203\211:
        DN                              CHAR (4000)
          ","\343\201\247\347\265\202\344\272\206\343\201\227\343\201\276\343\201\231
          """\343\201\250"""\343\201\247\345\233\262\343\201\276\343\202\214\343\201\246\343\201\204\343\201\276\343\201\231
          SQL Loader\343\201\250\345\220\214\346\247\230\343\201\253\347\251\272\347\231\275\343\202\222\345\210\207\343\202\212\346\215\250\34
    3\201\246\343\201\276\343\201\231
        OBJECTCLASS                     CHAR (4000)
          ","\343\201\247\347\265\202\344\272\206\343\201\227\343\201\276\343\201\231
          """\343\201\250"""\343\201\247\345\233\262\343\201\276\343\202\214\343\201\246\343\201\204\343\201\276\343\201\231
          SQL Loader\343\201\250\345\220\214\346\247\230\343\201\253\347\251\272\347\231\275\343\202\222\345\210\207\343\202\212\346\215\250\34
    3\201\246\343\201\276\343\201\231
        DISTINGUISHEDNAME               CHAR (4000)
          ","\343\201\247\347\265\202\344\272\206\343\201\227\343\201\276\343\201\231
          """\343\201\250"""\343\201\247\345\233\262\343\201\276\343\202\214\343\201\246\343\201\204\343\201\276\343\201\231
          SQL Loader\343\201\250\345\220\214\346\247\230\343\201\253\347\251\272\347\231\275\343\202\222\345\210\207\343\202\212\346\215\250\34
    3\201\246\343\201\276\343\201\231
    KUP-04026: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\343\201\214\343\203\207\343\203\274\343\202\277\345\236\213\343\201
    \253\345\257\276\343\201\227\343\201\246\351\225\267\343\201\231\343\201\216\343\201\276\343\201\231\343\200\202
    KUP-04101: \343\203\254\343\202\263\343\203\274\343\203\2111686\343\201\214\343\203\225\343\202\241\343\202\244\343\203\253/u01/app/oracle/
    product/10.2.0/db_1/work/csvdeResult.csv\343\201\247\346\213\222\345\220\246\343\201\225\343\202\214\343\201\276\343\201\227\343\201\237
    KUP-04021: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211MEMBEROF\343\201\256\343\203\225\343\202\243\343\203\274\343\203\253
    \343\203\211\343\203\273\343\203\225\343\202\251\343\203\274\343\203\236\343\203\203\343\203\210\343\203\273\343\202\250\343\203\251\343\20
    3\274
    KUP-04026: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\343\201\214\343\203\207\343\203\274\343\202\277\345\236\213\343\201
    \253\345\257\276\343\201\227\343\201\246\351\225\267\343\201\231\343\201\216\343\201\276\343\201\231\343\200\202
    KUP-04101: \343\203\254\343\202\263\343\203\274\343\203\2111708\343\201\214\343\203\225\343\202\241\343\202\244\343\203\253/u01/app/oracle/
    product/10.2.0/db_1/work/csvdeResult.csv\343\201\247\346\213\222\345\220\246\343\201\225\343\202\214\343\201\276\343\201\227\343\201\237
    KUP-04021: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211USERCERTIFICATE\343\201\256\343\203\225\343\202\243\343\203\274\343\
    203\253\343\203\211\343\203\273\343\203\225\343\202\251\343\203\274\343\203\236\343\203\203\343\203\210\343\203\273\343\202\250\343\203\251
    \343\203\274
    KUP-04026: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\343\201\214\343\203\207\343\203\274\343\202\277\345\236\213\343\201
    \253\345\257\276\343\201\227\343\201\246\351\225\267\343\201\231\343\201\216\343\201\276\343\201\231\343\200\202
    KUP-04101: \343\203\254\343\202\263\343\203\274\343\203\2111709\343\201\214\343\203\225\343\202\241\343\202\244\343\203\253/u01/app/oracle/
    product/10.2.0/db_1/work/csvdeResult.csv\343\201\247\346\213\222\345\220\246\343\201\225\343\202\214\343\201\276\343\201\227\343\201\237
    KUP-04021: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211USERCERTIFICATE\343\201\256\343\203\225\343\202\243\343\203\274\343\
    203\253\343\203\211\343\203\273\343\203\225\343\202\251\343\203\274\343\203\236\343\203\203\343\203\210\343\203\273\343\202\250\343\203\251
    \343\203\274
    KUP-04026: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\343\201\214\343\203\207\343\203\274\343\202\277\345\236\213\343\201
    \253\345\257\276\343\201\227\343\201\246\351\225\267\343\201\231\343\201\216\343\201\276\343\201\231\343\200\202
    KUP-04101: \343\203\254\343\202\263\343\203\274\343\203\2111710\343\201\214\343\203\225\343\202\241\343\202\244\343\203\253/u01/app/oracle/
    product/10.2.0/db_1/work/csvdeResult.csv\343\201\247\346\213\222\345\220\246\343\201\225\343\202\214\343\201\276\343\201\227\343\201\237
    KUP-04021: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211USERCERTIFICATE\343\201\256\343\203\225\343\202\243\343\203\274\343\
    203\253\343\203\211\343\203\273\343\203\225\343\202\251\343\203\274\343\203\236\343\203\203\343\203\210\343\203\273\343\202\250\343\203\251
    \343\203\274
    KUP-04026: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\343\201\214\343\203\207\343\203\274\343\202\277\345\236\213\343\201
    \253\345\257\276\343\201\227\343\201\246\351\225\267\343\201\231\343\201\216\343\201\276\343\201\231\343\200\202
    KUP-04101: \343\203\254\343\202\263\343\203\274\343\203\2111715\343\201\214\343\203\225\343\202\241\343\202\244\343\203\253/u01/app/oracle/
    product/10.2.0/db_1/work/csvdeResult.csv\343\201\247\346\213\222\345\220\246\343\201\225\343\202\214\343\201\276\343\201\227\343\201\237
    KUP-04021: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211MEMBEROF\343\201\256\343\203\225\343\202\243\343\203\274\343\203\253
    \343\203\211\343\203\273\343\203\225\343\202\251\343\203\274\343\203\236\343\203\203\343\203\210\343\203\273\343\202\250\343\203\251\343\20
    3\274
    KUP-04026: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\343\201\214\343\203\207\343\203\274\343\202\277\345\236\213\343\201
    \253\345\257\276\343\201\227\343\201\246\351\225\267\343\201\231\343\201\216\343\201\276\343\201\231\343\200\202
    KUP-04101: \343\203\254\343\202\263\343\203\274\343\203\2111717\343\201\214\343\203\225\343\202\241\343\202\244\343\203\253/u01/app/oracle/
    product/10.2.0/db_1/work/csvdeResult.csv\343\201\247\346\213\222\345\220\246\343\201\225\343\202\214\343\201\276\343\201\227\343\201\237
    KUP-04021: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211USERCERTIFICATE\343\201\256\343\203\225\343\202\243\343\203\274\343\
    203\253\343\203\211\343\203\273\343\203\225\343\202\251\343\203\274\343\203\236\343\203\203\343\203\210\343\203\273\343\202\250\343\203\251
    \343\203\274
    Above is an extract of the log file.
    Could someone shed some light on how to interpret it ?
    or any links would be sufficient.
    TIA,
    JJ

    Hello,
    I have already tried with CLOB and could see only 2600 records, whereas when the cols were varchar2(4000) I could get 7680 rows.
    @Franky:
    Is KUP equal to ORA- errors ?
    Is there any lookup tool ?
    I could not see any formatted error description in the log file.
    This is the beginning of the KUP errors in the log file. REPSFROM is a col. How do i know for which row it has failed ?
      KUP-04021: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211REPSFROM\343\201\256\343\203\225\343\202\243\343\203\274\343\203\253
    \343\203\211\343\203\273\343\203\225\343\202\251\343\203\274\343\203\236\343\203\203\343\203\210\343\203\273\343\202\250\343\203\251\343\20
    3\274
    KUP-04026: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\343\201\214\343\203\207\343\203\274\343\202\277\345\236\213\343\201
    \253\345\257\276\343\201\227\343\201\246\351\225\267\343\201\231\343\201\216\343\201\276\343\201\231\343\200\202
    KUP-04101: \343\203\254\343\202\263\343\203\274\343\203\2112\343\201\214\343\203\225\343\202\241\343\202\244\343\203\253/u01/app/oracle/pro
    duct/10.2.0/db_1/work/csvdeResult.csv\343\201\247\346\213\222\345\220\246\343\201\225\343\202\214\343\201\276\343\201\227\343\201\237
    KUP-04021: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211MEMBEROF\343\201\256\343\203\225\343\202\243\343\203\274\343\203\253
    \343\203\211\343\203\273\343\203\225\343\202\251\343\203\274\343\203\236\343\203\203\343\203\210\343\203\273\343\202\250\343\203\251\343\20
    3\274
    KUP-04026: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\343\201\214\343\203\207\343\203\274\343\202\277\345\236\213\343\201
    \253\345\257\276\343\201\227\343\201\246\351\225\267\343\201\231\343\201\216\343\201\276\343\201\231\343\200\202
    KUP-04101: \343\203\254\343\202\263\343\203\274\343\203\211508\343\201\214\343\203\225\343\202\241\343\202\244\343\203\253/u01/app/oracle/p
    roduct/10.2.0/db_1/work/csvdeResult.csv\343\201\247\346\213\222\345\220\246\343\201\225\343\202\214\343\201\276\343\201\227\343\201\237
    KUP-04021: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211MEMBEROF\343\201\256\343\203\225\343\202\243\343\203\274\343\203\253
    \343\203\211\343\203\273\343\203\225\343\202\251\343\203\274\343\203\236\343\203\203\343\203\210\343\203\273\343\202\250\343\203\251\343\20
    3\274
    KUP-04026: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\343\201\214\343\203\207\343\203\274\343\202\277\345\236\213\343\201
    \253\345\257\276\343\201\227\343\201\246\351\225\267\343\201\231\343\201\216\343\201\276\343\201\231\343\200\202
    KUP-04101: \343\203\254\343\202\263\343\203\274\343\203\211509\343\201\214\343\203\225\343\202\241\343\202\244\343\203\253/u01/app/oracle/p
    roduct/10.2.0/db_1/work/csvdeResult.csv\343\201\247\346\213\222\345\220\246\343\201\225\343\202\214\343\201\276\343\201\227\343\201\237
    KUP-04021: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211MEMBEROF\343\201\256\343\203\225\343\202\243\343\203\274\343\203\253
    \343\203\211\343\203\273\343\203\225\343\202\251\343\203\274\343\203\236\343\203\203\343\203\210\343\203\273\343\202\250\343\203\251\343\20
    3\274
    KUP-04026: \343\203\225\343\202\243\343\203\274\343\203\253\343\203\211\343\201\214\343\203\207\343\203\274\343\202\277\345\236\213\343\201
    \253\345\257\276\343\201\227\343\201\246\351\225\267\343\201\231\343\201\216\343\201\276\343\201\231\343\200\202
    TIA,
    J J

  • Interpreting DNS log

    I got a 2008 server with 2 NIC, one public, the other private. The public NIC should register its A record, and it does, which is good. The private should NOT register its record - we disabled the option accordingly in TCP/IP stack - but the record comes back from time to time (very far and few between). I am suspecting something other than the NIC is doing the registration, so I enabled DNS log. Below is one entry from the log coming from the server itself. But my question is not about how the record was registered - I am still working on it - instead, my question is how to interpret the log below. It seems that the server is registering the private IP based on the entry, but I don't see the record created in DNS. Same update request can be seen in log quite often.
    In short, record for private IP is NOT getting created most of the time while the log says otherwise. What gives?
    12/12/2013 9:34:31 AM 07A8 PACKET  00000000095AE940 UDP Snd 172.31.85.66    eef2 R U [00a8       NOERROR] SOA    (8)domain(2)parentdomain(13)com(0)
    UDP response info at 00000000095AE940
      Socket = 448
      Remote addr [public IP of server here], port 56769        <---------------------------
      Time Query=2212181, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x0067 (103)
      Message:
        XID       0xeef2
        Flags     0xa800
          QR        1 (RESPONSE)
          OPCODE    5 (UPDATE)   <-----------
          AA        0
          TC        0
          RD        0
          RA        0
          Z         0
          CD        0
          AD        0
          RCODE     0 (NOERROR)
        ZCOUNT    1
        PRECOUNT  0
        UPCOUNT   1
        ARCOUNT   0
        ZONE SECTION:
        Offset = 0x000c, RR count = 0
        Name      "(8)domain(2)parentdomain(13)com(0)"
          ZTYPE   SOA (6)
          ZCLASS  1
        PREREQUISITE SECTION:
          empty
        UPDATE SECTION:
        Offset = 0x002f, RR count = 0
        Name      "(10)ServerName(8)domain(2)parentdomain(13)com(0)"
          TYPE   A  (1)
          CLASS  254
          TTL    0
          DLEN   4
          DATA   [Private IP here]   <----------------------------------------
        ADDITIONAL SECTION:
          empty

    Hi,
    Firstly, please refer to the link below to better understand the DNS log:
    http://www.zytrax.com/books/dns/ch15/#rdata
    In addition, did you mean that the DNS server was multihomed (with two NICs)? If yes, please refer to the links below:
    Steps to avoid registering unwanted NIC(s) in DNS on a Mulithomed Domain Controller
    http://support.microsoft.com/kb/2023004
    How does a DNS query work in a multi-homed PC?
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/d0aa6307-41bb-43d1-b918-d9794747958d/how-does-a-dns-query-work-in-a-multihomed-pc?forum=winserverPN
    Best regards,
    Susie
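
Added example, not part of the original thread and not Microsoft's code: a Python parser for a debug-log entry of the shape quoted in the question, which classifies each UPDATE-section record by the RFC 2136 rules. Under those rules CLASS 254 (NONE) with TTL 0 asks the server to delete that one record rather than add it; the sample entry, its names and its address are constructed, and label lengths are not validated.

```python
import re

# Constructed sample modelled on the Windows DNS debug-log entry in the
# question; the zone, host name and address are placeholders.
SAMPLE_ENTRY = """\
    XID       0xeef2
    Flags     0xa800
      QR        1 (RESPONSE)
      OPCODE    5 (UPDATE)
      RCODE     0 (NOERROR)
    ZCOUNT    1
    PRECOUNT  0
    UPCOUNT   1
    ARCOUNT   0
    ZONE SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(7)example(3)com(0)"
      ZTYPE   SOA (6)
      ZCLASS  1
    PREREQUISITE SECTION:
      empty
    UPDATE SECTION:
    Offset = 0x002f, RR count = 0
    Name      "(6)server(7)example(3)com(0)"
      TYPE   A  (1)
      CLASS  254
      TTL    0
      DLEN   4
      DATA   192.0.2.10
    ADDITIONAL SECTION:
      empty
"""

SECTION_RE = re.compile(r"^(ZONE|PREREQUISITE|UPDATE|ADDITIONAL) SECTION:$")
FIELD_RE = re.compile(r"^(\w+)\s+(.*)$")
HEADER_KEYS = {"QR", "OPCODE", "RCODE"}
RR_NUMERIC_KEYS = {"TYPE", "ZTYPE", "CLASS", "ZCLASS", "TTL", "DLEN"}


def _num(value):
    """Return the numeric code from values such as 'A  (1)', '5 (UPDATE)' or '254'."""
    m = re.search(r"\((\d+)\)\s*$", value) or re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def decode_name(value):
    """Turn '(6)server(7)example(3)com(0)' into 'server.example.com.'."""
    labels = [text for length, text in re.findall(r"\((\d+)\)([^()\"]*)", value)
              if length != "0"]
    return ".".join(labels) + "."


def parse_entry(text):
    """Parse one 'Message:' dump into header flags and per-section records."""
    header, sections, section, record = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, record = m.group(1), None
            sections[section] = []
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # e.g. the bare word "empty"
        key, value = m.groups()
        if section is None:
            if key in HEADER_KEYS:
                header[key] = _num(value)
        elif key == "Name":
            record = {"name": decode_name(value)}
            sections[section].append(record)
        elif record is not None and key in RR_NUMERIC_KEYS:
            record[key] = _num(value)
        elif record is not None and key == "DATA":
            record["DATA"] = value.strip()
    return {"header": header, "sections": sections}


def classify_update_rr(rr, zone_class=1):
    """Map an UPDATE-section RR to its RFC 2136 section 2.5 meaning."""
    rtype, rclass = rr.get("TYPE"), rr.get("CLASS")
    ttl, dlen = rr.get("TTL"), rr.get("DLEN")
    if rclass == zone_class:
        return "add to RRset"
    if rclass == 255 and ttl == 0 and dlen == 0:  # class ANY
        return "delete all RRsets at name" if rtype == 255 else "delete RRset"
    if rclass == 254 and ttl == 0:                # class NONE
        return "delete this RR from RRset"
    return "not a valid RFC 2136 update RR"


def describe(entry):
    """One summary line per UPDATE-section record."""
    h = entry["header"]
    kind = "response" if h.get("QR") == 1 else "request"
    return [
        f"UPDATE {kind}, RCODE {h.get('RCODE')}: {classify_update_rr(rr)}: "
        f"{rr['name']} type {rr.get('TYPE')} {rr.get('DATA', '')}".rstrip()
        for rr in entry["sections"].get("UPDATE", [])
    ]


if __name__ == "__main__":
    print("\n".join(describe(parse_entry(SAMPLE_ENTRY))))
```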

  • Norton Firewall logging connections from usr/sbin/nmbd every 6 seconds...  What is this, and how can I stop it?

    This whole situation first started with a complaint from my ISP that it appeared I had a trojan virus...  around 1100-1200 messages per hour were being run through their servers via my account.  I have also Anti-Virus enabled, so I was left scratching my head...
    No viruses found on a full scan - so I started watching processes and connections.  This nmbd process is suspicious...  I don't run windows file sharing, nor have I ever.  This just popped up recently.  I also had two mac tech support calls, and one to Symantec - and it ran fine for a couple of days - but it's back again. 
    What is this, and how can I find the culprit, and remove it permanently...?
    Thanks in advance for any advice!
    --Jeff

    Thanks Thomas, appreciate the insight!  Thanks for taking the time to help me think through this...
    I have reset the password  twice now...
    It's only impacting one account, and the ISP says it's local to me - somewhere on my local network.
    I do have a few devices on my home network.  The only one with windows is my macbook air running parallels.  I just use this to browse some web projects I work on (view in IE to make sure everything is looking like it should). 
    The passwords I have used both times - they were ones set by my isp - the type you can't remember, they seem rather strong (upper/lower case letters, numbers, symbols).  That's what leads me to believe it's also local - something on my machine.  And it only seems to be impacting one email account (I have 5 running in Mac Mail).
    WiFi network is protected by WPA2 - just checked to be sure.  All good there.
    Now, in Norton Firewall log - I can see incoming and outgoing connections via Windows File Sharing/nmbd. 
    The reason I feel/felt that this is related to the spam sends is that once I saw that the number of connects roughly equals the number of sends per hour of spam, I stopped the process with the firewall and suddenly my ISP says the spam sends stop. That led me to believe they are related. Perhaps this virus or malware has spoofed its name and is identifying itself as nmbd?  I have no idea.  Just scared to turn it all off just yet.
    I did notice that Mountain Lion does not run this...  (nmbd).
    I did wonder about the Air sending something off of windows - but this all happened while it was off, laying on the desk next to me.  It rarely gets used unless I'm testing or traveling.
    I can understand nmbd being a useful part of the system, I cannot understand how it would be very useful if I didn't turn it on, it connects at that frequency, and I don't have file sharing enabled.  That's why I am hesitant to turn Norton off, and hope that everything just goes away.  I want to try and get this problem figured out as simply turning Norton off doesn't seem like I'm taking steps to eliminate the problem.  Perhaps Norton is causing other issues - and I'll be removing the software asap - but want to make sure the spam sends cease.
    Let me know if that sparks any ideas...  Thanks again! 
    --Jeff

  • Firewall Logging

    I checked my firewall log out of curiosity a few days ago and was quite shocked to find a huge number of entries in it. I don't really know how I should interpret all of the log messages such as iMac ipfw: Stealth Mode connection attempt to ... and others. Is there any reference document I can use to understand all of those messages and to find out if I need to be worried about them?
    iMac (Flat Panel); iBook G4   Mac OS X (10.4)  

    Those messages indicate that a remote machine was trying to connect to your computer using the http and https protocols. The second set of addresses belongs to a computer on Apple's support site; if you were accessing it through your web browser at the time over a secure (https) connection, those messages may appear.
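
Added example, not part of the original thread: a Python triage of "Stealth Mode connection attempt" lines that separates packets arriving from a remote port 80/443 at a high local port, the case the reply above describes, from attempts on low-numbered local ports. The log lines are constructed, and the port thresholds and verdict names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed log lines in the ipfw "Stealth Mode" format; the remote
# addresses are documentation ranges, not hosts from the thread.
SAMPLE_LOG = """\
Sep 7 14:10:44 iMac ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52668 from 192.0.2.18:80
Sep 7 14:10:44 iMac ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52671 from 192.0.2.18:80
Sep 7 14:10:45 iMac ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52700 from 192.0.2.18:443
Sep 7 15:02:10 iMac ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:22 from 198.51.100.7:40112
Sep 7 15:02:11 iMac ipfw: Stealth Mode connection attempt to UDP 10.0.1.3:137 from 198.51.100.7:137
Sep 7 15:02:12 iMac ipfw: some other message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipfw: "
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<lip>[\d.]+):(?P<lport>\d+) from (?P<rip>[\d.]+):(?P<rport>\d+)\s*$"
)

WEB_PORTS = {80, 443}
EPHEMERAL_MIN = 49152   # assumed start of the client's ephemeral port range
WELL_KNOWN_MAX = 1023   # local ports at or below this are treated as services


def parse_line(line):
    """Return a dict for a Stealth Mode line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["lport"] = int(event["lport"])
    event["rport"] = int(event["rport"])
    return event


def classify(event):
    """Heuristic verdict for one event.

    web-reply:     TCP from a web server port to a high local port, i.e. a
                   packet for a browser connection the Mac no longer tracks.
    service-probe: something addressed a low-numbered local port that the
                   Mac does not offer.
    other:         needs a manual look.
    """
    if (event["proto"] == "TCP" and event["rport"] in WEB_PORTS
            and event["lport"] >= EPHEMERAL_MIN):
        return "web-reply"
    if event["lport"] <= WELL_KNOWN_MAX:
        return "service-probe"
    return "other"


def summarize(log_text):
    """Count events per (remote address, remote port, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            counts[(event["rip"], event["rport"], classify(event))] += 1
    return counts


if __name__ == "__main__":
    for (rip, rport, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {verdict:13s}  {rip}:{rport}")
```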

  • JNI Hotspot Error: Access Violation, need help interpreting the log.

    Hello. I'm a relatively new developer (previously an engineer), and so to start me off I was given the task of providing a JNI-enabled interface to some legacy licensing software (it's C++, we want Java). Now the functionality of JNI is not the problem I have. I HAD those types of problems but now I'm having a far more obscure problem that is absolutely stumping me.
    It's a Hotspot error that I cannot get rid of... and I cannot find a clear bit of info on how to interpret them.
    About the problem...first off this does not happen on my development machine, where it is isolated from other components in the end-product. The integration machine with the rest of the software runs fine with a "Dummy" version of my component, but we get errors when the real version is in use. I'd really appreciate any help in understanding these things, even if it is just some general pointers.
    First off, here is the log:
    {code}
    # An unexpected error has been detected by HotSpot Virtual Machine:
    #  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x7c82caa4, pid=5516, tid=4420
    # Java VM: Java HotSpot(TM) Client VM (1.5.0_14-b03 mixed mode)
    # Problematic frame:
    # C  [ntdll.dll+0x2caa4]
    ---------------  T H R E A D  ---------------
    Current thread (0x0aa1eaa0):  JavaThread "btpool0-5" [_thread_in_native, id=4420]
    siginfo: ExceptionCode=0xc0000005, reading address 0x00000004
    Registers:
    EAX=0x0b1a9a40, EBX=0x00030000, ECX=0x00001448, EDX=0x00000000
    ESP=0x0c90e774, EBP=0x0c90e780, ESI=0x0b1a9a38, EDI=0x0b1aa000
    EIP=0x7c82caa4, EFLAGS=0x00010246
    Top of Stack: (sp=0x0c90e774)
    0x0c90e774:   00030000 00000003 00030005 0c90e7b8
    0x0c90e784:   7c833a2a 0b1a9a4c 0b1aa000 0c90e7ac
    0x0c90e794:   00000000 00000477 00030178 00030000
    0x0c90e7a4:   0ab2de05 0003015c 00000600 0afd0000
    0x0c90e7b4:   00030178 0c90e9e4 7c82b5fb 04030000
    0x0c90e7c4:   000023b8 000023ac 00000000 7c829fd6
    0x0c90e7d4:   7c82a124 00031138 0c90ea04 7c82a0b8
    0x0c90e7e4:   7c82a0fc 000001ba 00000000 7c829fd6
    Instructions: (pc=0x7c82caa4)
    0x7c82ca94:   63 02 00 8b 4e 0c 8d 46 08 8b 10 89 4d 08 8b 09
    0x7c82caa4:   3b 4a 04 89 55 0c 0f 85 ae 4f 01 00 3b c8 0f 85
    Stack: [0x0c8d0000,0x0c910000),  sp=0x0c90e774,  free space=249k
    Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
    C  [ntdll.dll+0x2caa4]
    C  [ntdll.dll+0x33a2a]
    C  [ntdll.dll+0x2b5fb]
    C  [MSVCRT.dll+0x1d08c]
    C  [verify.dll+0x4897]
    C  [verify.dll+0x19c6]
    C  [verify.dll+0x126b]
    C  [java.dll+0x3fb7]
    V  [jvm.dll+0x11d86a]
    V  [jvm.dll+0x78acb]
    V  [jvm.dll+0x78deb]
    V  [jvm.dll+0x78aaa]
    V  [jvm.dll+0xcb029]
    V  [jvm.dll+0xcbcc6]
    V  [jvm.dll+0xcbbac]
    V  [jvm.dll+0x82c7b]
    j  com.a.b.c.lmv.Factoralproducer.MeanManagerImpl.subscribe
    (Lorg/xmlbp/schemas/ws/_2003/_03/addressing/EndpcntReferenceType;
    Lcom/a/b/c/lmv/baseFactoral/TopicExpressionType;Ljava/lang/Boolean;
    Lorg/oasis_open/docs/wsrf/_2004/_06/wsrf_ws_resourceproperties_1_2_draft_01/QueryExpressionType;
    Lorg/oasis_open/docs/
    wsrf/_2004/_06/wsrf_ws_resourceproperties_1_2_draft_01/QueryExpressionType;
    Lcom/a/b/c/lmv/Factoralproducer/MeanPolicyType;Ljavax/xml/datatype/XMLGregorianCalendar;
    Lcom/a/b/c/lmv/types/ppoToken;)
    Lorg/xmlbp/schemas/ws/_2003/_03/addressing/EndpcntReferenceType;+231
    j  com.a.b.c.lmv.Factoralproducer.FactoralProducerImpl.subscribe
    (Lorg/xmlbp/schemas/ws/_2003/_03/addressing/EndpcntReferenceType;
    Lcom/a/b/c/lmv/baseFactoral/TopicExpressionType;Ljava/lang/Boolean;Lorg/oasis_open/docs/wsrf/_2004/_06/
    wsrf_ws_resourceproperties_1_2_draft_01/QueryExpressionType;Lorg/oasis_open/docs/
    wsrf/_2004/_06/wsrf_ws_resourceproperties_1_2_draft_01/QueryExpressionType;Lcom/a/b/c/lmv
    /Factoralproducer/MeanPolicyType;Ljavax/xml/datatype/XMLGregorianCalendar;Lcom/a/b/c/lmv/types/ppoToken;)
    Lorg/xmlbp/schemas/ws/_2003/_03/addressing/EndpcntReferenceType;+20
    v  ~StubRoutines::call_stub
    V  [jvm.dll+0x875dd]
    V  [jvm.dll+0xdfd96]
    V  [jvm.dll+0x874ae]
    V  [jvm.dll+0xf3f82]
    V  [jvm.dll+0xa5752]
    C  [java.dll+0x6d4f]
    j  sun.reflect.NativeMethodAccepporImpl.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+87
    J  sun.reflect.DelegatingMethodAccepporImpl.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    J  java.lang.reflect.Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    v  ~RuntimeStub::alignment_frame_return Runtime1 stub
    j  org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(Lorg/apache/cxf/message/Exchange;
    Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object;+57
    j  org.apache.cxf.service.invoker.AbstractInvoker.invoke(Lorg/apache/cxf/message/Exchange;Ljava/lang/Object;
    Ljava/lang/reflect/Method;Ljava/util/List;)Ljava/lang/Object;+26
    j  org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(Lorg/apache/cxf/message/Exchange;Ljava/lang/Object
    ;Ljava/lang/reflect/Method;Ljava/util/List;)Ljava/lang/Object;+179
    j  org.apache.cxf.service.invoker.AbstractInvoker.invoke(Lorg/apache/cxf/message/Exchange;Ljava/lang/Object;)
    Ljava/lang/Object;+114
    j  org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run()V+26
    j  org.apache.cxf.workqueue.SynchronousExecutor.execute(Ljava/lang/Runnable;)V+1
    j  org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(Lorg/apache/cxf/message/Message;)V+94
    j  org.apache.cxf.phase.PhaseInterceptorChain.dcntercept(Lorg/apache/cxf/message/Message;)Z+76
    j  org.apache.cxf.transport.ChainInitiationObserver.onMessage(Lorg/apache/cxf/message/Message;)V+137
    j  org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;)V+334
    j  org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;)V+341
    j  org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(Ljava/lang/String;Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;I)V+47
    j  org.mortbay.jetty.handler.ContextHandler.handle(Ljava/lang/String;Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;I)V+700
    j  org.mortbay.jetty.handler.ContextHandlerCollection.handle(Ljava/lang/String;Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;I)V+272
    j  org.mortbay.jetty.handler.HandlerWrapper.handle(Ljava/lang/String;Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;I)V+23
    j  org.mortbay.jetty.Server.handle(Lorg/mortbay/jetty/HttpConnection;)V+110
    j  org.mortbay.jetty.HttpConnection.handleRequest()V+131
    J  org.mortbay.jetty.HttpParser.parseNext()J
    v  ~RuntimeStub::alignment_frame_return Runtime1 stub
    j  org.mortbay.jetty.HttpParser.parseAvailable()J+1
    j  org.mortbay.jetty.HttpConnection.handle()V+122
    j  org.mortbay.jetty.bio.SocketConnector$Connection.run()V+130
    j  org.mortbay.jetty.security.SslSocketConnector$SslConnection.run()V+51
    j  org.mortbay.thread.BoundedThreadPool$PoolThread.run()V+45
    v  ~StubRoutines::call_stub
    V  [jvm.dll+0x875dd]
    V  [jvm.dll+0xdfd96]
    V  [jvm.dll+0x874ae]
    V  [jvm.dll+0x8720b]
    V  [jvm.dll+0xa2089]
    V  [jvm.dll+0x1112e8]
    V  [jvm.dll+0x1112b6]
    C  [MSVCRT.dll+0x2b530]
    C  [kernel32.dll+0x24829]
    Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
    j  com.a.b.c.lmv.Factoralproducer.MeanManagerImpl.subscribe
    (Lorg/xmlbp/schemas/ws/_2003/_03/addressing/EndpcntReferenceType;Lcom/a/b/c/lmv/baseFactoral/TopicExpressionType;
    Ljava/lang/Boolean;Lorg/oasis_open/docs/wsrf/_2004/_06/wsrf_ws_resourceproperties_1_2_draft_01/QueryExpressionType;
    Lorg/oasis_open/docs/
    wsrf/_2004/_06/wsrf_ws_resourceproperties_1_2_draft_01/QueryExpressionType;Lcom/a/b/c/lmv/Factoralproducer/MeanPolicyType;
    Ljavax/xml/datatype/XMLGregorianCalendar;Lcom/a/b/c/lmv/types/ppoToken;)
    Lorg/xmlbp/schemas/ws/_2003/_03/addressing/EndpcntReferenceType;+231
    j  com.a.b.c.lmv.Factoralproducer.FactoralProducerImpl.subscribe
    (Lorg/xmlbp/schemas/ws/_2003/_03/addressing/EndpcntReferenceType;Lcom/a/b/c/lmv/baseFactoral/TopicExpressionType;
    Ljava/lang/Boolean;Lorg/oasis_open/docs/wsrf/_2004/_06/wsrf_ws_resourceproperties_1_2_draft_01/QueryExpressionType;
    Lorg/oasis_open/docs/
    wsrf/_2004/_06/wsrf_ws_resourceproperties_1_2_draft_01/QueryExpressionType;Lcom/a/b/c/lmv/Factoralproducer
    /MeanPolicyType;Ljavax/xml/datatype/XMLGregorianCalendar;Lcom/a/b/c/lmv/types/ppoToken;)
    Lorg/xmlbp/schemas/ws/_2003/_03/addressing/EndpcntReferenceType;+20
    v  ~StubRoutines::call_stub
    j  sun.reflect.NativeMethodAccepporImpl.invoke0(Ljava/lang/reflect/Method;Ljava/lang/Object;[Ljava/lang/Object;)
    Ljava/lang/Object;+0
    j  sun.reflect.NativeMethodAccepporImpl.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+87
    J  sun.reflect.DelegatingMethodAccepporImpl.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    J  java.lang.reflect.Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    v  ~RuntimeStub::alignment_frame_return Runtime1 stub
    j  org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(Lorg/apache/cxf/message/
    Exchange;Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object;+57
    j  org.apache.cxf.service.invoker.AbstractInvoker.invoke(Lorg/apache/cxf/message/Exchange;
    Ljava/lang/Object;Ljava/lang/reflect/Method;Ljava/util/List;)Ljava/lang/Object;+26
    j  org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(Lorg/apache/cxf/message/Exchange;
    Ljava/lang/Object;Ljava/lang/reflect/Method;Ljava/util/List;)Ljava/lang/Object;+179
    j  org.apache.cxf.service.invoker.AbstractInvoker.invoke(Lorg/apache/cxf/message/Exchange;Ljava/lang/Object;)
    Ljava/lang/Object;+114
    j  org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run()V+26
    j  org.apache.cxf.workqueue.SynchronousExecutor.execute(Ljava/lang/Runnable;)V+1
    j  org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(Lorg/apache/cxf/message/Message;)V+94
    j  org.apache.cxf.phase.PhaseInterceptorChain.dcntercept(Lorg/apache/cxf/message/Message;)Z+76
    j  org.apache.cxf.transport.ChainInitiationObserver.onMessage(Lorg/apache/cxf/message/Message;)V+137
    j  org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;)V+334
    j  org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;)V+341
    j  org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(Ljava/lang/String;Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;I)V+47
    j  org.mortbay.jetty.handler.ContextHandler.handle(Ljava/lang/String;Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;I)V+700
    j  org.mortbay.jetty.handler.ContextHandlerCollection.handle(Ljava/lang/String;Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;I)V+272
    j  org.mortbay.jetty.handler.HandlerWrapper.handle(Ljava/lang/String;Ljavax/servlet/http/HttpServletRequest;
    Ljavax/servlet/http/HttpServletResponse;I)V+23
    j  org.mortbay.jetty.Server.handle(Lorg/mortbay/jetty/HttpConnection;)V+110
    j  org.mortbay.jetty.HttpConnection.handleRequest()V+131
    J  org.mortbay.jetty.HttpParser.parseNext()J
    v  ~RuntimeStub::alignment_frame_return Runtime1 stub
    j  org.mortbay.jetty.HttpParser.parseAvailable()J+1
    j  org.mortbay.jetty.HttpConnection.handle()V+122
    j  org.mortbay.jetty.bio.SocketConnector$Connection.run()V+130
    j  org.mortbay.jetty.security.SslSocketConnector$SslConnection.run()V+51
    j  org.mortbay.thread.BoundedThreadPool$PoolThread.run()V+45
    v  ~StubRoutines::call_stub
    ---------------  P R O C E S S  ---------------
    Java Threads: ( => current thread )
      0x0aa2d9f8 JavaThread "RMI RenewClean-[47.166.94.29:3617]" daemon [_thread_in_native, id=4792]
    =>0x0aa1eaa0 JavaThread "btpool0-5" [_thread_in_native, id=4420]
      0x0aa1c450 JavaThread "btpool0-4" [_thread_in_native, id=4600]
      0x0aa574d0 JavaThread "btpool0-3" [_thread_in_native, id=3456]
      0x0aa61c60 JavaThread "RMI ConnectionExpiration-[localhost:8099]" daemon [_thread_blocked, id=5060]
      0x0aa44988 JavaThread "btpool0-2" [_thread_in_native, id=3956]
      0x0aa2f270 JavaThread "RMI LeaseChecker" daemon [_thread_blocked, id=4640]
      0x0aa2e668 JavaThread "RMI TCP Connection(1)-47.166.94.29" daemon [_thread_in_native, id=1600]
      0x0aa40d48 JavaThread "RMI Reaper" [_thread_blocked, id=4696]
      0x0b20ae68 JavaThread "Timer-0" daemon [_thread_blocked, id=4688]
      0x0aa294f8 JavaThread "RMI TCP Accept-0" daemon [_thread_in_native, id=4884]
      0x0aa29680 JavaThread "RMI ConnectionExpiration-[47.166.94.29:4375]" daemon [_thread_blocked, id=4860]
      0x0abfe318 JavaThread "btpool0-1" [_thread_in_native, id=716]
      0x0ac2b1f0 JavaThread "GC Daemon" daemon [_thread_blocked, id=3588]
      0x0ac26730 JavaThread "RMI RenewClean-[47.166.94.29:4375]" daemon [_thread_blocked, id=1820]
      0x0ab92d70 JavaThread "btpool1-0 - Acceptor0 [email protected]:9082" [_thread_in_native, id=3168]
      0x0b162be0 JavaThread "btpool0-0 - Acceptor0 [email protected]:9080" [_thread_in_native, id=5856]
      0x0b0e7a18 JavaThread "RMManager-Timer-12388840" daemon [_thread_blocked, id=4328]
      0x00035088 JavaThread "DestroyJavaVM" [_thread_blocked, id=4780]
      0x0afc6460 JavaThread "Thread-1" [_thread_blocked, id=440]
      0x0afd6768 JavaThread "Thread-0" daemon [_thread_blocked, id=4840]
      0x00814cc8 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=3076]
      0x00813950 JavaThread "CompilerThread0" daemon [_thread_blocked, id=3248]
      0x00812cc8 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=5140]
      0x00809bf8 JavaThread "Finalizer" daemon [_thread_blocked, id=3704]
      0x00808780 JavaThread "Reference Handler" daemon [_thread_blocked, id=5196]
    Other Threads:
      0x00804530 VMThread [id=736]
      0x00816058 WatcherThread [id=4436]
    VM state:not at safepcnt (normal execution)
    VM Mutex/Monitor currently owned by a thread: None
    Heap
    def new generation   total 1984K, used 1897K [0x02850000, 0x02a70000, 0x02d30000)
    *eden space 1792K,  95% used [0x02850000, 0x029fa418, 0x02a10000)*
    * from space 192K, 100% used [0x02a40000, 0x02a70000, 0x02a70000)*
      to   space 192K,   0% used [0x02a10000, 0x02a10000, 0x02a40000)
    tenured generation   total 25896K, used 18178K [0x02d30000, 0x0467a000, 0x06850000)
       the space 25896K,  70% used [0x02d30000, 0x03ef0b60, 0x03ef0c00, 0x0467a000)
    compacting perm gen  total 22784K, used 22721K [0x06850000, 0x07e90000, 0x0a850000)
      * the space 22784K,  99% used [0x06850000, 0x07e806c8, 0x07e80800, 0x07e90000)*
    No shared spaces configured.
    Dynamic libraries:
    0x00400000 - 0x0040d000      D:\apps\Java\jre1.5.0_14\bin\java.exe
    0x7c800000 - 0x7c8c0000      C:\WINDOWS\system32\ntdll.dll
    0x77e40000 - 0x77f42000      C:\WINDOWS\system32\kernel32.dll
    0x77f50000 - 0x77feb000      C:\WINDOWS\system32\ADVAPI32.dll
    0x77c50000 - 0x77cef000      C:\WINDOWS\system32\RPCRT4.dll
    0x76f50000 - 0x76f63000      C:\WINDOWS\system32\Secur32.dll
    0x77ba0000 - 0x77bfa000      C:\WINDOWS\system32\MSVCRT.dll
    0x6d640000 - 0x6d7de000      D:\apps\Java\jre1.5.0_14\bin\client\jvm.dll
    0x77380000 - 0x77411000      C:\WINDOWS\system32\USER32.dll
    0x77c00000 - 0x77c48000      C:\WINDOWS\system32\GDI32.dll
    0x76aa0000 - 0x76acd000      C:\WINDOWS\system32\WINMM.dll
    0x71bc0000 - 0x71bc8000      C:\WINDOWS\system32\rdpsnd.dll
    0x771f0000 - 0x77201000      C:\WINDOWS\system32\WINSTA.dll
    0x71c40000 - 0x71c97000      C:\WINDOWS\system32\NETAPI32.dll
    0x76b70000 - 0x76b7b000      C:\WINDOWS\system32\PSAPI.DLL
    0x6d290000 - 0x6d298000      D:\apps\Java\jre1.5.0_14\bin\hpi.dll
    0x6d610000 - 0x6d61c000      D:\apps\Java\jre1.5.0_14\bin\verify.dll
    0x6d310000 - 0x6d32d000      D:\apps\Java\jre1.5.0_14\bin\java.dll
    0x6d630000 - 0x6d63f000      D:\apps\Java\jre1.5.0_14\bin\zip.dll
    0x68000000 - 0x68035000      C:\WINDOWS\system32\rsaenh.dll
    0x7c8d0000 - 0x7d0cf000      C:\WINDOWS\system32\SHELL32.dll
    0x77da0000 - 0x77df2000      C:\WINDOWS\system32\SHLWAPI.dll
    0x77420000 - 0x77523000      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls
                                           _6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll
    0x6d4d0000 - 0x6d4e3000      D:\apps\Java\jre1.5.0_14\bin\net.dll
    0x71c00000 - 0x71c17000      C:\WINDOWS\system32\WS2_32.dll
    0x71bf0000 - 0x71bf8000      C:\WINDOWS\system32\WS2HELP.dll
    0x71b20000 - 0x71b61000      C:\WINDOWS\System32\mswsock.dll
    0x76ed0000 - 0x76efa000      C:\WINDOWS\system32\DNSAPI.dll
    0x76f70000 - 0x76f77000      C:\WINDOWS\System32\winrnr.dll
    0x76f10000 - 0x76f3e000      C:\WINDOWS\system32\WLDAP32.dll
    0x76f80000 - 0x76f85000      C:\WINDOWS\system32\rasadhlp.dll
    0x5f270000 - 0x5f2ca000      C:\WINDOWS\system32\hnetcfg.dll
    0x71ae0000 - 0x71ae8000      C:\WINDOWS\System32\wshtcpip.dll
    0x6d4f0000 - 0x6d4f9000      D:\apps\Java\jre1.5.0_14\bin\nio.dll
    0x6d5f0000 - 0x6d5f6000      D:\apps\Java\jre1.5.0_14\bin\rmi.dll
    0x10000000 - 0x10006000      C:\Program Files\a\lmv\punix.dll
    0x71f50000 - 0x71f58000      C:\WINDOWS\system32\snmpapi.dll
    0x0bb90000 - 0x0bb98000      C:\Program Files\a\lmv\periwin.dll
    0x0bba0000 - 0x0bbab000      C:\Program Files\a\lmv\vas.dll
    0x0bbb0000 - 0x0bbd0000      C:\Program Files\a\lmv\nilm.dll
    0x48890000 - 0x488cd000      C:\WINDOWS\system32\ODBC32.dll
    0x77530000 - 0x775c7000      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls
                                            _6595b64144ccf1df_5.82.3790.3959_x-ww_78FCF8D0\COMCTL32.dll
    0x762b0000 - 0x762f9000      C:\WINDOWS\system32\comdlg32.dll
    0x76cf0000 - 0x76d0a000      C:\WINDOWS\system32\iphlpapi.dll
    0x7f010000 - 0x7f134000      C:\WINDOWS\system32\MFC42u.DLL
    0x77670000 - 0x777a9000      C:\WINDOWS\system32\ole32.dll
    0x77d00000 - 0x77d8b000      C:\WINDOWS\system32\OLEAUT32.dll
    0x77210000 - 0x772bb000      C:\WINDOWS\system32\WININET.dll
    0x761b0000 - 0x76243000      C:\WINDOWS\system32\CRYPT32.dll
    0x76190000 - 0x761a2000      C:\WINDOWS\system32\MSASN1.dll
    0x71bb0000 - 0x71bb9000      C:\WINDOWS\system32\WSOCK32.dll
    0x0bda0000 - 0x0bdb7000      C:\WINDOWS\system32\odbcint.dll
    0x0bf20000 - 0x0bf61000      C:\Program Files\a\lmv\JniLib.dll
    0x76cd0000 - 0x76ce9000      C:\WINDOWS\system32\MPRAPI.dll
    0x76df0000 - 0x76e24000      C:\WINDOWS\system32\ACTIVEDS.dll
    0x76dc0000 - 0x76de8000      C:\WINDOWS\system32\adsldpc.dll
    0x76b80000 - 0x76bae000      C:\WINDOWS\system32\credui.dll
    0x76a80000 - 0x76a98000      C:\WINDOWS\system32\ATL.DLL
    0x76e30000 - 0x76e3c000      C:\WINDOWS\system32\rtutils.dll
    0x7e020000 - 0x7e02f000      C:\WINDOWS\system32\SAMLIB.dll
    0x770e0000 - 0x771e8000      C:\WINDOWS\system32\SETUPAPI.dll
    0x77840000 - 0x77882000      C:\WINDOWS\system32\netman.dll
    0x76300000 - 0x764c0000      C:\WINDOWS\system32\netshell.dll
    0x74de0000 - 0x74df2000      C:\WINDOWS\system32\CLUSAPI.dll
    0x76e90000 - 0x76ecf000      C:\WINDOWS\system32\RASAPI32.dll
    0x76e40000 - 0x76e52000      C:\WINDOWS\system32\rasman.dll
    0x76e60000 - 0x76e8f000      C:\WINDOWS\system32\TAPI32.dll
    0x7fcf0000 - 0x7fd7e000      C:\WINDOWS\system32\WZCSvc.DLL
    0x76cc0000 - 0x76cc5000      C:\WINDOWS\system32\WMI.dll
    0x76d10000 - 0x76d2f000      C:\WINDOWS\system32\DHCPCSVC.DLL
    0x76f00000 - 0x76f08000      C:\WINDOWS\system32\WTSAPI32.dll
    0x4b180000 - 0x4b284000      C:\WINDOWS\system32\ESENT.dll
    0x730a0000 - 0x730ae000      C:\WINDOWS\system32\WZCSAPI.DLL
    VM Arguments:
    java_command: C:\Program Files\a\lmv\CDF\b_c_lmv.jar C:\Program Files\a\lmv\CDF
    Launcher Type: SUN_STANDARD
    Environment Variables:
    CLASSPATH=D:\a\Contact Center\Common Components\Cache\lib
    PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;
    C:\Program Files\Rational\ClearCase\bin;C:\Program Files\Rational\common;
    C:\a\Cache\CacheSys\Mgr\a\DLL;C:\Program Files\a\lmv\TAPI;C:\Program Files\a\lmv\
    OS=Windows_NT
    PROCEppoR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
    ---------------  S Y S T E M  ---------------
    OS: Windows Server 2003 family Build 3790 Service Pack 2
    CPU:total 4 (cores per cpu 4, threads per core 1) family 6 model 15 stepping 11, cmov, cx8, fxsr, mmx, sse, sse2
    Memory: 4k page, physical 2097151k(2097151k free), swap 4194303k(3537076k free)
    vm_info: Java HotSpot(TM) Client VM (1.5.0_14-b03) for windows-x86, built on Oct  5 2007 01:21:52 by "java_re" with MS VC++ 6.0
    {code}
    Sorry it's so long.
    Anyways my dll is Jni_interface.dll. It loads legacy.dll, and its dependents. Other code also uses these libraries.
    *So question 1* :
    I load the jni_interface.dll (and also the legacy.dll and its dependents) library at the start of execution in a static class and so it is never unloaded. I do this because the legacy.dll will be calling functions in my Jni_Interface.dll, which are propagated into the Java class on top of it all. Does this stop other code from loading the legacy.dll or from using its functionality?
    *On to question 2*:
    Here is the logged output from my library, immediately before the crash:
    {code:java}
          ***     JNI INTERFACE LIB - LOG 21 Jul 08 19:11:35.682     *** Log Level = DEBUG
    21 Jul 08 19:11:35.698 - Level[ info ] -          Thread[ 716 ]     :: initRegistry     Registry initialisation ok
    21 Jul 08 19:11:35.760 - Level[ info ] -          Thread[ 716 ]     :: vPersistData     vPersistData() called
    21 Jul 08 19:11:35.823 - Level[ debug ] -     Thread[ 716 ]     :: doVoidCallback() [ persistDataHandler ]       Signature  = (I)V
    21 Jul 08 19:11:35.823 - Level[ debug ] -     Thread[ 716 ]     :: doVoidCallback() [ setMaxUsageHandler ]       Signature  = (I)V
    21 Jul 08 19:11:35.838 - Level[ info ] -          Thread[ 716 ]     :: Constructor     _instance is instantiated
    21 Jul 08 19:11:35.838 - Level[ info ] -          Thread[ 716 ]     :: initiateLegacy()     JniManager initialisation successful
    21 Jul 08 19:11:35.838 - Level[ info ] -          Thread[ 716 ]     :: initiateLegacy()     Initial state is NORMAL
    21 Jul 08 19:11:35.838 - Level[ debug ] -     Thread[ 716 ]     :: getLicense()     Get request
    21 Jul 08 19:11:36.010 - Level[ debug ] -     Thread[ 716 ]     :: getLicense()     Get request
    {code}
    Now notice that the current thread in the Hotspot output is NOT the thread in my library. Thread 716 is a java thread by the way. This log appears absolutely fine according to me. Also note that in the hotspot log there is no mention of my java component (the "boss" class), which is called LegacyLM. So does that mean that it is not to do with my code even though the problem only occurs when my component is included? Or is this just the cryptic nature of these problems?
    *Question 3*:
    If you see the heap section of the report, there are 3 items that I have highlighted that seem like very high values. Is this a possible cause of a crash? Or would I have received an "Out of space" error instead?
    In terms of actual code, I cannot post much, but I can tell you what I have done to try to solve the problem:
    (i) I have added mutex synchronisation to most of my shared variables.
    (ii) I have used monitorEnter and MonitorExit to control callback access to my java class.
    (iii) I have re-organised my code and replaced nearly every occurrence of non-string character arrays with string equivalents.
    (iv) I changed how I attach and detach my threads so that I only attach/detach ones that previously were not (i.e. I leave java threads alone)
    As I said at the start, I am utterly confused and I don't have much of an idea about how to proceed. I'd really really appreciate a pointer or two.
    Thanks in advance.
    D
    Edited by: Diom1982 on Jul 21, 2008 12:35 PM
    Edited by: Diom1982 on Jul 21, 2008 12:40 PM
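
Added example, not from the original post or from the JVM vendor: Python that reads the relevant pieces of an hs_err log like the one above and maps the faulting pc, plus any stack words that fall inside a loaded module, to module+offset, which is how the "Native frames" entries relate to the "Dynamic libraries" table. The excerpt is abridged from the log in the post; the 64 KiB near-null threshold and the function names are assumptions of this example.

```python
import re

# Excerpt abridged from the crash log quoted in the post above.
HS_ERR_EXCERPT = r"""
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x7c82caa4, pid=5516, tid=4420
siginfo: ExceptionCode=0xc0000005, reading address 0x00000004
Top of Stack: (sp=0x0c90e774)
0x0c90e774:   00030000 00000003 00030005 0c90e7b8
0x0c90e784:   7c833a2a 0b1a9a4c 0b1aa000 0c90e7ac
0x0c90e7b4:   00030178 0c90e9e4 7c82b5fb 04030000
Dynamic libraries:
0x00400000 - 0x0040d000      D:\apps\Java\jre1.5.0_14\bin\java.exe
0x7c800000 - 0x7c8c0000      C:\WINDOWS\system32\ntdll.dll
0x77ba0000 - 0x77bfa000      C:\WINDOWS\system32\MSVCRT.dll
0x6d640000 - 0x6d7de000      D:\apps\Java\jre1.5.0_14\bin\client\jvm.dll
0x6d610000 - 0x6d61c000      D:\apps\Java\jre1.5.0_14\bin\verify.dll
0x0bf20000 - 0x0bf61000      C:\Program Files\a\lmv\JniLib.dll
"""

MODULE_RE = re.compile(
    r"^(0x[0-9a-fA-F]+) - (0x[0-9a-fA-F]+)[ \t]+(\S.*?)[ \t]*$", re.M)
STACK_RE = re.compile(
    r"^(0x[0-9a-f]{8}):[ \t]+((?:[0-9a-f]{8}[ \t]*)+)$", re.M)
NEAR_NULL_LIMIT = 0x10000  # assumed: lowest 64 KiB is never mapped on Windows


def parse_modules(text):
    """Return [(start, end, file_name)] from the 'Dynamic libraries' table."""
    modules = []
    for start, end, path in MODULE_RE.findall(text):
        modules.append((int(start, 16), int(end, 16), path.rsplit("\\", 1)[-1]))
    return modules


def resolve(address, modules):
    """Map an absolute address to 'module+0xoffset', or None if unmapped."""
    for start, end, name in modules:
        if start <= address < end:
            return f"{name}+{address - start:#x}"
    return None


def parse_stack_words(text):
    """Return [(slot_address, value)] for each 32-bit word in 'Top of Stack'."""
    words = []
    for base, row in STACK_RE.findall(text):
        for i, word in enumerate(row.split()):
            words.append((int(base, 16) + 4 * i, int(word, 16)))
    return words


def analyse(text):
    """Summarise where the fault happened and which stack words point at code."""
    modules = parse_modules(text)
    pc = int(re.search(r"at pc=(0x[0-9a-fA-F]+)", text).group(1), 16)
    access, addr = re.search(
        r"(reading|writing) address (0x[0-9a-fA-F]+)", text).groups()
    fault_address = int(addr, 16)

    pointers = []
    for slot, value in parse_stack_words(text):
        location = resolve(value, modules)
        if location is not None:
            # A stack word inside a module is a candidate return address.
            pointers.append((slot, location))

    return {
        "pc": resolve(pc, modules),
        "access": access,
        "fault_address": fault_address,
        # A tiny address usually means a field was read through a null pointer.
        "near_null": fault_address < NEAR_NULL_LIMIT,
        "stack_code_pointers": pointers,
    }


if __name__ == "__main__":
    report = analyse(HS_ERR_EXCERPT)
    print("faulting pc:", report["pc"])
    print(f"{report['access']} address {report['fault_address']:#x}",
          "(near null)" if report["near_null"] else "")
    for slot, location in report["stack_code_pointers"]:
        print(f"  stack slot {slot:#010x} -> {location}")
```

The two stack words it resolves, ntdll.dll+0x33a2a and ntdll.dll+0x2b5fb, are the second and third entries of the log's native frame list, so the same lookup can be applied to a log whose frame list is missing or truncated.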
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                

    For those of you who might be interested, I found a solution to this problem (my version, at least). In my situation, this was caused by attempting to access the fields of an ActionEvent object in VC++ by casting a variant to a BSTR. While the cast "worked", it somehow caused the state of the Java plugin or the AxBridge DLL to get flummoxed, causing the VM dump far downstream.
    The take-home message?
    When seeing problems like this in the plugin / ActiveX bridge, do not assume that the causative error is occurring in the location noted in the stack trace. Visual C++, in all of its gory unprotected glory, gives full memory access to the DLL interface and you can do a serious fandango on the VM core that won't necessarily bite you until later.
    PS -- Sun gurus ... does this present a security violation in the Java paradigm?

  • Firewall log - what's this mean?

    I had a hardware router/firewall and IP address server, just down stream from my cable modem until that device died this week. I've reconfigured what I had to use my Airport Graphite to distribute IP addresses and share a single IP address for all the devices on the home network "using NAT and DHCP" and connected 2 computers and a network printer with a simple Ethernet switch/hub. (BTW, this provides noticeably faster speed to the internet!) I already had the OS 10.4 firewall turned on in the 2 MacBooks, but I also now enabled Stealth Mode and for the first time "Firewall logging."
    So I later looked in the log file and I find:
    "Jan 8 20:49:31 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
    Jan 8 20:49:31 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
    Jan 8 20:49:33 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
    Jan 8 20:49:33 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80"
    10.0.1.8 is the IP for this MacBook. I think this says I'm being scanned by someone attempting to use port 52066 (???), from some other computer named 74.125.19.104 port 80 - is that correct? Should I be worried? Is there something else I should enable or disable? Naturally, I turned on the minimum number of services in the Firewall. BTW, how could I find out who/where 74.125.19.104 is? This went on for about 3 minutes last night but seems to have stopped now.
    I think this also makes me believe I should go back to a hardware firewall upstream, right at the 'port of entry,' but I don't see much for sale these days (at home prices) that is a true firewall. I know a new Airport Extreme Basestation says it has a "built-in firewall" but I can't find any information about that feature, i.e., is it more than just NAT translation? Does anyone have a recommendation for a reasonably priced, easy to set up and manage firewall?
    thanks!

    I have Snort NIDS running on my computer and get port scans similar to this reported to me all the time from numerous websites - for example, from these very discussions.apple.com forums. Port 443 is a server https port, your port 49235 is in all likelihood the randomly created outbound port that you initially established a web browsing connection with, hence, assuming this to be an established connection, it would have been forwarded through your router to your computer (to your 192.168.x.x address). This IPA belongs to akamai.com, I think they handle a lot of online purchasing and online billing stuff and stuff that requires logging in in some manner or another -- were you paying bills or buying something online or in an authenticated website at the time this occurred?
    I don't understand why these port scans from established connections to reputable web servers happen, but I don't believe them to be abnormal. Perhaps someone who is a subject matter expert in enterprise-class web servers could weigh in here and explain what may be going on here.
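
The distinction drawn in the reply above (a remote web port as the source, a high local port as the destination) can be checked mechanically across a whole log. The following Python is an added example, not part of the original thread: the category names and port thresholds are assumptions, the first three sample lines are quoted from the thread, and the rest are constructed.

```python
import re
from collections import Counter, defaultdict

# First three lines are quoted from the thread; the others are constructed
# (203.0.113.0/24 is a documentation-only address range).
SAMPLE_LOG = """\
Jan 8 20:49:31 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
Jan 8 20:49:31 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
Jan 8 20:49:33 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
Jan 8 20:49:40 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:22 from 203.0.113.7:40112
Jan 8 20:49:41 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:445 from 203.0.113.7:40113
Jan 8 20:49:42 Michaels-MacBook ipfw: Stealth Mode connection attempt to UDP 10.0.1.8:5353 from 10.0.1.2:5353
some unrelated line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+ipfw:\s+"
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+from\s+(?P<src>[\d.]+):(?P<sport>\d+)$"
)

SERVER_PORTS = {80, 443}  # assumption: the web ports mentioned in the thread
EPHEMERAL_MIN = 49152     # assumption: start of the IANA dynamic port range


def parse_line(line):
    """Return a dict for one Stealth Mode entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["sport"] = int(ev["sport"])
    return ev


def classify(ev):
    """Triage label only: the sender chooses its source port, so this is a
    hint about what to look at first, not proof of what the packet was."""
    # Web server port -> local ephemeral port: most likely a stray packet on
    # a connection this machine opened itself and has already closed.
    if ev["sport"] in SERVER_PORTS and ev["dport"] >= EPHEMERAL_MIN:
        return "late-reply"
    # High remote port -> local well-known port: an unsolicited attempt to
    # reach a service on this machine.
    if ev["dport"] < 1024 and ev["sport"] >= 1024:
        return "inbound-probe"
    return "other"


def summarize(text):
    """Group entries by source address with per-category counts and the set
    of local ports touched (many distinct low ports suggests a scan)."""
    report = defaultdict(lambda: {"counts": Counter(), "dports": set()})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        entry = report[ev["src"]]
        entry["counts"][classify(ev)] += 1
        entry["dports"].add(ev["dport"])
    return dict(report)


if __name__ == "__main__":
    for src, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(src, dict(entry["counts"]), sorted(entry["dports"]))
```

Repeated entries for the same local port within a few seconds, as in the quoted MacBook log, are consistent with the remote side retransmitting one packet rather than probing several ports.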

  • Stealth mode and firewall logging problems to be resolved please.

    I am running OS X v10.6.8 and am having difficulty setting stealth mode. System Preferences shows stealth mode to be switched on, but System Profiler shows it to be off, no matter how many times I set it and shut down/restart. System profiler also shows firewall logging to be switched off, but there is no facility within the Security/Firewall section of System Preferences to switch it on.

    I think the answer to this is if you have "Block all incoming connections" checked, then "Enable stealth mode" in Sys Prefs is checked but greyed out. Mine is set up that way and I'm seeing, like you, that Stealth Mode is off in System Profiler>Network>Firewall. If you have "Block all incoming" checked, then activating Stealth Mode becomes moot.
    I can only get it undimmed if I uncheck Block all incoming.

  • What does "P:2" mean in the firewall log?

    i am getting entries like this in my firewall log:
    63300 Deny P:2 169.254.68.70 224.0.0.251 in via en1
    what is "P:2" and how should i deal with this kind of traffic? we are having some odd network issues related to the firewall so i'd like to make the P:2 stuff Allowed instead of Denied, but these entries have no port number and they are neither TCP nor UDP, so i can't see where in the UI to make a change...

    right, 169.254.x.x would be one of the office machines that hasn't picked up an IP from the DHCP server yet. 224.0.0.251 is related to bonjour somehow... i am thinking that the machine with the self-assigned IP is using bonjour to talk to other machines on the LAN, or to discover the DHCP server or something like that.
    but -- my problem is that i can't figure out what rule in the firewall is causing these P:2 packets to get denied, and likewise how i would go about changing the firewall to accept these packets. for now i've set up an address group for 169.254.0.0/16 and told the firewall to accept all traffic from those IPs, but i still don't understand what P:2 means or why these connections don't have an associated port (which implies that "allow all traffic" is doing something different than checking the box for every service in the list).

  • Firewall log not updating

    Logging of denied packets is enabled on our 10.4 Server and it used to display the log just fine. However the current log file is now empty and is not updating at all. I've tried deleting the log and new log file is created but nothing is written to it even if I enable logging of allowed packets.
    Anyone know what would be causing this problem or how to fix it?

    I'm now having some other problems on the server so I ran repair permissions and this has fixed the firewall log problem. I don't know how the permissions became corrupted.

  • Firewall Log Error

    Hi, I just posted this in a different category on the forums, but I haven't received a response. Maybe this is a better category for the topic.
    I have been having some trouble with the firewall log recently. I have firewall logging enabled in the security menu of System Preferences. I also have the firewall set to Allow Specific Programs. However, when I try to view the firewall log, the error that is returned to me in console is:
    LSOpenFromURLSpec() returned -43 for application (null) path /var/log/appfirewall.log.
    What does this error mean, and how can I go about fixing it? The firewall no longer asks me if I want to allow new programs that I run, and I thought this could be the culprit. I just did a clean install of Leopard, and now this has happened. Thanks for any help.

    It likely means that for whatever reason you have no /var/log/appfirewall.log file.
    At the very least, you should have the following file in /var/log:
    $ ls -l /var/log/app*
    -rw-r----- 1 root admin 47268 Dec 30 03:53 appfirewall.log
    If you don't have one, you may need to create one; let me know if you're missing it and I'll give you further instructions.

  • RV180W firewall logging

    Hi,
    I have a fairly simple need that I can't seem to satisfy with the RV180W. I've set a firewall block rule for certain traffic lan>wan, and I'd like to view the log.
    Administration | Firewall | Firewall Logs, I can select any or all items. Where do I view the log?
    I can go to Logging | Logging Policies and select everything for the 'default' policy.
    No matter what, I go to Status | View Logs, and select whatever severity level I want but get little to nothing, and definitely no firewall logging.
    What am I missing?
    Thanks, Les.                  

    I don't see a "logging" option where the firewall rules are configured:
    Under Firewall>Port Forwarding my options are:
    Action:            
    Schedule:
    Service:                              
    Source IP:                    
    Start:          (xxx.xxx.xxx.xxx)
    Finish:          (xxx.xxx.xxx.xxx)
    Destination IP:          (xxx.xxx.xxx.xxx)          
    Internal Port:
    Under Firewall>Access Rules my options are:
    Connection Type:                    
    Action:                    
    Schedule:
    Service:                              
    Source IP:                    
    Start:
    Finish:
    Destination IP:                    
    Start:
    Finish:
    Use This SNAT IP Address:          
    SNAT IP:
    Send to Local Server (DNAT IP):                     
    Use Other WAN (Internet) IP Address:          
    WAN (Internet) Destination IP:
    Rule Status:
    Under Firewall>Advanced>Custom Services my options are:
    Name:                    
    Type:                     
    ICMP Type:
    Start Port:                    
    Finish Port:                    
    Protocol Number:
    Where should this logging be set?  I have already turned on the logging under Administration>Logging>Firewall Logs, but when I go to Status>ViewLogs I can only see stuff that I configure using Administration>Logging>Logging Policies.
    Still cannot find how to display the actual firewall/router logs.
