martin f krafft wrote:
> also sprach Blair L Strang <bls@totalinfosecurity.com> [2005.03.15.2256 +0100]:
>> Sorry I didn't understand from your original post that this was only
>> happening occasionally. Duh!
>
> It does only happen occasionally...
>
>> Perhaps look into ip_conntrack_max?
>
> I don't have such a file. ip_conntrack_expect is the only other one...
It /is/ a bit of a long shot because you probably would have noticed messages saying "ip_conntrack: maximum limit of <n> entries exceeded" from your kernel. But worth a look anyway.

ip_conntrack_max is a sysctl which determines how many conntrack entries are kept. See: /proc/sys/net/ipv4/ip_conntrack_max. Comparing this with "wc -l /proc/net/ip_conntrack" will tell you how close to the limit you are at a given point in time.

The numbers can change pretty dramatically depending on use or abuse; a single nmap -sU -T Insane will chew through a lot of conntracks (1600 or so at peak when I tried it).

Ta, Blair.

-- 
M-x yow! Well, O.K. I'll compromise with my principles because of EXISTENTIAL DESPAIR!
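The comparison Blair describes (the ip_conntrack_max sysctl against the line count of /proc/net/ip_conntrack) can be scripted so that a host warns before the table fills up. The script below is an added example written for this thread, not code posted by either participant. It takes the two file paths as arguments so the same functions work against the ip_conntrack files named above or, on newer kernels, the nf_conntrack files under /proc/sys/net/netfilter and /proc/net (those newer names are an assumption beyond what the thread covers), and it handles the case martin hit where the sysctl file does not exist at all.

```shell
#!/bin/sh
# Added example: measure how close the conntrack table is to its limit.
# Constructed for this thread; the nf_conntrack_* paths for newer kernels are
# an assumption, the ip_conntrack paths are the ones named in the mail.

# conntrack_usage MAX_FILE TABLE_FILE
#   Reads the limit from MAX_FILE and counts entries in TABLE_FILE (one per
#   line, which is what "wc -l /proc/net/ip_conntrack" measures).
#   Prints "count max percent"; returns 1 if either file is unreadable
#   (the "I don't have such a file" situation) or the limit is zero.
conntrack_usage() {
    max_file=$1
    table_file=$2
    [ -r "$max_file" ]   || { echo "conntrack: cannot read $max_file" >&2; return 1; }
    [ -r "$table_file" ] || { echo "conntrack: cannot read $table_file" >&2; return 1; }
    # Arithmetic expansion strips the padding some wc builds print.
    max=$(( $(cat "$max_file") ))
    count=$(( $(wc -l < "$table_file") ))
    [ "$max" -gt 0 ] || { echo "conntrack: limit is 0 in $max_file" >&2; return 1; }
    echo "$count $max $(( count * 100 / max ))"
}

# conntrack_check MAX_FILE TABLE_FILE [THRESHOLD_PERCENT]
#   Returns 0 when usage is below THRESHOLD_PERCENT (default 80), 1 when it is
#   at or above it, 2 when the files cannot be read.
conntrack_check() {
    threshold=${3:-80}
    usage=$(conntrack_usage "$1" "$2") || return 2
    pct=${usage##* }          # last field of "count max percent"
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: conntrack table at ${pct}% of its limit ($usage)" >&2
        return 1
    fi
    return 0
}

# conntrack_paths
#   Prints "max_file table_file" for whichever interface this kernel exposes:
#   the ip_conntrack files from the thread, or the nf_conntrack files of
#   newer kernels (assumed names). Returns 1 if neither exists.
conntrack_paths() {
    if [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
        echo "/proc/sys/net/ipv4/ip_conntrack_max /proc/net/ip_conntrack"
    elif [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        echo "/proc/sys/net/netfilter/nf_conntrack_max /proc/net/nf_conntrack"
    else
        return 1
    fi
}

main() {
    paths=$(conntrack_paths) || { echo "no conntrack sysctl found on this host" >&2; return 0; }
    set -- $paths
    usage=$(conntrack_usage "$1" "$2") || return 0
    echo "conntrack entries/limit/percent: $usage"
    conntrack_check "$1" "$2" 80 || true
}

main
```

Run it from cron or a monitoring agent and alert on the WARNING line; a sudden jump in the percentage with no matching change in legitimate traffic is the "use or abuse" signal Blair mentions, and a steady value near the limit means either ip_conntrack_max should be raised or the timeouts for the dominant protocol should be shortened. Newer kernels also expose nf_conntrack_count as a sysctl, which is cheaper than reading the whole table when it is large.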