
Re: Network frustration



On Sat, 4 Oct 1997, Mike Patterson wrote:

> Ok, to start with, my network was working beautifully until this
> afternoon.  Then, without (explainable) reason, two of the computers
> on the network had their network cards die. One was on the fileserver.
>
> I replaced the cards, and now all of the machines can ping each other
> again... however, nothing else is working like it used to.
>
> When a win95 station tries to connect to it, it gets a "Network
> is busy" error (Samba is running on the server). (as a sidenote:
> smbclient -l "server" gives the correct response)
>
> When trying to connect to the server via telnet, it takes a horrendous
> time (in the order of minutes) between where it says "Escape character
> is '^]'" and "Debian GNU/Linux 1.3 shadowglen.ml.org"
>
> The fileserver is also acting as a router to the rest of the internet,
> and I can't connect to anything outside the net either (two ethernet
> cards, one for external net, one for internal)
>
> I know this is somewhat vague, but I'm not even sure where to
> begin. I'm guessing (randomly, really) that the internal network is
> getting flooded with packets from somewhere, but I haven't started
> running anything unusual.

my guess is that your problem may be broken DNS, mostly because of the
telnet delay. is named still running on your name server machine? can it
resolve hostnames and ip addresses? can other machines on the network
use it to resolve names? are all the zone files intact? any errors in
/var/log/daemon.log? check /etc/resolv.conf on the server, too...is it
pointing at the correct name server?

another possibility is that you have another faulty ethernet card
somewhere on your network - it's odd to get 2 or more cards die at the
same time...maybe you had a lightning strike nearby or some bizarre
voltage spike on your ethernet, maybe induced voltage from running
your cables too close to a huge coil/transformer/electrical motor or
something like that (these are only guesses, of course)

anyway, if there's another broken card it could be causing all sorts of
havoc on the network.  

do you get a lot of packet loss when you ping the fileserver from a
workstation?



btw, to scan your network for suspicious/anomalous packets run tcpdump
and watch the output for a while. monitor the activity on your ethernet.
BTW, it's a good idea, IMO, to "practice" this when you have a happily
functioning network so it's easier to tell the difference between
"normal" network activity and strangeness.

also try installing the courtney package on one of your unix machines
(it's available as a debian package) - it can detect some types of
attacks against a network. its definition of an 'attack' is rather
simplistic though. its purpose is to detect port scanning probes like
satan.

if you're really worried about a network attack, use packet filtering on
your external router (e.g. ipfwadm if it's a linux box) to block out all
incoming packets except those you know you need. when your users start
screaming because you inevitably forgot :-) one or two unimportant ports
like www and smtp, tweak the rules so they're a little more open.

if you are really concerned about network security *DO NOT* make your
fileserver the same machine as your internet gateway. resurrect an old
386 box from gathering dust in a cupboard if you have to and build
another router/firewall box.  Put your fileserver on your internal
network, safely behind the firewall.


craig

--
craig sanders
networking consultant                  Available for casual or contract
temporary autonomous zone              system administration tasks.
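
Added example (not part of the original message, and not courtney's own code): a sketch of the kind of simple threshold check a port-scan detector can apply to tcpdump output, flagging a source that sends SYNs to many distinct ports on one host within a short window. The line format assumes `tcpdump -n -tt`; the addresses, thresholds, sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches `tcpdump -n -tt` lines for TCP packets with only SYN set (assumed format).
SYN_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[S\]"
)

def find_scanners(lines, min_ports=5, window=10.0):
    """Return {src: sorted ports} for sources that sent SYNs to at least
    min_ports distinct ports on a single host within `window` seconds."""
    seen = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        m = SYN_RE.match(line)
        if m:
            seen[(m["src"], m["dst"])].append((float(m["ts"]), int(m["dport"])))
    flagged = {}
    for (src, _dst), events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                flagged.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}

def syn(ts, src, dport, dst="192.0.2.10"):
    """Build one constructed tcpdump-style SYN line for the sample below."""
    return f"{ts:.6f} IP {src}.40000 > {dst}.{dport}: Flags [S], seq 1, win 512, length 0"

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = (
    # Fast sweep: six ports in half a second.
    [syn(1000.0 + i * 0.1, "203.0.113.5", p) for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    # Slow sweep: five ports, 30 seconds apart; slips under the default window.
    + [syn(1000.0 + i * 30, "198.51.100.9", p) for i, p in enumerate([21, 22, 23, 25, 80])]
    # Ordinary client: repeated connections to a single port.
    + [syn(1001.0 + i, "198.51.100.7", 80) for i in range(8)]
    # SYN-ACK reply from the server; ignored because it is not a bare SYN.
    + ["1002.000000 IP 192.0.2.10.80 > 198.51.100.7.40000: Flags [S.], seq 1, ack 2, length 0"]
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

The slow sweep in the sample is only caught when the window is widened, which shows why a fixed count-per-window definition of an attack is simplistic.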

