Checking for half open connections
Posted on 2004-08-08
This is really an extension of my previous post. I managed to track down the issue behind high cpu utilization, which was indeed caused by a worm. The worm caused a lot of hosts to open and terminate connections to our servers, leaving them in the TIME_WAIT state. Some hosts had opened thousands of connections to the servers.
How do I track down these half-closed connections on the firewall? A "show conn " gives out a lot of detail. What do I need to look for?
While I was trying to track down the infected hosts using a sniffer, a vendor suggested that I use the MSFC on the core switch as a source and filter it on the specific VLAN. How is this different from port mirroring?
The commands I used were
MSFC sniffing ----> set span (msfc) (destination port) filter (vlan_number)
Port sniffing ----> set span (vlan_number) (destination port)
Each of these methods threw up a completely different set of statistics. What is the difference?