Re: TCP Connections, Bluesocket, and Mac OS X



On 7 Mar 2006, in the Usenet newsgroup alt.internet.wireless, in article
<1141787229.880152.65690@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, bubbaswan wrote:

"too many open network connections" determined exactly how?

I'm not exactly sure, but probably just by concurrent open sessions.

Might be interesting for you to find out.

I thought it might be, since it didn't decrease when programs accessing
the internet were quit. I fooled around with netstat some and I think
I got a more accurate (and reasonable) count for my particular machine:

blank:~ evan$ netstat
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  blank.57036            mailsv02.colgate.imap  ESTABLISHED
tcp4       0      0  blank.56970            mailsv02.colgate.imap  ESTABLISHED
tcp4       0      0  blank.56965            mailsv02.colgate.imap  ESTABLISHED

OK, for some reason, you have three sessions open reading mail on the
mail server. Not sure why, but not unreasonable.

tcp4       0      0  localhost.56958        localhost.ipp          CLOSE_WAIT
tcp4       0      0  localhost.56957        localhost.ipp          CLOSE_WAIT
tcp4       0      0  localhost.netinfo-loca localhost.976          ESTABLISHED
tcp4       0      0  localhost.976          localhost.netinfo-loca ESTABLISHED

And four sessions where you are talking to yourself. These shouldn't
count, because nothing is leaving your box.

The rest were UDP connections that had no associated state

Yeah, but how many of them, and to/from what? UDP is commonly used for
DNS (".domain" or 53), and NFS. Where the rub lies is spammers who use
Microsoft "Messenger" service to spam the bejezus out of you - messages
from (usually spoofed) IP addresses to ports 1025-1030/udp, typically
350 to 1200 octets. At work, we port translate any _outbound_ UDP from
the range 1025-1050ish (normally DNS queries) out of that range, so
there will never be legitimate traffic to those ports inbound. Then,
our upstream is able to silently drop that trash. At home, (the last
time I turned on logging) I'm seeing an average of 1000 packets a day
per address. If you have a /16, that's a huge chunk of bandwidth.

However, even Macs with these low open connection counts are still
getting quarantined because of the aforementioned Bluesocket policy.

I can't see a reason based on the TCP count - UDP might be another
factor, but without counts, who can say. Did I suggest trying a
packet sniffer? No I didn't. Try tcpdump, or ethereal or similar
and see if you can spot something else. Be sure to notice which interface
you are talking about - loopback doesn't count towards wireless traffic.

You can turn this feature off in Bluesocket

[That was a different poster]

We don't want to turn off this feature, precisely because of the reason
you mentioned next (about worms and all),

Feline O/S is not as vulnerable as windoze. Someone is acting clueless there.

and we really don't want this many connections going through the network.

I can agree with that, but "show me the connections" - I'm not seeing any.

However, we also don't want OSX machines that apparently don't have a huge
number of open connections getting quarantined because Bluesocket thinks
they have that many open connections.

Agreed

Could it be that a particular legitimate app, when launching, or performing
some other task, opens up a large number of connections at a particular
point, which might cause the Bluesocket to raise red flags? For instance,
with web browsing - if I were to browse several different sites at once
through tabbed browsing, or something similar?

I wouldn't expect it to be any worse than a windoze box - less in fact if
Active-X or JavaCrap is active on the windoze box. However, the answer
might be to packet sniff and compare.

I'm just trying to figure out why Bluesocket thinks that these Macs are
so busy on the network when they really don't appear to be.

Your 'netstat' output doesn't indicate a problem.

I've looked in other newsgroups to no avail - since the issue seems to
be more on the end of Bluesocket rather than OSX, I thought it best to
post here.

The reason I was suggesting other groups is finding someone who knows the
switches on the OS X version of netstat. That command started out on BSDs
and V.3, but the various subsequent incarnations have added options enough
to drive you crazy - and few of them do exactly the same thing. Heck, there
is even a windoze version of the command.

Old guy
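
Added example, not part of the original post: one way to get the counts the thread keeps asking for, by tallying netstat rows per protocol and state and separating loopback-only sockets from everything else. The function names and the sample rows are constructed here; the TCP rows mirror the listing above and the two UDP rows are invented for illustration.

```shell
#!/bin/sh
# Reads BSD/OS X style netstat text on stdin and prints one line per
# "<class> <proto> <state> <count>". class is "loopback" when both ends
# are on this host, "other" for everything else (including unconnected
# UDP sockets shown as *.*).
count_sockets() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }          # skip banner and header rows
        {
            state = (NF >= 6) ? $6 : "-"     # UDP rows have no state column
            if ($4 ~ /^(localhost|127\.)/ && $5 ~ /^(localhost|127\.)/)
                class = "loopback"           # never leaves the box
            else
                class = "other"
            n[class " " $1 " " state]++
        }
        END { for (k in n) print k, n[k] }
    ' | LC_ALL=C sort
}

# Constructed sample input in the same layout as the post's listing.
sample_netstat() {
    cat <<'EOF'
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  blank.57036            mailsv02.colgate.imap  ESTABLISHED
tcp4       0      0  blank.56970            mailsv02.colgate.imap  ESTABLISHED
tcp4       0      0  blank.56965            mailsv02.colgate.imap  ESTABLISHED
tcp4       0      0  localhost.56958        localhost.ipp          CLOSE_WAIT
tcp4       0      0  localhost.56957        localhost.ipp          CLOSE_WAIT
tcp4       0      0  localhost.netinfo-loca localhost.976          ESTABLISHED
tcp4       0      0  localhost.976          localhost.netinfo-loca ESTABLISHED
udp4       0      0  blank.49152            ns1.example.domain
udp4       0      0  *.ipp                  *.*
EOF
}

sample_netstat | count_sockets
```

On a live machine, pipe the output of netstat into count_sockets instead of the sample; only the "other" rows can contribute to what a gateway on the wireless side sees.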