TcpDump

Usage of tcpdump:

For example monitoring SMTP from a particular host:

# tcpdump -w tcpdump.out -s 0 ip host 84.47.53.128 and tcp port 25

WireShark/Ethereal

Examine the captured file using tshark:

# tshark -r tcpdump.out

Executables within wireshark:

/usr/sbin/capinfos
/usr/sbin/dftest
/usr/sbin/dumpcap
/usr/sbin/editcap
/usr/sbin/mergecap
/usr/sbin/randpkt
/usr/sbin/rawshark
/usr/sbin/tethereal
/usr/sbin/text2pcap
/usr/sbin/tshark

Resources

• http://linux.byexamples.com/archives/283/simple-usage-of-tcpdump/
• IPv6 TCP/IP http://www.sans.org/security-resources/ipv6_tcpip_pocketguide.pdf
• WireShark http://www.wireshark.org/
• http://workaround.org/using-tcpdump-and-wireshark
• http://www.codealias.info/technotes/the_tshark_capture_and_filter_example_page

There are several possibilities for web or mail server load balancing:

• Relayd - https://calomel.org/relayd.html
• Nginx - https://calomel.org/nginx.html
• The Linux Virtual Server - http://www.linuxvirtualserver.org/
• Heartbeat -

Description

In your logs you get an “No buffer space available” error.

Analysis

Look at your bean counters:

# cat /proc/user_beancounters

Version: 2.5

       uid  resource           held    maxheld    barrier      limit    failcnt

      101:  kmemsize        9146159   27892508  110559230  113770490          0

            lockedpages           0          5        256        256          0

            privvmpages      147957     463794     655360     696320    4383621

            shmpages          20493      20493      21504      21504      14736

            dummy                 0          0          0          0          0

            numproc              76        222        540        540          0

            physpages         70678     335925          0 2147483647          0

            vmguarpages           0          0      33792 2147483647          0

            oomguarpages      70678     336552      26112 2147483647          0

            numtcpsock           22        272        360        360          0

            numflock             16        112        188        206          0

            numpty                1          2         16         16          0

            numsiginfo            0         95        256        256          0

            tcpsndbuf        176268    1762804    1720320    2703360   26819298

            tcprcvbuf        212992    1769108    1720320    2703360       9783

            othersockbuf     219964     865260    1126080    2097152          0

            dgramrcvbuf           0     149940     262144     262144          0

            numothersock        141        360        360        360       2036

            dcachesize            0          0   35758080   36249600          0

            numfile            3293       7386      93120      93120          0

            dummy                 0          0          0          0          0

            dummy                 0          0          0          0          0

            dummy                 0          0          0          0          0

            numiptent            10         10        328        328          0

Here you cee, that there are too many tcpsndbuf and privvmpages refused resource allocations.

Solution

Set higher values for both variables:

# vzctl set 101 --tcpsndbuf 2589488:3589488  --save

# vzctl set 101 --tcpsndbuf 2589488:3589488 --save

# vzctl set 101 --privvmpages 1600000:2400000 --save

# vzctl set 101 --numothersock 1024:1256 --save

# vzctl set 101 --tcprcvbuf 1769108:1720320 --save

References

1. Proc/user_beancounters. http://wiki.openvz.org/Proc/user_beancounters
2. http://forum.openvz.org/index.php?t=tree&goto=15423&#page_top
3. http://wiki.openvz.org/User_beancounters