Flutterby™! : Mac loathing


Mac loathing

2007-12-05 20:23:05.322034+00 by Dan Lyke 8 comments

Argh. Pardon the geekery, but today's expanding bald spot is brought to you by something causing finder to spew:

Finder[77336] <error>: CGWindowContextCreate: failed to create context delegate.

And

Finder[77336] <error>: Failed to create window context device

hundreds of times a second into my syslog, causing the machine to come to a grinding halt. And I've no idea how to track this.

comments in ascending chronological order (reverse):

#Comment Re: made: 2007-12-06 16:56:07.197668+00 by: ziffle

iptraf?

#Comment Re: made: 2007-12-06 18:30:42.766745+00 by: Dan Lyke

What is this tool whereof you speak and where can I get my fingers on it?

Yeah, I think it's related to an (apparently successful) DoS attack originating in Japan, but I'm having trouble squeezing enough out of OS/X to figure out the details.

#Comment Re: made: 2007-12-06 22:21:25.528177+00 by: ziffle

http://iptraf.seul.org/

linux right?

shows ip and type of traffic coming in.

you need access to root...

#Comment Re: made: 2007-12-06 22:31:28.221259+00 by: Dan Lyke

No, OS/X, but I'll see if I can compile it on the Mac. Thanks, that looks very useful!

#Comment Re: made: 2007-12-06 23:47:07.66927+00 by: ziffle

I can't believe I knew something you did not know about programming :)

Is there a tool which would show in real time ip traffic by consolidated IP address? iptraf does not combine multiple streams that I can see. hehe can you modify iptraf for that? I'll test it for you :)

we use a firewall box running linux and iptraf when needed. You could build one temporarily in front of your Mac ??

We also built a routine to update the firewall iptables easily - so you could observe a BAD ip address and then update the firewall dynamically and then observe the traffic clear up.

Linux does seem to be missing some tools like this. Or is it me?

#Comment Re: made: 2007-12-07 02:36:41.320902+00 by: Dan Lyke

I dunno, I've remained blissfully ignorant of admin stuff for a few years, and am being dragged back in only reluctantly.

But I guess I'm going to have to learn.

#Comment Re: made: 2007-12-08 00:56:15.460258+00 by: John Anderson

> am being dragged back in only reluctantly.

There is no escape! D,NA!

#Comment Re: made: 2007-12-08 10:10:34.684079+00 by: meuon

Ziffle, we were building/kludging such tools with Snort, iptraf, sniffit, iptables, etc. years ago with linux boxen configured as routers. IPTraf handles multiple ethernet ports well, and can do some insane logging. We had perl scripts that looked for traffic patterns and would build iptables rules; my favorite was "Manson.pl" - Manson the mass murderer. He built a hash of odd port traffic hits by IP address and would then deny the IP or the /24. We only ran it when we were seeing problems, but it would quickly identify and kill attacking IPs.

But my favorite tool was/is: ntop

Absolutely amazing tool for monitoring network traffic and showing you the exceptions, detailed reporting.. stats.. Running it on a fast machine with lots of RAM that was either the router, or in promiscuous mode inline with a hub (not switch), is an amazing view of what is going on over your wire.

I have no idea what the current generation is like.
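Two things in this thread describe the same small piece of logic: ziffle asks for a view of traffic consolidated by source IP address, and meuon describes a script that kept a hash of odd-port hits per IP and then denied the IP or its /24. The following is an added illustration of that approach, written for this page; it is not Manson.pl, not iptraf or ntop output, and not anything from the thread's authors. The record format (`<src_ip> <dst_port>`, one line per inbound connection attempt), the sample addresses (RFC 5737 documentation ranges), the "expected ports" set and both thresholds are constructed assumptions. It only returns the `iptables` rule strings; applying them is left to the operator.

```python
import ipaddress
from collections import Counter

# Constructed sample input (hypothetical format: "<src_ip> <dst_port>" per
# observed inbound connection attempt; not iptraf's or ntop's own output).
SAMPLE_RECORDS = """\
203.0.113.7 22
203.0.113.7 23
203.0.113.7 135
203.0.113.7 445
203.0.113.7 1433
203.0.113.7 3389
203.0.113.9 23
203.0.113.9 135
203.0.113.9 445
203.0.113.9 1433
198.51.100.20 80
198.51.100.20 443
198.51.100.20 80
192.0.2.55 22
"""

EXPECTED_PORTS = {22, 80, 443}   # services this host is meant to expose (assumed)
ADDR_THRESHOLD = 4               # odd-port hits before one address is denied (assumed)
NET_THRESHOLD = 8                # odd-port hits before its whole /24 is denied (assumed)


def parse_records(text):
    """Yield (src_ip, dst_port) pairs, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            yield ipaddress.ip_address(parts[0]), int(parts[1])
        except ValueError:
            continue


def odd_hits_by_source(records, expected_ports=EXPECTED_PORTS):
    """Count attempts on unexpected ports, consolidated per source address
    (the per-IP view ziffle asked for, and the 'hash' meuon describes)."""
    hits = Counter()
    for src, port in records:
        if port not in expected_ports:
            hits[src] += 1
    return hits


def consolidate_by_network(hits, prefix=24):
    """Roll the per-address counts up to their containing /24."""
    nets = Counter()
    for src, n in hits.items():
        nets[ipaddress.ip_network(f"{src}/{prefix}", strict=False)] += n
    return nets


def build_deny_rules(hits, addr_threshold=ADDR_THRESHOLD, net_threshold=NET_THRESHOLD):
    """Return iptables rule strings: a single /24 rule when a whole block is
    noisy, otherwise one rule per offending address. Nothing is executed,
    so the rules can be reviewed before they touch a firewall."""
    rules = []
    covered = set()
    for net, n in sorted(consolidate_by_network(hits).items(), key=lambda kv: str(kv[0])):
        if n >= net_threshold:
            rules.append(f"iptables -A INPUT -s {net} -j DROP")
            covered.add(net)
    for src, n in sorted(hits.items(), key=lambda kv: str(kv[0])):
        if n >= addr_threshold and not any(src in net for net in covered):
            rules.append(f"iptables -A INPUT -s {src} -j DROP")
    return rules


def analyze(text):
    """Full pipeline over raw records: parse, count, consolidate, decide."""
    return build_deny_rules(odd_hits_by_source(parse_records(text)))


if __name__ == "__main__":
    for rule in analyze(SAMPLE_RECORDS):
        print(rule)
```

On the sample above, 203.0.113.7 and 203.0.113.9 together make nine odd-port hits, so the /24 is denied with one rule rather than two; lowering `NET_THRESHOLD` below the per-address counts would instead produce one rule per address. Counting only ports outside `EXPECTED_PORTS` is what keeps a busy but legitimate web client such as 198.51.100.20 out of the deny list.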