From owner-freebsd-bugs@FreeBSD.ORG Fri Jan 13 12:40:09 2012
Date: Fri, 13 Jan 2012 12:36:41 GMT
From: Jim Pirzyk
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/164081: sockstat not reporting all open sockets
Message-Id: <201201131236.q0DCafJl003885@red.freebsd.org>

>Number:         164081
>Category:       bin
>Synopsis:       sockstat not reporting all open sockets
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 13 12:40:09 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Jim Pirzyk
>Release:        8.2-RELEASE-p3
>Organization:
>Environment:
FreeBSD amigo.home.pirzyk.org 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
When using rkhunter, one of the FreeBSD-specific tests is to compare the output from sockstat with netstat. The idea is that most rootkits will replace the netstat binary but do not deal with sockstat (since it is FreeBSD-specific). Currently on my machine, netstat is reporting *more* sockets open than sockstat. One port in particular is port 979, which nlockmgr is running on:

pirzyk@amigo:~/tmp 44>netstat -an | g 979
tcp4       0      0 127.0.0.1.3306         127.0.0.1.47979        TIME_WAIT
tcp4       0      0 *.979                  *.*                    LISTEN
pirzyk@amigo:~/tmp 45>rpcinfo -p | g 979
    100021    0   tcp    979  nlockmgr
    100021    1   tcp    979  nlockmgr
    100021    3   tcp    979  nlockmgr
    100021    4   tcp    979  nlockmgr
pirzyk@amigo:~/tmp 46>sockstat |g 979
pirzyk@amigo:~/tmp 47>

According to the sockstat man page there should be some differences between the two, but I believe that since port 979 is in LISTEN mode it should be displayed by sockstat.
>How-To-Repeat:
Simple shell script to do the diff between the outputs:

#!/bin/sh
# Port number of each inet socket sockstat shows (LOCAL ADDRESS is $6 or $7).
sockstat | awk 'NF == 7 { print $6 } NF == 8 { print $7 }' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq > sockstat.out
# Port number of each local address (field 4) in netstat -an output.
netstat -an | awk '{ print $4 }' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq > netstat.out
# Ports present in one list but not the other.
diff -Nru netstat.out sockstat.out
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
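As an added example that is not part of this PR or of rkhunter's own check, the same netstat-versus-sockstat comparison restricted to TCP sockets in LISTEN state, which must belong to a running process and so should always have a sockstat entry, while TIME_WAIT entries have no owning process and are legitimately absent from sockstat. The function names and the sample netstat and sockstat output are my own constructions, modelled on the session in the Description.

```shell
#!/bin/sh
# Added example (not from the PR or rkhunter): compare the TCP ports netstat
# reports in LISTEN state with the ports sockstat shows. A listening socket
# must belong to a running process, so it should appear in sockstat, whereas
# TIME_WAIT entries have no owning process and are legitimately absent.

# Local port of every TCP LISTEN line in `netstat -an` output ($1 = file).
# Field 4 is the local address as host.port, e.g. *.979 or 127.0.0.1.3306.
netstat_listen_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, "."); print a[n] }' "$1" |
        sort -u
}

# Local port of every inet socket in `sockstat` output ($1 = file); LOCAL
# ADDRESS is $6 on 7-field lines and $7 on 8-field lines, and sockstat writes
# host:port where netstat writes host.port.
sockstat_ports() {
    awk 'NF == 7 { print $6 } NF == 8 { print $7 }' "$1" |
        grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort -u
}

# Listening ports ($1 = netstat file) that sockstat ($2 = sockstat file)
# never mentions, one per line; any output deserves a closer look.
missing_listeners() {
    tmp=$(mktemp -d) || return 1
    netstat_listen_ports "$1" > "$tmp/netstat"
    sockstat_ports "$2" > "$tmp/sockstat"
    comm -23 "$tmp/netstat" "$tmp/sockstat"
    rm -rf "$tmp"
}

# Constructed sample input modelled on the PR's session: nlockmgr listens on
# 979 but has no sockstat entry; 47979 is only a TIME_WAIT client port.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 127.0.0.1.47979        127.0.0.1.3306         TIME_WAIT
tcp4       0      0 *.979                  *.*                    LISTEN
tcp4       0      0 *.3306                 *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
EOF
cat > "$SAMPLE_DIR/sockstat.txt" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp4   *:3306                *:*
root     sshd       1001  3  tcp4   *:22                  *:*
EOF
missing_listeners "$SAMPLE_DIR/netstat.txt" "$SAMPLE_DIR/sockstat.txt"
```

On a live system, feed it `netstat -an` and `sockstat` output captured to files; with the sample above it prints only 979, and the TIME_WAIT port 47979 is not reported.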