Date: Sat, 7 Feb 2026 11:31:48 -0800 From: Doug Hardie <bc979@lafn.org> To: freebsd-questions@freebsd.org Subject: Re: Strange sockstat entries Message-ID: <312D0E0A-31A2-4D50-90D7-38AB121F7E70@lafn.org> In-Reply-To: <864insbxvk.fsf@ltc.des.dev> References: <2133E787-9AF9-4999-83DC-83B4C0CABD32@lafn.org> <864insbxvk.fsf@ltc.des.dev>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] > On Feb 7, 2026, at 03:23, Dag-Erling Smørgrav <des@freebsd.org> wrote: > > Doug Hardie <bc979@lafn.org> writes: >> I am seeing a number of unusual sockstat entries that look like: >> >> ?? ?? ?? ?? tcp4 10.0.1.230:587 178.16.54.22:63001 >> >> The occur at the end of the output. Often there are about 10 or so >> entries. Most of them vanish after a few seconds. However, two are >> quite persistent. What causes this type of entry? > > sockstat works by retrieving and cross-referencing information from two > separate lists, one that ties sockets to processes and another that ties > sockets to connections. If a socket is opened or closed while sockstat > is working, it may show up in one list but not in the other. It might > be better to drop incomplete entries by default. > > Note that sockets owned by the kernel (e.g. NFS) will never show up in > the list of processes. Perhaps we should arrange things so they show up > with PID and UID 0. Thanks for the information. That makes sense now. I would think it would be better to not include the ?? ?? entries, but I can live with either approach now that I know what they mean. I did find one unexpected case where sockstat shows 32K entries for blacklistd. I find that quite unexpected as pftop only shows 26 entries for everything. netstat shows the same 32K entries so those must be established connections. Why are they still open when pftop doesn't show them. I would think that would mean they were closed. I would expect that having that many open connections would slow down the system. -- Doug [-- Attachment #2 --] <html><head><meta charset="UTF-8"><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><blockquote type="cite" style="font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">On Feb 7, 2026, at 03:23, Dag-Erling Smørgrav <des@freebsd.org> wrote:<br><br>Doug Hardie <bc979@lafn.org> writes:<br><blockquote type="cite">I am seeing a number of unusual sockstat entries that look like:<br><br>?? ?? ?? ?? tcp4 10.0.1.230:587 178.16.54.22:63001<br><br>The occur at the end of the output. Often there are about 10 or so<br>entries. Most of them vanish after a few seconds. However, two are<br>quite persistent. What causes this type of entry?<br></blockquote><br>sockstat works by retrieving and cross-referencing information from two<br>separate lists, one that ties sockets to processes and another that ties<br>sockets to connections. If a socket is opened or closed while sockstat<br>is working, it may show up in one list but not in the other. It might<br>be better to drop incomplete entries by default.<br><br>Note that sockets owned by the kernel (e.g. NFS) will never show up in<br>the list of processes. Perhaps we should arrange things so they show up<br>with PID and UID 0.<br></blockquote><br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;"><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; display: inline !important; float: none;">Thanks for the information. That makes sense now. I would think it would be better to not include the ?? ?? entries, but I can live with either approach now that I know what they mean.</span><br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;"><br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;"><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; display: inline !important; float: none;">I did find one unexpected case where sockstat shows 32K entries for blacklistd. I find that quite unexpected as pftop only shows 26 entries for everything. netstat shows the same 32K entries so those must be established connections. Why are they still open when pftop doesn't show them. I would think that would mean they were closed. I would expect that having that many open connections would slow down the system.</span><br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;"><br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;"><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; display: inline !important; float: none;">-- Doug</span></body></html>home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?312D0E0A-31A2-4D50-90D7-38AB121F7E70>