Date:      Wed, 14 May 2008 22:18:45 +0300
From:      Mikolaj Golub <to.my.trociny@gmail.com>
To:        <freebsd-hackers@freebsd.org>
Subject:   Re: Socket leak
Message-ID:  <81y76c7kyy.fsf@zhuzha.ua1>
In-Reply-To: <482AED3B.1020307@datapipe.com> (Mark Saad's message of "Wed\, 14 May 2008 09\:46\:35 -0400")
References:  <482A2639.7000401@datapipe.com> <81zlqtfazy.fsf@zhuzha.ua1> <482AED3B.1020307@datapipe.com>


On Wed, 14 May 2008 09:46:35 -0400 Mark Saad wrote:

 MS> Mikolaj
 MS>   Thanks for the input, did you change any of the options for
 MS> TimeoutLinger or TimeoutIdle ?

No, I didn't

 MS> The Proftpd I am running is built for 6.3-RELEASE; here are the build
 MS> options

 MS> Compile-time Settings:
 MS>  Version: 1.3.0a
 MS>  Platform: FREEBSD6 (FREEBSD6_3)
 MS>  Built With:
 MS>    configure CPPFLAGS=-DHAVE_OPENSSL --localstatedir=/var/run
 MS> --disable-sendfile --disable-ipv6
 MS> --with-modules=mod_sql:mod_sql_mysql:mod_check_mysql:mod_check_digest
 MS> --prefix=/usr/local
 MS> --with-includes=/usr/local/include/mysql:/usr/include/openssl
 MS> --with-libraries=/usr/local/lib/mysql

It might be that it is not proftpd but another application that causes the leak.
Anyway, to check if it is proftpd, look in its logs for entries like these:

  Entering Passive Mode (192,168,0,213,241,70).
  FTP session closed.

Convert the last two numbers to a port (241*256+70) and check with netstat if you
still have this connection. If you have, then it is likely this is the same
situation as in my case and proftpd is the problem. Upgrade to 1.3.1 from
ports then.

If proftpd is ok, look for other applications. Search for connections reported
by netstat as ESTABLISHED but not displayed by the sockstat utility. You could run
something like this:

netstat -an | grep ESTABL |
while read b l a local remote state; do
    echo -n "$local $remote: "
    sockstat |
    sed -e 's/:/./g' |
    grep -c "$local *$remote"
done

Look for sockets with a 0 count. These are the suspicious ones. Observe these
sockets with netstat, try to figure out what application they could belong
to, and dig in that direction.

-- 
Mikolaj Golub
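
Added example (not part of the original message): the two checks described above as offline shell functions, one converting a PASV reply to the ip.port form netstat prints, the other listing ESTABLISHED connections that have no owner in sockstat. It assumes the FreeBSD IPv4 column layout of both tools; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample data below is constructed, not from a real host.

# Turn a PASV reply into the ip.port form that FreeBSD "netstat -an" prints.
pasv_to_netstat() {
    printf '%s\n' "$1" | awk -F'[(),]' '
        NF >= 7 && $6 <= 255 && $7 <= 255 {
            printf "%s.%s.%s.%s.%d\n", $2, $3, $4, $5, $6 * 256 + $7
        }'
}

# Print ESTABLISHED connections from a saved "netstat -an" ($2) that have no
# owning process in a saved "sockstat" ($1). Each file is read once, so two
# snapshots are compared instead of running sockstat once per connection.
orphaned_established() {
    awk '
        # sockstat writes ip:port, netstat writes ip.port: swap the last colon.
        function dot(s,  i) {
            i = match(s, /:[^:]*$/)
            return i ? substr(s, 1, i - 1) "." substr(s, i + 1) : s
        }
        FILENAME == ARGV[1] {          # sockstat: LOCAL is $6, FOREIGN is $7
            if ($6 ~ /:/ && $7 ~ /:/) owned[dot($6) " " dot($7)] = 1
            next
        }
        $6 == "ESTABLISHED" {          # netstat: local $4, remote $5, state $6
            k = $4 " " $5
            if (!(k in owned)) print k
        }
    ' "$1" "$2"
}

sample_sockstat() { cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   192.168.0.213:22      192.168.0.10:51234
root     sshd       640   4  tcp4   *:22                  *:*
EOF
}

sample_netstat() { cat <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.0.213.22       192.168.0.10.51234     ESTABLISHED
tcp4       0      0  192.168.0.213.61766    192.168.0.10.40022     ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
EOF
}
```

On a live host, save the output of sockstat and of netstat -an to two files and pass them in that order.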


