Date: Wed, 14 May 2008 17:02:28 -0400
From: Mark Saad
To: Mikolaj Golub
Cc: "freebsd-hackers@freebsd.org"
Subject: Re: Socket leak
Message-ID: <482B5364.7080406@datapipe.com>
In-Reply-To: <81y76c7kyy.fsf@zhuzha.ua1>

Mikolaj
I looked at netstat and I do not have this many sockets, TCP or UNIX.

Wed May 14 16:58:37 EDT 2008
ewr# sysctl kern.ipc.numopensockets && netstat -an -p tcp | wc -l && sockstat -u |wc -l
kern.ipc.numopensockets: 15903
261
60
ewr# sockstat -46lu | wc -l
82

Running your script I can only find 1 matching 0 count socket. I also shut down proftpd and left it down for 10 mins and I did not see the number of sockets drop at all. Any ideas?

Mikolaj Golub wrote:
> On Wed, 14 May 2008 09:46:35 -0400 Mark Saad wrote:
>
>  MS> Mikolaj
>  MS>  Thanks for the input, did you change any of the options for
>  MS> TimeoutLinger or TimeoutIdle ?
>
> No, I didn't
>
>  MS> The Proftpd I am running is built for 6.3-RELEASE, here are the build
>  MS> options
>
>  MS> Compile-time Settings:
>  MS>   Version: 1.3.0a
>  MS>   Platform: FREEBSD6 (FREEBSD6_3)
>  MS>   Built With:
>  MS>     configure CPPFLAGS=-DHAVE_OPENSSL --localstatedir=/var/run
>  MS> --disable-sendfile --disable-ipv6
>  MS> --with-modules=mod_sql:mod_sql_mysql:mod_check_mysql:mod_check_digest
>  MS> --prefix=/usr/local
>  MS> --with-includes=/usr/local/include/mysql:/usr/include/openssl
>  MS> --with-libraries=/usr/local/lib/mysql
>
> It might be that it is not proftpd but another application that causes the leak.
> Anyway, to check if it is proftpd, look in its logs for entries like these:
>
> Entering Passive Mode (192,168,0,213,241,70).
> FTP session closed.
>
> Convert the last two numbers to port (241*256+70) and check by netstat if you
> still have this connection. If you have, then it is likely this is the same
> situation as in my case and the proftpd is a problem. Upgrade to 1.3.1 from
> ports then.
>
> If proftpd is ok, look for other applications. Search for connections reported
> by netstat as ESTABLISHED but not displayed by sockstat utility. You could run
> something like this:
>
> netstat -an | grep ESTABL |
> while read b l a local remote state; do
>     echo -n "$local $remote: "
>     sockstat |
>     sed -e 's/:/./g' |
>     grep -c "$local *$remote"
> done
>
> Look for sockets with 0 count. These are suspicious ones. Observe these
> sockets by netstat and try to figure out what application they could belong
> to and dig in that direction.
>
> --
> Mikolaj Golub

--
Mark Saad
Managed UNIX Support
DataPipe Managed Global IT Services
msaad@datapipe.com
1.201.792.4847 (international)
1.888.749.5821 (toll free)
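
The first check suggested in the quoted reply (convert the passive-mode port from the proftpd log and look for it in netstat), written out as an added example that is not part of the original thread. The function names and the sample log and netstat lines are constructed, and the column positions assume FreeBSD `netstat -an -p tcp` output.

```shell
#!/bin/sh
# Added example; the log and netstat lines below are constructed samples.

# Read proftpd log lines on stdin. For each "Entering Passive Mode
# (h1,h2,h3,h4,p1,p2)" print the local endpoint the way FreeBSD
# `netstat -an` writes it: h1.h2.h3.h4.PORT with PORT = p1*256 + p2.
pasv_endpoints() {
    sed -n 's/.*Entering Passive Mode (\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1.\2.\3.\4 \5 \6/p' |
    while read -r host hi lo; do
        echo "$host.$((hi * 256 + lo))"
    done | sort -u
}

# lingering NETSTAT_TEXT: proftpd log on stdin, netstat output in $1.
# Prints "endpoint state" for each passive-mode endpoint that netstat
# still lists as a local address (column 4; column 6 is the state).
lingering() {
    pasv_endpoints | while read -r ep; do
        printf '%s\n' "$1" | awk -v ep="$ep" '$4 == ep { print ep, $6 }'
    done
}

sample_log() {   # constructed; only the two message texts come from the thread
    cat <<'EOF'
May 14 16:40:01 ftp proftpd[1201]: Entering Passive Mode (192,168,0,213,241,70).
May 14 16:40:09 ftp proftpd[1201]: FTP session closed.
May 14 16:41:15 ftp proftpd[1277]: Entering Passive Mode (192,168,0,213,195,80).
May 14 16:41:30 ftp proftpd[1277]: FTP session closed.
EOF
}

sample_netstat() {   # constructed `netstat -an -p tcp` lines
    cat <<'EOF'
tcp4       0      0  192.168.0.213.61766    192.0.2.10.40112       ESTABLISHED
tcp4       0      0  192.168.0.213.22       192.0.2.50.51515       ESTABLISHED
tcp4       0      0  192.168.0.213.21       *.*                    LISTEN
EOF
}

# Port 61766 (241*256+70) outlived its FTP session; port 50000 did not.
sample_log | lingering "$(sample_netstat)"
```

On a live host, feed the real proftpd log on stdin and pass `"$(netstat -an -p tcp)"` as the argument.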