From owner-freebsd-net@FreeBSD.ORG Wed Aug 25 15:48:37 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AA22A16A4CE for ; Wed, 25 Aug 2004 15:48:37 +0000 (GMT) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B05F243D39 for ; Wed, 25 Aug 2004 15:48:36 +0000 (GMT) (envelope-from andre@freebsd.org) Received: (qmail 41913 invoked from network); 25 Aug 2004 15:47:36 -0000 Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 25 Aug 2004 15:47:36 -0000 Message-ID: <412CB4D6.5F33FDD@freebsd.org> Date: Wed, 25 Aug 2004 17:48:38 +0200 From: Andre Oppermann X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Peter Pentchev References: <20040825153247.GI1009@straylight.m.ringlet.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: net@FreeBSD.org Subject: Re: [CFR] Fix sockstat's handling of closed connections X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2004 15:48:37 -0000 Peter Pentchev wrote: > > Hi, > > I first came across this a couple of months ago, but today I finally > took the time to look into it. > > Basically, if a program has recently closed a TCP connection or three > and they are currently in CLOSED or TIME_WAIT state, sockstat(1) will > report them as active connected sockets and link them to completely > bogus programs and file descriptors. Here's a demonstration, taken > immediately after a completed fetchmail poll of three POP3 servers: This has got me freaked out more than once alreay but I never found time to look into it. Good catch! > [roam@straylight ~/fbsd/r/src/usr.bin/sockstat]> sockstat -4c > USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS > www httpd 5408 3 tcp4 217.75.134.254:58889 217.75.134.1:110 > roam ssh 939 3 tcp4 192.168.11.36:55794 192.168.9.48:22 > www httpd 604 3 tcp4 217.75.134.254:58889 217.75.134.1:110 > nobody dictd 596 26 tcp4 217.75.134.254:58889 217.75.134.1:110 > qmails tcpserver 548 0 tcp4 217.75.134.254:58889 217.75.134.1:110 > [roam@straylight ~/fbsd/r/src/usr.bin/sockstat]> ./sockstat -4c > USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS > roam ssh 939 3 tcp4 192.168.11.36:55794 192.168.9.48:22 > [roam@straylight ~/fbsd/r/src/usr.bin/sockstat]> netstat -n | egrep '^tcp.*110' > tcp4 0 0 217.75.134.254.49857 195.24.32.2.110 TIME_WAIT > tcp4 0 0 217.75.134.254.54159 217.75.128.9.110 TIME_WAIT > tcp4 0 0 217.75.134.254.58889 217.75.134.1.110 TIME_WAIT > [roam@straylight ~/fbsd/r/src/usr.bin/sockstat]> > > The first 'sockstat' run was the "real" sockstat(1) from FreeBSD > 5.3-BETA1 as of today; as you can see, it reports the three TIME_WAIT > sockets as very much active and attributes them to totally unrelated > processes. I must admit this gave me quite a scare the first time I saw > this: what in the name of $DEITY are all those servers doing opening > *outgoing* connections, or, alternatively and even worse, why are they > listening on high ports? > > Luckily, the fix is simple, or at least so it seems to me. It turns out > that those connections have a xt_socket->xso_so set to NULL, and the > false positive comes from sockstat's matching them to a similarly NULL > xf_data members of 'kern.files'. What do people think about the > following patch? I could commit it if nobody has any objections, but > being a ports/doc committer, I would need an explicit approval to do > that :) The fix looks good to me. It seems small enough so I think I can give you the direct go-ahead to commit it. Could you also put a comment into the sockstat man page describing that TCP connections in TIME_WAIT state can be looked up with netstat? -- Andre > G'luck, > Peter > > Index: src/usr.bin/sockstat/sockstat.c > =================================================================== > RCS file: /home/ncvs/src/usr.bin/sockstat/sockstat.c,v > retrieving revision 1.9 > diff -u -r1.9 sockstat.c > --- src/usr.bin/sockstat/sockstat.c 19 Jul 2003 06:23:56 -0000 1.9 > +++ src/usr.bin/sockstat/sockstat.c 25 Aug 2004 15:14:24 -0000 > @@ -494,6 +494,8 @@ > "LOCAL ADDRESS", "FOREIGN ADDRESS"); > setpassent(1); > for (xf = xfiles, n = 0; n < nxfiles; ++n, ++xf) { > + if (xf->xf_data == NULL) > + continue; > hash = (int)((uintptr_t)xf->xf_data % HASHSIZE); > for (s = sockhash[hash]; s != NULL; s = s->next) > if ((void *)s->socket == xf->xf_data) > > -- > Peter Pentchev roam@ringlet.net roam@cnsys.bg roam@FreeBSD.org > PGP key: http://people.FreeBSD.org/~roam/roam.key.asc > Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 > .siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI > > -------------------------------------------------------------------------------- > Part 1.2Type: application/pgp-signature