Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 14 May 2008 17:02:28 -0400
From:      Mark Saad <msaad@datapipe.com>
To:        Mikolaj Golub <to.my.trociny@gmail.com>
Cc:        "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject:   Re: Socket leak
Message-ID:  <482B5364.7080406@datapipe.com>
In-Reply-To: <81y76c7kyy.fsf@zhuzha.ua1>
References:  <482A2639.7000401@datapipe.com> <81zlqtfazy.fsf@zhuzha.ua1>	<482AED3B.1020307@datapipe.com> <81y76c7kyy.fsf@zhuzha.ua1>

next in thread | previous in thread | raw e-mail | index | archive | help
Mikolaj
    I looked at netstat and I do not have this many sockets TCP or UNIX.

Wed May 14 16:58:37 EDT 2008
ewr# sysctl kern.ipc.numopensockets && netstat -an -p tcp | wc -l &&
sockstat -u |wc -l
kern.ipc.numopensockets: 15903
      261
      60

ewr# sockstat -46lu | wc -l
       82

Running your script I can only find 1 matching 0 count socket .

I also shutdown proftpd and left it down for 10 mins and I did not see
the number of sockets drop at all.

Any ideas ?

Mikolaj Golub wrote:
> On Wed, 14 May 2008 09:46:35 -0400 Mark Saad wrote:
>
>  MS> Mikolaj
>  MS>   Thanks for the input, did you change any of the options for
>  MS> TimeoutLinger or TimeoutIdle ?
>
> No, I didn't
>
>  MS> The Proftpd I am running is build for 6.3-RELEASE  here are the buil=
d
>  MS> options
>
>  MS> Compile-time Settings:
>  MS>  Version: 1.3.0a
>  MS>  Platform: FREEBSD6 (FREEBSD6_3)
>  MS>  Built With:
>  MS>    configure CPPFLAGS=3D-DHAVE_OPENSSL --localstatedir=3D/var/run
>  MS> --disable-sendfile --disable-ipv6
>  MS> --with-modules=3Dmod_sql:mod_sql_mysql:mod_check_mysql:mod_check_dig=
est
>  MS> --prefix=3D/usr/local
>  MS> --with-includes=3D/usr/local/include/mysql:/usr/include/openssl
>  MS> --with-libraries=3D/usr/local/lib/mysql
>
> It might be that it is not proftpd but other application that cause the l=
eak.
> Anyway, to check if it is proftpd, look in its logs for entries like thes=
e:
>
>   Entering Passive Mode (192,168,0,213,241,70).
>   FTP session closed.
>
> Convert the last two numbers to port (241*256+70) and check by netstat if=
 you
> still have this connection. If you have, then it is likely this is the sa=
me
> situation as in my case and the proftpd is a problem. Upgrade to 1.3.1 fr=
om
> ports then.
>
> If proftpd is ok, look for other applications. Search for connections rep=
orted
> by netstat as ESTABLISHED but not displayed by sockstat utility. You coul=
d run
> something like this:
>
> netstat -an | grep ESTABL |
> while read b l a local remote state; do
>     echo -n "$local $remote: "
>     sockstat |
>     sed -e 's/:/./g' |
>     grep -c "$local *$remote"
> done
>
> Look for sockets with 0 count. These are suspicious ones. Observe these
> sockets by netstat and try to figure out what application they could belo=
ng
> and dig in that direction.
>
> --
> Mikolaj Golub
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org=
"


--
Mark Saad
Managed UNIX Support
DataPipe Managed Global IT Services
msaad@datapipe.com
1.201.792.4847 (international)
1.888.749.5821 (toll free)

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments


This message may contain confidential or privileged information.  If you ar=
e not the intended recipient, please advise us immediately and delete this =
message.  See http://www.datapipe.com/emaildisclaimer.aspx for further info=
rmation on confidentiality and the risks of non-secure electronic communica=
tion. If you cannot access these links, please notify us by reply message a=
nd we will send the contents to you.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?482B5364.7080406>