sockstat / netstat output 8.x vs 7.x
Mikolaj Golub
to.my.trociny at gmail.com
Fri May 14 12:39:08 UTC 2010
On Tue, 11 May 2010 13:24:02 -0700 Julian Elischer wrote:
JE> On 5/11/10 12:20 PM, Wes Peters wrote:
>> The output header is instructive:
>>
>> USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
>> www httpd 18423 3 tcp4 6 *:80 *:*
>> www httpd 18423 4 tcp4 *:* *:*
>> www httpd 25184 3 tcp4 6 *:80 *:*
>> www httpd 25184 4 tcp4 *:* *:*
>>
>> Same as 7, it's the foreign address. This is normally only useful for
>> connected sockets.
>>
>> On Tue, May 11, 2010 at 11:14 AM, Mike Tancsa<mike at sentex.net> wrote:
>>> [trying on freebsd-net since no response on stable]
>>>
>>> I noticed that apache on RELENG_8 and RELENG_7 shows up with output I can't
>>> seem to understand from sockstat -l and netstat -naW
>>>
>>> On RELENG_7, sockstat -l makes sense to me
>>> ....
>>> www httpd 83005 4 tcp4 *:443 *:*
>>> www httpd 82217 3 tcp4 *:80 *:*
>>> www httpd 82217 4 tcp4 *:443 *:*
>>> www httpd 38942 3 tcp4 *:80 *:*
>>> www httpd 38942 4 tcp4 *:443 *:*
>>> root httpd 1169 3 tcp4 *:80 *:*
>>> root httpd 1169 4 tcp4 *:443 *:*
>>>
>>>
>>> various processes listening on all bound IP addresses on ports 80 and 443.
>>>
>>> On RELENG_8 however, it shows up with an extra entry (at the end)
>>>
>>> www httpd 29005 4 tcp4 *:* *:*
>>> www httpd 29004 3 tcp4 6 *:80 *:*
>>> www httpd 29004 4 tcp4 *:* *:*
>>> www httpd 29003 3 tcp4 6 *:80 *:*
>>> www httpd 29003 4 tcp4 *:* *:*
>>> www httpd 66731 3 tcp4 6 *:80 *:*
>>> www httpd 66731 4 tcp4 *:* *:*
>>> root httpd 72197 3 tcp4 6 *:80 *:*
>>> root httpd 72197 4 tcp4 *:* *:*
>>>
>>>
>>> *:80 makes sense to me... process is listening on all IPs for port 80. What
>>> does *:* mean then ?
JE> I believe it has created a socket but not used it for anything
JE> it may be the 6 socket... otherwise I don't see what a "tcp4 6" is
JE> meant to be.
Comparing the RELENG_8 and RELENG_7 outputs, it might be for https, which looks
like it is not configured on the RELENG_8 host. I think socket() was called but
no other actions were performed with the socket.
>>>
>>> Netstat gives a slightly different version of it
>>>
>>> Active Internet connections (including servers)
>>> Proto Recv-Q Send-Q Local Address Foreign Address (state)
>>> tcp4 0 0 *.1984 *.* LISTEN
>>> tcp4 0 0 *.* *.* CLOSED
>>> tcp46 0 0 *.80 *.* LISTEN
>>>
>>> state closed ?
You can reproduce this with this simple program:
zhuzha:~/src/test_socket% cat test.c
#include <sys/types.h>
#include <sys/socket.h>
#include <errno.h>
#include <unistd.h>
#include <err.h>

int
main(int argc, char **argv)
{
	int sockfd;

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		errx(1, "socket error");
	sleep(60);
	return 0;
}
zhuzha:~/src/test_socket% make
cc -g -O0 -Wall test.c -o test
zhuzha:~/src/test_socket% ./test&
[1] 56076
zhuzha:~/src/test_socket% sockstat|grep test
golub test 56076 3 tcp4 *:* *:*
zhuzha:~/src/test_socket% netstat -na |grep CLOSED
tcp4 0 0 *.* *.* CLOSED
--
Mikolaj Golub
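
The test program above, extended as an added example (not part of the original message): it opens a TCP/IPv4 socket at three stages (socket() only, bound, listening) and classifies each using getsockname() and the SO_ACCEPTCONN socket option, which is the distinction behind the "*:*" / CLOSED lines versus the "*:80" / LISTEN lines. The names sock_kind, open_tcp4 and classify are hypothetical, and binding to the wildcard address with port 0 is an assumption made so the example runs without privileges.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Kinds of sockstat/netstat line a TCP/IPv4 descriptor can produce. */
enum sock_kind { SK_ERROR = -1, SK_UNUSED, SK_BOUND, SK_LISTEN };

/* Hypothetical helper. stage 0: socket() only; 1: + bind(); 2: + listen(). */
int open_tcp4(int stage)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || stage == 0)
        return fd;
    memset(&sin, 0, sizeof(sin));             /* port 0: kernel picks one */
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);  /* wildcard address, "*" */
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        (stage == 2 && listen(fd, 1) < 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

enum sock_kind classify(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin), olen = sizeof(int);
    int listening = 0;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0 ||
        getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &listening, &olen) < 0)
        return SK_ERROR;
    if (listening)
        return SK_LISTEN;   /* "*:port" in sockstat, LISTEN in netstat */
    if (sin.sin_port != 0 || sin.sin_addr.s_addr != htonl(INADDR_ANY))
        return SK_BOUND;    /* has a local address, not listening */
    return SK_UNUSED;       /* "*:*" in sockstat, CLOSED in netstat */
}

int main(void)
{
    for (int stage = 0; stage <= 2; stage++) {
        int fd = open_tcp4(stage);
        printf("stage %d -> kind %d\n", stage, fd < 0 ? -1 : (int)classify(fd));
        if (fd >= 0) close(fd);
    }
    return 0;
}
```

Only the SK_LISTEN case accepts connections; when auditing sockstat -l output, a "*:*" entry corresponds to SK_UNUSED and exposes no port.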