Socket leak
Mikolaj Golub
to.my.trociny at gmail.com
Wed May 14 19:18:52 UTC 2008
On Wed, 14 May 2008 09:46:35 -0400 Mark Saad wrote:
MS> Mikolaj
MS> Thanks for the input, did you change any of the options for
MS> TimeoutLinger or TimeoutIdle ?
No, I didn't
MS> The Proftpd I am running is build for 6.3-RELEASE here are the build
MS> options
MS> Compile-time Settings:
MS> Version: 1.3.0a
MS> Platform: FREEBSD6 (FREEBSD6_3)
MS> Built With:
MS> configure CPPFLAGS=-DHAVE_OPENSSL --localstatedir=/var/run
MS> --disable-sendfile --disable-ipv6
MS> --with-modules=mod_sql:mod_sql_mysql:mod_check_mysql:mod_check_digest
MS> --prefix=/usr/local
MS> --with-includes=/usr/local/include/mysql:/usr/include/openssl
MS> --with-libraries=/usr/local/lib/mysql
It might be that it is not proftpd but other application that cause the leak.
Anyway, to check if it is proftpd, look in its logs for entries like these:
Entering Passive Mode (192,168,0,213,241,70).
FTP session closed.
Convert the last two numbers to port (241*256+70) and check by netstat if you
still have this connection. If you have, then it is likely this is the same
situation as in my case and the proftpd is a problem. Upgrade to 1.3.1 from
ports then.
If proftpd is ok, look for other applications. Search for connections reported
by netstat as ESTABLISHED but not displayed by sockstat utility. You could run
something like this:
netstat -an | grep ESTABL |
while read b l a local remote state; do
echo -n "$local $remote: "
sockstat |
sed -e 's/:/./g' |
grep -c "$local *$remote"
done
Look for sockets with 0 count. These are suspicious ones. Observe these
sockets by netstat and try to figure out what application they could belong
and dig in that direction.
--
Mikolaj Golub
More information about the freebsd-hackers
mailing list