Socket leak

Mark Saad msaad at
Wed May 14 21:03:39 UTC 2008

    I looked at netstat and I do not have this many sockets TCP or UNIX.

Wed May 14 16:58:37 EDT 2008
ewr# sysctl kern.ipc.numopensockets && netstat -an -p tcp | wc -l &&
sockstat -u |wc -l
kern.ipc.numopensockets: 15903

ewr# sockstat -46lu | wc -l

Running your script I can only find 1 matching 0 count socket .

I also shutdown proftpd and left it down for 10 mins and I did not see
the number of sockets drop at all.

Any ideas ?

Mikolaj Golub wrote:
> On Wed, 14 May 2008 09:46:35 -0400 Mark Saad wrote:
>  MS> Mikolaj
>  MS>   Thanks for the input, did you change any of the options for
>  MS> TimeoutLinger or TimeoutIdle ?
> No, I didn't
>  MS> The Proftpd I am running is build for 6.3-RELEASE  here are the build
>  MS> options
>  MS> Compile-time Settings:
>  MS>  Version: 1.3.0a
>  MS>  Platform: FREEBSD6 (FREEBSD6_3)
>  MS>  Built With:
>  MS>    configure CPPFLAGS=-DHAVE_OPENSSL --localstatedir=/var/run
>  MS> --disable-sendfile --disable-ipv6
>  MS> --with-modules=mod_sql:mod_sql_mysql:mod_check_mysql:mod_check_digest
>  MS> --prefix=/usr/local
>  MS> --with-includes=/usr/local/include/mysql:/usr/include/openssl
>  MS> --with-libraries=/usr/local/lib/mysql
> It might be that it is not proftpd but other application that cause the leak.
> Anyway, to check if it is proftpd, look in its logs for entries like these:
>   Entering Passive Mode (192,168,0,213,241,70).
>   FTP session closed.
> Convert the last two numbers to port (241*256+70) and check by netstat if you
> still have this connection. If you have, then it is likely this is the same
> situation as in my case and the proftpd is a problem. Upgrade to 1.3.1 from
> ports then.
> If proftpd is ok, look for other applications. Search for connections reported
> by netstat as ESTABLISHED but not displayed by sockstat utility. You could run
> something like this:
> netstat -an | grep ESTABL |
> while read b l a local remote state; do
>     echo -n "$local $remote: "
>     sockstat |
>     sed -e 's/:/./g' |
>     grep -c "$local *$remote"
> done
> Look for sockets with 0 count. These are suspicious ones. Observe these
> sockets by netstat and try to figure out what application they could belong
> and dig in that direction.
> --
> Mikolaj Golub
> _______________________________________________
> freebsd-hackers at mailing list
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at"

Mark Saad
Managed UNIX Support
DataPipe Managed Global IT Services
msaad at
1.201.792.4847 (international)
1.888.749.5821 (toll free)

()  ascii ribbon campaign - against html e-mail
/\   - against proprietary attachments

This message may contain confidential or privileged information.  If you are not the intended recipient, please advise us immediately and delete this message.  See for further information on confidentiality and the risks of non-secure electronic communication. If you cannot access these links, please notify us by reply message and we will send the contents to you.

More information about the freebsd-hackers mailing list