bin/164081: sockstat not reporting all open sockets
Jim Pirzyk
pirzyk at FreeBSD.org
Fri Jan 13 12:40:09 UTC 2012
>Number: 164081
>Category: bin
>Synopsis: sockstat not reporting all open sockets
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 13 12:40:09 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Jim Pirzyk
>Release: 8.2-RELEASE-p3
>Organization:
>Environment:
FreeBSD amigo.home.pirzyk.org 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
When using rkhunter, one of the FreeBSD-specific tests is to compare the output from sockstat with netstat. The idea is that most rootkits will replace the netstat binary but do not deal with sockstat (since it is FreeBSD-specific). Currently on my machine, netstat is reporting *more* sockets open than sockstat. One port in particular is port 979, which nlockmgr is running on:
pirzyk at amigo:~/tmp
44>netstat -an | g 979
tcp4 0 0 127.0.0.1.3306 127.0.0.1.47979 TIME_WAIT
tcp4 0 0 *.979 *.* LISTEN
pirzyk at amigo:~/tmp
45>rpcinfo -p | g 979
100021 0 tcp 979 nlockmgr
100021 1 tcp 979 nlockmgr
100021 3 tcp 979 nlockmgr
100021 4 tcp 979 nlockmgr
pirzyk at amigo:~/tmp
46>sockstat |g 979
pirzyk at amigo:~/tmp
47>
According to the sockstat man page there should be some differences between the two, but I believe that since port 979 is in LISTEN mode it should be displayed by sockstat.
>How-To-Repeat:
Simple shell script to do the diff between the two outputs:
#!/bin/sh
# Local port numbers seen by sockstat: the local address is field 6 on
# 7-field lines and field 7 on 8-field lines; keep only the trailing port.
sockstat | awk 'NF == 7 { print $6 } NF == 8 {print $7}' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq > sockstat.out
# Local port numbers seen by netstat: the local address is field 4.
netstat -an | awk '{ print $4 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq > netstat.out
# Ports present in one listing but not the other.
diff -Nru netstat.out sockstat.out
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
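Added example, not code from the PR, from rkhunter or from FreeBSD: a POSIX sh script that reduces both listings to (protocol, port) pairs, keeping the protocol so that a tcp4 and a tcp6 listener on the same port are not confused, and reports what each tool shows that the other does not. The netstat and sockstat listings embedded in it are constructed to resemble FreeBSD 8 output (with the port-979 listener present only in the netstat listing, as in the report above) and are not captured from a real host; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the PR or from rkhunter: reduce `netstat -an`
# and `sockstat` output to "proto port" pairs and report the ports one tool
# lists but the other does not.  The two SAMPLE_* listings are constructed to
# resemble FreeBSD 8 output (with the port-979 listener present only in the
# netstat listing); they are not captured from a real host.

LC_ALL=C; export LC_ALL   # identical collation for sort(1) and comm(1)

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.3306         127.0.0.1.47979        TIME_WAIT
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN
tcp4       0      0  *.979                  *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.111                  *.*
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
c5d1a000 stream      0      0        0 c5d1a0f0        0        0 /var/run/devd.pipe'

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1001  3  tcp6   *:22                  *:*
root     sshd       1001  4  tcp4   *:22                  *:*
root     rpcbind    900   5  udp4   *:111                 *:*
mysql    mysqld     850   10 tcp4   127.0.0.1:3306        *:*
root     devd       500   4  stream /var/run/devd.pipe'

# Reduce `netstat -an` text on stdin to sorted, unique "proto port" lines.
# FreeBSD netstat prints the local address as addr.port (IPv6 included), so
# the port is the text after the last '.'; headers and UNIX sockets are
# dropped because their first field is not tcp*/udp*.
ports_from_netstat() {
    awk '$1 ~ /^(tcp|udp)[46]?$/ {
             n = split($4, f, ".")
             if (f[n] ~ /^[0-9]+$/) print $1, f[n]
         }' | sort -u
}

# Reduce sockstat text on stdin to the same form.  sockstat prints the local
# address as addr:port in field 6 with the protocol in field 5, so the port
# is the text after the last ':'; "stream" (UNIX socket) lines are dropped.
ports_from_sockstat() {
    awk '$5 ~ /^(tcp|udp)[46]?$/ {
             n = split($6, f, ":")
             if (f[n] ~ /^[0-9]+$/) print $5, f[n]
         }' | sort -u
}

# $1: netstat text, $2: sockstat text.  Prints one line per "proto port"
# pair that only one of the two tools reports, tagged with which tool.
compare_ports() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | ports_from_netstat  > "$a"
    printf '%s\n' "$2" | ports_from_sockstat > "$b"
    comm -23 "$a" "$b" | sed 's/^/netstat-only: /'
    comm -13 "$a" "$b" | sed 's/^/sockstat-only: /'
    rm -f "$a" "$b"
}

# Run against the constructed samples; on a live host use
#   compare_ports "$(netstat -an)" "$(sockstat)"
compare_ports "$SAMPLE_NETSTAT" "$SAMPLE_SOCKSTAT"
```

With the constructed samples the only output is `netstat-only: tcp4 979`. The TIME_WAIT entry for port 3306 does not show up as a difference because its local port is also that of mysqld's listener; a TIME_WAIT or similar ownerless PCB on an otherwise unused port would, and that is an expected netstat-only difference because no process holds a file descriptor for it. A LISTEN port that sockstat omits, as with 979 here, is the kind of discrepancy this PR is about.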