I posted this to a different site's forum and got the very helpful advice not to use the -a switch. Gee, thanks.
I have several boxes, generally running Ubuntu, and they generally show a normal amount of open sockets; for example, on a server running a web server, an MTA, vpop, named, the works, netstat -a | wc is 49.
However on one machine that is not connected in any way to the internet I am getting 150 open sockets. Some of them are HAL's, which I have way more of on this machine than my other machines, but the rest are all open (unassigned?) unix sockets. I would like to find out where all these connections are coming from. Who knows enough to help with this?
Ok, First, here is the output of ps ax:
PID TTY STAT TIME COMMAND
1 ? S 0:03 init 
2 ? SN 0:00 [ksoftirqd/0]
3 ? S 0:00 [watchdog/0]
4 ? S< 0:04 [events/0]
5 ? S< 0:00 [khelper]
6 ? S< 0:00 [kthread]
8 ? S< 0:01 [kblockd/0]
9 ? S< 0:00 [kacpid]
104 ? S 0:00 [pdflush]
105 ? S 0:09 [pdflush]
107 ? S< 0:00 [aio/0]
106 ? S 0:00 [kswapd0]
694 ? S< 0:00 [kseriod]
1790 ? S< 0:00 [khubd]
1861 ? S 1:11 [kjournald]
2094 ? S<s 0:01 /sbin/udevd --daemon
2891 ? S< 0:00 [kgameportd]
2888 ? S 0:00 [shpchpd_event]
3943 ? Ss 0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
3945 ? Ss 0:00 /sbin/klogd -P /var/run/klogd/kmsg
3964 ? Ss 0:00 /usr/bin/dbus-daemon --system
3979 ? Ss 0:04 /usr/sbin/hald
3980 ? S 0:00 hald-runner
3985 ? S 0:00 /usr/lib/hal/hald-addon-acpi
3990 ? S 0:00 /usr/lib/hal/hald-addon-keyboard
3994 ? S 0:00 /usr/lib/hal/hald-addon-keyboard
4043 ? S 0:00 /usr/lib/hal/hald-addon-keyboard
4050 ? S 0:14 /usr/lib/hal/hald-addon-storage
4051 ? R 0:01 /usr/lib/hal/hald-addon-storage
4138 ? S 0:02 python /usr/sbin/hpssd
4365 ? Ss 0:00 /usr/lib/postfix/master
4399 ? Ss 0:13 /usr/sbin/nmbd -D
4419 ? Ss 0:00 /usr/sbin/sshd
4475 ? Ss 0:00 hcid: processing events
4481 ? Ss 0:00 /usr/sbin/sdpd
4490 ? S< 0:00 [krfcommd]
4503 ? Ss 0:00 /sbin/mdadm -F -i /var/run/mdadm.pid -m root -f -s
4537 ? Ss 0:00 /usr/sbin/atd
4550 ? Ss 0:00 /usr/sbin/cron
4902 tty6 Ss+ 0:00 /sbin/getty 38400 tty6
5012 ? S 0:00 qmgr -l -t fifo -u -c
5053 ? Ss 0:00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
5888 ? SNs 0:00 /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acpid.socket
5908 ? SNs 0:00 /usr/sbin/apache2 -k start -DSSL
5911 ? SN 0:00 /usr/sbin/apache2 -k start -DSSL
5912 ? SN 0:00 /usr/sbin/apache2 -k start -DSSL
5913 ? SN 0:00 /usr/sbin/apache2 -k start -DSSL
5915 ? SN 0:00 /usr/sbin/apache2 -k start -DSSL
5916 ? SN 0:00 /usr/sbin/apache2 -k start -DSSL
5938 ? SNs 0:00 /usr/sbin/cupsd
8561 ? SNs 0:00 /sbin/syslogd -u syslog
8730 tty3 Ss 0:00 /bin/login --
8740 tty4 Ss 0:00 /bin/login --
8982 tty5 Ss 0:00 /bin/login --
9002 tty2 Ss 0:00 /bin/login --
9117 tty1 Ss 0:00 /bin/login --
9124 tty1 S 0:00 -bash
9147 tty1 S 0:00 bash
9165 tty1 S 0:00 bash
9305 ? Ss 0:00 /usr/sbin/dhcpd3 -q eth1
9501 ? S 0:00 pickup -l -t fifo -u -c
9503 tty3 S+ 0:00 -bash
9573 tty3 R+ 0:00 ps ax
I don't know why all that mail stuff would be running, since I'm not using any MTA, and the HAL stuff isn't opening all those connections on my other machines. Finally that whole run of open unix sockets is just sick, what's up with that?
Any knowledge of this would be greatly appreciated.
If you really must know what all those UNIX sockets are from, use lsof.
Actually, yeah, I'd kinda like to know what my machine is doing, especially since other versions of this same distro aren't making 100+ unknown connections, to say nothing of Debian sarge, or that Valhalla install I checked just for giggles.
But how to lsof them since netstat doesn't list their ports, just their inodes? I suppose I could write a script to lsof every single pid, but is there a better way?
Also, how do I cull all those MTA sockets? As you can see from ps ax, there really is no MTA running. I don't even think system messages are getting mailed, so I'm not sure what process those (MTA) sockets are even bound to, and again it just gives their inodes, not the ports. "lsof -i :25" was not helpful.
Again I have a number of machines, but it is only the "Dapper Drake" one that has even close to that many open sockets, and I would like to see what the heck they are doing!
There is an MTA running: 4365 ? Ss 0:00 /usr/lib/postfix/master. It might not be bound to an IP on an external interface, but it's running nonetheless. Every UNIX system needs some method to submit mail for local users, so cron and other utilities can mail reports.