LinuxQuestions.org
Old 12-11-2006, 11:53 AM   #1
emersony
LQ Newbie
 
Registered: Nov 2006
Posts: 15

Rep: Reputation: 0
Question netstat -a | wc = 150 ?? wtf


I posted this to a different site's forum and got the very helpful advice not to use the -a switch. Gee, thanks.

I have several boxes, generally running Ubuntu, and they generally show a normal amount of open sockets; for example, on a server running a web server, an MTA, vpop, named, the works, netstat -a | wc is 49.

However on one machine that is not connected in any way to the internet I am getting 150 open sockets. Some of them are HAL's, which I have way more of on this machine than my other machines, but the rest are all open (unassigned?) unix sockets. I would like to find out where all these connections are coming from. Who knows enough to help with this?

Ok, First, here is the output of ps ax:

PID TTY STAT TIME COMMAND
1 ? S 0:03 init [2]
2 ? SN 0:00 [ksoftirqd/0]
3 ? S 0:00 [watchdog/0]
4 ? S< 0:04 [events/0]
5 ? S< 0:00 [khelper]
6 ? S< 0:00 [kthread]
8 ? S< 0:01 [kblockd/0]
9 ? S< 0:00 [kacpid]
104 ? S 0:00 [pdflush]
105 ? S 0:09 [pdflush]
107 ? S< 0:00 [aio/0]
106 ? S 0:00 [kswapd0]
694 ? S< 0:00 [kseriod]
1790 ? S< 0:00 [khubd]
1861 ? S 1:11 [kjournald]
2094 ? S<s 0:01 /sbin/udevd --daemon
2891 ? S< 0:00 [kgameportd]
2888 ? S 0:00 [shpchpd_event]
3943 ? Ss 0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
3945 ? Ss 0:00 /sbin/klogd -P /var/run/klogd/kmsg
3964 ? Ss 0:00 /usr/bin/dbus-daemon --system
3979 ? Ss 0:04 /usr/sbin/hald
3980 ? S 0:00 hald-runner
3985 ? S 0:00 /usr/lib/hal/hald-addon-acpi
3990 ? S 0:00 /usr/lib/hal/hald-addon-keyboard
3994 ? S 0:00 /usr/lib/hal/hald-addon-keyboard
4043 ? S 0:00 /usr/lib/hal/hald-addon-keyboard
4050 ? S 0:14 /usr/lib/hal/hald-addon-storage
4051 ? R 0:01 /usr/lib/hal/hald-addon-storage
4138 ? S 0:02 python /usr/sbin/hpssd
4365 ? Ss 0:00 /usr/lib/postfix/master
4399 ? Ss 0:13 /usr/sbin/nmbd -D
4419 ? Ss 0:00 /usr/sbin/sshd
4475 ? Ss 0:00 hcid: processing events
4481 ? Ss 0:00 /usr/sbin/sdpd
4490 ? S< 0:00 [krfcommd]
4503 ? Ss 0:00 /sbin/mdadm -F -i /var/run/mdadm.pid -m root -f -s
4537 ? Ss 0:00 /usr/sbin/atd
4550 ? Ss 0:00 /usr/sbin/cron
4902 tty6 Ss+ 0:00 /sbin/getty 38400 tty6
5012 ? S 0:00 qmgr -l -t fifo -u -c
5053 ? Ss 0:00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
5888 ? SNs 0:00 /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acpid.socket
5908 ? SNs 0:00 /usr/sbin/apache2 -k start -DSSL
5911 ? SN 0:00 /usr/sbin/apache2 -k start -DSSL
5912 ? SN 0:00 /usr/sbin/apache2 -k start -DSSL
5913 ? SN 0:00 /usr/sbin/apache2 -k start -DSSL
5915 ? SN 0:00 /usr/sbin/apache2 -k start -DSSL
5916 ? SN 0:00 /usr/sbin/apache2 -k start -DSSL
5938 ? SNs 0:00 /usr/sbin/cupsd
8561 ? SNs 0:00 /sbin/syslogd -u syslog
8730 tty3 Ss 0:00 /bin/login --
8740 tty4 Ss 0:00 /bin/login --
8982 tty5 Ss 0:00 /bin/login --
9002 tty2 Ss 0:00 /bin/login --
9117 tty1 Ss 0:00 /bin/login --
9124 tty1 S 0:00 -bash
9147 tty1 S 0:00 bash
9165 tty1 S 0:00 bash
9305 ? Ss 0:00 /usr/sbin/dhcpd3 -q eth1
9501 ? S 0:00 pickup -l -t fifo -u -c
9503 tty3 S+ 0:00 -bash
9573 tty3 R+ 0:00 ps ax

so what is causing all this: (netstat -a)

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 9725 @/tmp/hald-runner/dbus-oPctzej4tC
unix 2 [ ACC ] STREAM LISTENING 14665 /var/run/acpid.socket
unix 2 [ ] DGRAM 4877 @/org/kernel/udev/udevd
unix 2 [ ACC ] STREAM LISTENING 10712 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 10719 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 10733 private/rewrite
unix 2 [ ] DGRAM 9733 @/org/freedesktop/hal/udev_event
unix 2 [ ACC ] STREAM LISTENING 10737 private/bounce
unix 2 [ ACC ] STREAM LISTENING 10741 private/defer
unix 2 [ ACC ] STREAM LISTENING 10745 private/trace
unix 2 [ ACC ] STREAM LISTENING 10749 private/verify
unix 2 [ ACC ] STREAM LISTENING 10753 public/flush
unix 2 [ ACC ] STREAM LISTENING 10757 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 10761 private/smtp
unix 2 [ ACC ] STREAM LISTENING 10765 private/relay
unix 2 [ ACC ] STREAM LISTENING 10769 public/showq
unix 2 [ ACC ] STREAM LISTENING 10773 private/error
unix 2 [ ACC ] STREAM LISTENING 10777 private/discard
unix 2 [ ACC ] STREAM LISTENING 10781 private/local
unix 2 [ ACC ] STREAM LISTENING 10785 private/virtual
unix 2 [ ACC ] STREAM LISTENING 10789 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 10793 private/anvil
unix 2 [ ACC ] STREAM LISTENING 10797 private/scache
unix 2 [ ACC ] STREAM LISTENING 10801 private/maildrop
unix 2 [ ACC ] STREAM LISTENING 10805 private/uucp
unix 2 [ ACC ] STREAM LISTENING 10809 private/ifmail
unix 2 [ ACC ] STREAM LISTENING 10813 private/bsmtp
unix 2 [ ACC ] STREAM LISTENING 10817 private/scalemail-backend
unix 2 [ ACC ] STREAM LISTENING 10821 private/mailman
unix 5 [ ] DGRAM 15830 /dev/log
unix 2 [ ACC ] STREAM LISTENING 9724 @/tmp/hald-local/dbus-fXtUh6DGAP
unix 2 [ ACC ] STREAM LISTENING 9701 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 10992 /var/run/sdp
unix 2 [ ] DGRAM 16185
unix 2 [ ] DGRAM 16178
unix 2 [ ] DGRAM 16013
unix 2 [ ] DGRAM 15516
unix 3 [ ] STREAM CONNECTED 14747 /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 14746
unix 2 [ ] DGRAM 13937
unix 2 [ ] DGRAM 13880
unix 2 [ ] DGRAM 13059
unix 2 [ ] DGRAM 12468
unix 2 [ ] DGRAM 12389
unix 3 [ ] STREAM CONNECTED 12387
unix 3 [ ] STREAM CONNECTED 12386
unix 3 [ ] STREAM CONNECTED 12385
unix 3 [ ] STREAM CONNECTED 12384
unix 3 [ ] STREAM CONNECTED 12383
unix 3 [ ] STREAM CONNECTED 12382
unix 3 [ ] STREAM CONNECTED 12381
unix 3 [ ] STREAM CONNECTED 12380
unix 3 [ ] STREAM CONNECTED 12379
unix 3 [ ] STREAM CONNECTED 12378
unix 3 [ ] STREAM CONNECTED 12377
unix 3 [ ] STREAM CONNECTED 12376
unix 3 [ ] STREAM CONNECTED 12375
unix 3 [ ] STREAM CONNECTED 12374
unix 3 [ ] STREAM CONNECTED 12373
unix 3 [ ] STREAM CONNECTED 12372
unix 3 [ ] STREAM CONNECTED 12371
unix 3 [ ] STREAM CONNECTED 12370
unix 3 [ ] STREAM CONNECTED 12369
unix 3 [ ] STREAM CONNECTED 12368
unix 3 [ ] STREAM CONNECTED 12367
unix 3 [ ] STREAM CONNECTED 12366
unix 3 [ ] STREAM CONNECTED 12365
unix 3 [ ] STREAM CONNECTED 12364
unix 3 [ ] STREAM CONNECTED 12363
unix 3 [ ] STREAM CONNECTED 12362
unix 3 [ ] STREAM CONNECTED 12361
unix 3 [ ] STREAM CONNECTED 12360
unix 3 [ ] STREAM CONNECTED 12359
unix 3 [ ] STREAM CONNECTED 12358
unix 3 [ ] STREAM CONNECTED 12357
unix 3 [ ] STREAM CONNECTED 12356
unix 3 [ ] STREAM CONNECTED 12355
unix 3 [ ] STREAM CONNECTED 12354
unix 3 [ ] STREAM CONNECTED 12353
unix 3 [ ] STREAM CONNECTED 12352
unix 3 [ ] STREAM CONNECTED 12351
unix 3 [ ] STREAM CONNECTED 12350
unix 3 [ ] STREAM CONNECTED 12349
unix 3 [ ] STREAM CONNECTED 12348
unix 3 [ ] STREAM CONNECTED 12347
unix 3 [ ] STREAM CONNECTED 12346
unix 3 [ ] STREAM CONNECTED 12345
unix 3 [ ] STREAM CONNECTED 12344
unix 3 [ ] STREAM CONNECTED 12343
unix 3 [ ] STREAM CONNECTED 12342
unix 3 [ ] STREAM CONNECTED 12341
unix 3 [ ] STREAM CONNECTED 12340
unix 3 [ ] STREAM CONNECTED 12339
unix 3 [ ] STREAM CONNECTED 12338
unix 3 [ ] STREAM CONNECTED 12337
unix 3 [ ] STREAM CONNECTED 12336
unix 3 [ ] STREAM CONNECTED 12335
unix 3 [ ] STREAM CONNECTED 12334
unix 3 [ ] STREAM CONNECTED 12333
unix 3 [ ] STREAM CONNECTED 12332
unix 2 [ ] DGRAM 12125
unix 2 [ ] DGRAM 10984
unix 3 [ ] STREAM CONNECTED 10983 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 10982
unix 2 [ ] DGRAM 10965
unix 2 [ ] DGRAM 10697
unix 2 [ ] DGRAM 10194
unix 3 [ ] STREAM CONNECTED 10064 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 10063
unix 3 [ ] STREAM CONNECTED 10050 @/tmp/hald-local/dbus-fXtUh6DGAP
unix 3 [ ] STREAM CONNECTED 10049
unix 3 [ ] STREAM CONNECTED 10040 @/tmp/hald-local/dbus-fXtUh6DGAP
unix 3 [ ] STREAM CONNECTED 10039
unix 3 [ ] STREAM CONNECTED 10010 @/tmp/hald-local/dbus-fXtUh6DGAP
unix 3 [ ] STREAM CONNECTED 10005
unix 3 [ ] STREAM CONNECTED 9889 @/tmp/hald-local/dbus-fXtUh6DGAP
unix 3 [ ] STREAM CONNECTED 9888
unix 3 [ ] STREAM CONNECTED 9885 @/tmp/hald-local/dbus-fXtUh6DGAP
unix 3 [ ] STREAM CONNECTED 9882
unix 3 [ ] STREAM CONNECTED 9857 @/tmp/hald-local/dbus-fXtUh6DGAP
unix 3 [ ] STREAM CONNECTED 9848
unix 3 [ ] STREAM CONNECTED 9728 @/tmp/hald-runner/dbus-oPctzej4tC
unix 3 [ ] STREAM CONNECTED 9727
unix 3 [ ] STREAM CONNECTED 9704
unix 3 [ ] STREAM CONNECTED 9703


I don't know why all that mail stuff would be running, since I'm not using any MTA, and the HAL stuff isn't opening all those connections on my other machines. Finally that whole run of open unix sockets is just sick, what's up with that?

Any knowledge of this would be greatly appreciated.

-Emerson
 
Old 12-11-2006, 12:00 PM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,028
Blog Entries: 5

Rep: Reputation: 790
Sockets are used not only for external communications but also for within-the-box communications for some applications.

For specific ports you can use lsof to determine which process is actually using it:

lsof -i :<portnumber> (You could do this for each of the netstat -a ports shown).

Alternatively you could get the ports each process is using with lsof:

lsof -p <pid>

Or you could just do "lsof |grep :" because only the sockets will show up that way.
 
Old 12-11-2006, 12:03 PM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Why are you checking UNIX domain sockets anyway? Those aren't external connections, those are all InterProcess Communication.

If you want just IP sockets, do
Code:
$ netstat -anA inet
If you really must know what all those UNIX sockets are from, use lsof.
 
Old 12-11-2006, 12:07 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
PS You are running an MTA. It's probably not bound to an external interface, though.

Code:
4365 ? Ss 0:00 /usr/lib/postfix/master
...
unix 2 [ ACC ] STREAM LISTENING 10712 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 10719 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 10733 private/rewrite
...
unix 2 [ ACC ] STREAM LISTENING 10737 private/bounce
unix 2 [ ACC ] STREAM LISTENING 10741 private/defer
unix 2 [ ACC ] STREAM LISTENING 10745 private/trace
unix 2 [ ACC ] STREAM LISTENING 10749 private/verify
unix 2 [ ACC ] STREAM LISTENING 10753 public/flush
unix 2 [ ACC ] STREAM LISTENING 10757 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 10761 private/smtp
unix 2 [ ACC ] STREAM LISTENING 10765 private/relay
unix 2 [ ACC ] STREAM LISTENING 10769 public/showq
unix 2 [ ACC ] STREAM LISTENING 10773 private/error
unix 2 [ ACC ] STREAM LISTENING 10777 private/discard
unix 2 [ ACC ] STREAM LISTENING 10781 private/local
unix 2 [ ACC ] STREAM LISTENING 10785 private/virtual
unix 2 [ ACC ] STREAM LISTENING 10789 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 10793 private/anvil
unix 2 [ ACC ] STREAM LISTENING 10797 private/scache
unix 2 [ ACC ] STREAM LISTENING 10801 private/maildrop
unix 2 [ ACC ] STREAM LISTENING 10805 private/uucp
unix 2 [ ACC ] STREAM LISTENING 10809 private/ifmail
unix 2 [ ACC ] STREAM LISTENING 10813 private/bsmtp
unix 2 [ ACC ] STREAM LISTENING 10817 private/scalemail-backend
unix 2 [ ACC ] STREAM LISTENING 10821 private/mailman
 
Old 12-12-2006, 08:47 AM   #5
emersony
LQ Newbie
 
Registered: Nov 2006
Posts: 15

Original Poster
Rep: Reputation: 0
re: netstat -a | wc = 150 .... wtf ?!

Quote:
If you really must know what all those UNIX sockets are from, use lsof.
Actually, yeah, I'd kinda like to know what my machine is doing, especially since other versions of this same distro aren't making 100+ unknown connections, to say nothing of Debian Sarge, or that Valhalla install I checked just for giggles.

But how to lsof them since netstat doesn't list their ports, just their inodes? I suppose I could write a script to lsof every single pid, but is there a better way?

Also, how do I cull all those MTA sockets? As you can see from ps ax, there really is no MTA running-- I don't even think system messages are getting mailed, so not sure what process those (MTA) sockets are even bound to, and again it just gives their inodes, not the ports. "lsof -i :25" was not helpful.

Again I have a number of machines, but it is only the "Dapper Drake" one that has even close to that many open sockets, and I would like to see what the heck they are doing!

appreciatively,

Emerson
 
Old 12-12-2006, 02:26 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
There is an MTA running: 4365 ? Ss 0:00 /usr/lib/postfix/master. It might not be bound to an IP on an external interface, but it's running nonetheless. Every UNIX system needs some method to submit mail for local users, so cron and other utilities can mail reports.

Did you try looking at the output of
Code:
# lsof -U
?
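
Added example, not part of any post in the thread: one way to answer the question in post #5 (netstat shows only inodes, so which process owns each UNIX socket?) is to join /proc/net/unix with the `socket:[inode]` symlinks under /proc/<pid>/fd. The function names and the `proc` parameter are this example's own, and it assumes a kernel that provides /proc/<pid>/comm.

```python
"""Map UNIX-socket inodes (the I-Node column of netstat -a) to owning processes."""
import os
import re
from collections import defaultdict

SOCK_LINK = re.compile(r"^socket:\[(\d+)\]$")  # target of a socket fd symlink


def unix_sockets(proc="/proc"):
    """Parse <proc>/net/unix into {inode: bound path, or '' if unnamed}."""
    socks = {}
    with open(os.path.join(proc, "net", "unix")) as fh:
        next(fh, None)  # header: Num RefCount Protocol Flags Type St Inode Path
        for line in fh:
            f = line.split(None, 7)
            if len(f) >= 7:
                socks[int(f[6])] = f[7].strip() if len(f) > 7 else ""
    return socks


def socket_owners(proc="/proc"):
    """Return {inode: [(pid, command), ...]} from the <proc>/<pid>/fd symlinks."""
    owners = defaultdict(set)
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            with open(os.path.join(proc, pid, "comm")) as fh:
                comm = fh.read().strip()
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or its fds are not ours to read (not root)
            continue
        for target in links:
            m = SOCK_LINK.match(target)
            if m:
                owners[int(m.group(1))].add((int(pid), comm))
    return {ino: sorted(procs) for ino, procs in owners.items()}


def report(proc="/proc"):
    """Join both views: one (inode, path, owners) row per UNIX socket."""
    owners = socket_owners(proc)
    return [(ino, path, owners.get(ino, []))
            for ino, path in sorted(unix_sockets(proc).items())]


if __name__ == "__main__":
    for ino, path, procs in report():
        who = ", ".join(f"{c}[{p}]" for p, c in procs) or "(not visible, run as root)"
        print(f"{ino:>8}  {path or '-':<36} {who}")
```

Run it as root so every process's fd directory is readable; unnamed sockets such as the long CONNECTED run in the first post print with `-` as the path but still resolve to a PID.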
 
  

