What is TCP orphan in in /proc/net/sockstat
 

Hello all,

Does anyone know what orphan field for TCP is in /proc/net/sockstat?

I search the web, and best I can find is some guesses that it's established TCP connections "not attached to any file handle".

Does anyone know more specifically what it is? E.g. if I were programming, how would I go about generating orphans? (Not that I want to accomplish it, just curious).

Also, any input on other fields in that file would be golden.

Thanks

May be this is the explanation (I may be wrong)
 

I'm not an expert of kernel code... but that number came from tcp_orphan_count
(ref: http://forums13.itrc.hp.com/service/...readId=1089165 )

net/ipv4/proc.c in a 2.6 kernel. At line 56-66 the following code:
few usage I got are these (find in file): (kernel 2.6.15.5)

in tcp.c file:
so tcp_orphan_count it is a global counter variable initialized to 0 (in tcp_ipv4.c)



and this .orphan_count is replicated in each socket struct variable's sk->sk_prot member variable.


This global variable is incremented in listen call in function inet_csk_listen_stop(struct sock *sk) as:
and this function internally calls inet_csk_destroy_sock() given below,

It is decremented in inet_csk_destroy_sock(struct sock *sk):

So the global tcp orphan counter will increase only if during this synchronization is lost , due to bug/assert failure or due to TCP out of memory when malloc() fails somewhere and the socket is terminated prematurely .


There is a internal TCP timer that checks for some bug/error, and if it finds that the Orphan counter EXCEEDED a preconfigured limit then it starts to reclaim some memory by freeing some unused sockets.

One comment I found that highlights above point (in tcp_timer.c)



So to manually create orphan socket requires direct/indirect tampering of skb structure or DoS attack ( http://en.wikipedia.org/wiki/Denial-of-service_attack).