# Sockstat and netstat show different info



## prox (Jan 30, 2013)

Hello everyone,

We have a web server (apache22) that has been working stably for more than a year without any problem.
Last week I observed a big increase in the web connection count.


```
/usr/bin/netstat -an | /usr/bin/grep ".80  " | /usr/bin/grep "ESTABLISHED" | /usr/bin/wc -l
     134
```

At the same moment, if I check with sockstat, the picture is different.

```
sockstat -4c | grep www | wc -l
      19
```

Apache processes:

```
#ps auxwww | grep httpd
www         48988   9.0  1.4 308620  44448  ??  S    11:35AM      0:01.35 /usr/local/sbin/httpd
www         48956   2.0  1.4 308620  44528  ??  S    11:35AM      0:00.53 /usr/local/sbin/httpd
www         48976   2.0  1.4 308620  42872  ??  S    11:35AM      0:00.58 /usr/local/sbin/httpd
www         48949   1.0  1.4 308620  43604  ??  S    11:35AM      0:00.69 /usr/local/sbin/httpd
root         5562   0.0  0.5 300428  16084  ??  Ss    7:41PM      0:57.60 /usr/local/sbin/httpd
www         48857   0.0  1.5 308620  47096  ??  S    11:33AM      0:02.24 /usr/local/sbin/httpd
www         48914   0.0  1.4 308620  44332  ??  S    11:34AM      0:00.71 /usr/local/sbin/httpd
www         48926   0.0  1.5 308620  46792  ??  S    11:34AM      0:01.62 /usr/local/sbin/httpd
www         48940   0.0  1.4 308620  44608  ??  S    11:35AM      0:01.73 /usr/local/sbin/httpd
www         48945   0.0  1.4 308620  44036  ??  S    11:35AM      0:00.34 /usr/local/sbin/httpd
www         48964   0.0  1.4 308620  42988  ??  S    11:35AM      0:00.16 /usr/local/sbin/httpd
www         48970   0.0  1.5 312900  47628  ??  S    11:35AM      0:00.52 /usr/local/sbin/httpd
www         48972   0.0  1.4 308620  44304  ??  S    11:35AM      0:00.29 /usr/local/sbin/httpd
www         48974   0.0  1.4 308620  44244  ??  S    11:35AM      0:00.33 /usr/local/sbin/httpd
www         48982   0.0  0.5 300428  16564  ??  S    11:35AM      0:00.03 /usr/local/sbin/httpd
www         48987   0.0  1.4 308620  43208  ??  S    11:35AM      0:00.30 /usr/local/sbin/httpd
www         48990   0.0  1.4 308620  43988  ??  S    11:35AM      0:00.31 /usr/local/sbin/httpd
www         49009   0.0  0.5 300428  16112  ??  S    11:36AM      0:00.00 /usr/local/sbin/httpd
root        49011   0.0  0.0  16424   1540   1  S+   11:36AM      0:00.00 grep httpd
#
```

Also, netstat shows some info, but I don't understand the message (some columns are omitted):

```
# netstat -anx
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address R-LOWA S-LOWA R-BCNT S-BCNT R-BMAX S-BMAX   rexmt persist    keep    2msl  delack rcvtime
tcp4       0   1497 WEB-SERVER-IP.80       x.x.x.x33974      16652      0   6656 532864 266432    0.23    0.00 7199.96    0.00    0.00    0.04
tcp4       0     24 WEB-SERVER-IP.80       x.x.x.x1767        2048      0   4352 525600 268640    0.53    0.00 7199.99    0.00    0.00    0.01
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x.4052       2048      0      0 525600 268640    0.00    0.00 7197.07    0.00    0.00    2.93
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x.46688      2048      0      0 532864 266432    0.00    0.00    0.00    0.00    0.00    0.00
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x.46685      2048      0      0 532864 266432    0.00    0.00    0.00    0.00    0.00    0.00
...                                                        
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x.46687      2048      0      0 532864 266432    0.00    0.00    0.00    0.00    0.00    0.00
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x0.33269     2048      0      0 525648 268416    0.00    0.00 7193.47   45.40    0.00    6.53
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x.3902       2048      0      0 525600 268640    0.00    0.00 7157.92   19.91    0.00   42.08
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x901         2048      0      0 525600 268640    0.00    0.00 6875.73    0.00    0.00  324.27
...                                                        
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x6.19208     2048      0      0 525888 262944    0.00    0.00 6223.68    0.00    0.00  976.32
...                                                        
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x0189        2048      0      0 525600 268640    0.00    0.00 6212.61    0.00    0.00  987.39
...                                                        
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x4.7194      2048      0      0 525600 268640    0.00    0.00 4608.83    0.00    0.00 2591.17
...                                                        
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x.49227      2048      0      0 525600 268640    0.00    0.00  682.35    0.00    0.00 6517.65
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x.17870      2048      0      0 525888 262944    0.00    0.00  183.50    0.00    0.00 7016.50
...                                                        
tcp4       0      0 WEB-SERVER-IP.80       x.x.x.x.42691      2048      0      0 525600 268640    0.00    0.00 7123.30    0.00    0.00   76.70
...
```

System is stable:

```
last pid: 49416;  load averages:  0.56,  0.43,  0.36                                                              up 71+01:34:36  11:42:56
80 processes:  1 running, 78 sleeping, 1 zombie
CPU:  0.5% user,  0.0% nice,  4.5% system,  0.0% interrupt, 95.0% idle
```


```
# uname -a
FreeBSD esx3.mydomain.com 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 02:52:29 UTC 2012     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
```

IPFW has this rule:

```
$cmd 01080 allow tcp from any to me 80 in via $extern setup limit src-addr 20
```

What can be the cause of the difference in information, and what can be done to prevent any service disturbance?

PS: sorry for the long netstat output


----------



## SirDice (Jan 30, 2013)

Last week I've seen a large increase in scans looking for vulnerable phpMyAdmin installations. That may be the cause. It may also be spam related; on another board I moderate we're getting a huge increase in spam accounts being created since the beginning of the year.


----------



## prox (Jan 30, 2013)

The problem is not the large number of connections, but the difference in sockstat/netstat output.


----------
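To see exactly which connections make up the gap between the two counts discussed in this thread, the following added example (not part of any post) compares saved `netstat -an` and `sockstat -4c` output by remote endpoint instead of by line count. The function names and sample addresses are constructed for illustration, and the column layout assumed is FreeBSD's.

```shell
#!/bin/sh
# Added example (not from the thread): reconcile saved `netstat -an` and
# `sockstat -4c` output for one local port. Sample data is constructed.

# Peers of ESTABLISHED tcp4 connections whose LOCAL port is exactly $1.
# Field-exact, so a foreign port like 50080 or an outbound connection to a
# remote port 80 is not counted, as it would be by grep ".80  ".
netstat_peers() {
    awk -v port="$1" '
        $1 == "tcp4" && $NF == "ESTABLISHED" && $4 ~ ("\\." port "$") {
            match($5, /\.[0-9]+$/)     # netstat prints ip.port
            print substr($5, 1, RSTART - 1) ":" substr($5, RSTART + 1)
        }' | LC_ALL=C sort -u
}

# Peers of connected sockets held by user $2 on local port $1 (ip:port form).
sockstat_peers() {
    awk -v port="$1" -v user="$2" \
        '$1 == user && $6 ~ (":" port "$") { print $7 }' | LC_ALL=C sort -u
}

# Peers netstat lists that no socket of the user accounts for.
# $1 = netstat file, $2 = sockstat file, $3 = port, $4 = user
unaccounted_peers() {
    ns=$(mktemp /tmp/ns.XXXXXX); ss=$(mktemp /tmp/ss.XXXXXX)
    netstat_peers "$3" < "$1" > "$ns"
    sockstat_peers "$3" "$4" < "$2" > "$ss"
    LC_ALL=C comm -23 "$ns" "$ss"
    rm -f "$ns" "$ss"
}

sample_netstat() { cat <<'EOF'
tcp4       0      0 192.0.2.10.80          198.51.100.7.33974     ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.8.46688     ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.9.4052      ESTABLISHED
tcp4       0      0 192.0.2.10.22          203.0.113.5.50080      ESTABLISHED
tcp4       0      0 192.0.2.10.51234       203.0.113.9.80         ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.6.1767      TIME_WAIT
EOF
}

sample_sockstat() { cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      48988 3  tcp4   192.0.2.10:80         198.51.100.7:33974
www      httpd      48956 3  tcp4   192.0.2.10:80         198.51.100.9:4052
root     sshd       1200  3  tcp4   192.0.2.10:22         203.0.113.5:50080
EOF
}
```

On a live host, save both outputs at the same moment (`netstat -an > n.txt; sockstat -4c > s.txt`) and run `unaccounted_peers n.txt s.txt 80 www`; the peers it prints are the connections present in one view but not the other.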

