>Number:         164081
>Category:       bin
>Synopsis:       sockstat not reporting all open sockets
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 13 12:40:09 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Jim Pirzyk
>Release:        8.2-RELEASE-p3
>Organization:
>Environment:
FreeBSD amigo.home.pirzyk.org 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011     r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
When using rkhunter, one of the FreeBSD-specific tests is to compare the output 
from sockstat with netstat.  The idea is that most rootkits will replace the 
netstat binary but do not deal with sockstat (since it is FreeBSD-specific).  
Currently on my machine, netstat is reporting *more* sockets open than 
sockstat.  One port in particular is port 979, which nlockmgr is running on:

pirzyk@amigo:~/tmp
44>netstat -an | g 979
tcp4       0      0 127.0.0.1.3306         127.0.0.1.47979        TIME_WAIT
tcp4       0      0 *.979                  *.*                    LISTEN
pirzyk@amigo:~/tmp
45>rpcinfo -p | g 979
    100021    0   tcp    979  nlockmgr
    100021    1   tcp    979  nlockmgr
    100021    3   tcp    979  nlockmgr
    100021    4   tcp    979  nlockmgr
pirzyk@amigo:~/tmp
46>sockstat |g 979
pirzyk@amigo:~/tmp
47>

According to the sockstat man page there should be some differences between the 
two but I believe since port 979 is in LISTEN mode, it should be displayed by 
sockstat.
>How-To-Repeat:
A simple shell script to do the diff between the outputs:

#!/bin/sh

# Local port of each socket listed by sockstat (column 6 or 7 depending on the field count)
sockstat | awk 'NF == 7 { print $6 } NF == 8 {print $7}' | grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq > sockstat.out

# Local port of each socket listed by netstat -an (column 4)
netstat -an |  awk '{ print $4 }' |grep '[:.][0-9][0-9]*$' | sed -e 's/^.*[:.]\([0-9]*\)$/\1/' | sort | uniq > netstat.out

diff -Nru netstat.out sockstat.out
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs