Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

netstat, udev and close_wait Questions -- should I worry?

Discussion in 'General Discussion' started by orty, Mar 12, 2008.

  1. orty

    orty Well-Known Member

    Joined:
    Jun 29, 2004
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Bend, Oregon
    cPanel Access Level:
    Root Administrator
    OK, network gurus out there. I ran a netstat -p command on a client's server after noticing a high load (which has since gone down). There were a bunch of open TCP/IP connections to a specific IP addrress. I got a bunch of normal stuff, but also got a ton of these:

    Code:
    tcp        1      0 myserver.blahblah.net:39782      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39780      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39781      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39778      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39779      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39776      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39777      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39798      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39797      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39794      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39795      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39807      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39804      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39805      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39802      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39803      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39800      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39801      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39774      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39775      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39772      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39773      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39771      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39810      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39808      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39809      someother.random.net:http   CLOSE_WAIT  31946/udevd
    [I]snip[/I]
    There was about 110 lines of that. Can somebody tell me how to read this: Is my server connecting to port 80 on that server or is that server trying to connect to mine a thousand times on different ports? Just need to know if I should be emailing their abuse folks or if I should be looking to something on my server?

    I guess what worries me is that they are udev processes and not like an apache process or something.

    Ideas?
    -jake

    Edit: OK, just got an email back from the folks who own the IP range of the other server, and apparently that server is a CentOS distro mirror (ftp://69.41.160.250/centos). My server shouldn't be actively updating itself right now (it is a CentOS 5 server so it makes sense) and especially with that many open connections. Would explain the udevd, however.

    Any easy way to kill off the close_wait connections and find out why the system is making that many connections to the same server?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 orty, Mar 12, 2008
    Last edited: Mar 12, 2008
Loading...
Similar Threads - netstat udev close_wait
  1. domainerq
    Replies:
    2
    Views:
    728

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice