The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

netstat, udev and close_wait Questions -- should I worry?

Discussion in 'General Discussion' started by orty, Mar 12, 2008.

  1. orty

    orty Well-Known Member

    Joined:
    Jun 29, 2004
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bend, Oregon
    cPanel Access Level:
    Root Administrator
    OK, network gurus out there. I ran a netstat -p command on a client's server after noticing a high load (which has since gone down). There were a bunch of open TCP/IP connections to a specific IP addrress. I got a bunch of normal stuff, but also got a ton of these:

    Code:
    tcp        1      0 myserver.blahblah.net:39782      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39780      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39781      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39778      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39779      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39776      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39777      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39798      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39797      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39794      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39795      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39807      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39804      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39805      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39802      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39803      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39800      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39801      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39774      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39775      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39772      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39773      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39771      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39810      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39808      someother.random.net:http   CLOSE_WAIT  31946/udevd
    tcp        1      0 myserver.blahblah.net:39809      someother.random.net:http   CLOSE_WAIT  31946/udevd
    [I]snip[/I]
    There was about 110 lines of that. Can somebody tell me how to read this: Is my server connecting to port 80 on that server or is that server trying to connect to mine a thousand times on different ports? Just need to know if I should be emailing their abuse folks or if I should be looking to something on my server?

    I guess what worries me is that they are udev processes and not like an apache process or something.

    Ideas?
    -jake

    Edit: OK, just got an email back from the folks who own the IP range of the other server, and apparently that server is a CentOS distro mirror (ftp://69.41.160.250/centos). My server shouldn't be actively updating itself right now (it is a CentOS 5 server so it makes sense) and especially with that many open connections. Would explain the udevd, however.

    Any easy way to kill off the close_wait connections and find out why the system is making that many connections to the same server?
     
    #1 orty, Mar 12, 2008
    Last edited: Mar 12, 2008
Loading...
Similar Threads - netstat udev close_wait
  1. amiralib
    Replies:
    1
    Views:
    339

Share This Page