Your Ad Here

IBM AIX/UNIX system storage administration ksh/perl scripting

Friday, March 20, 2009

Using netstat and rmsock to Identify Processes Using the Default Gateway

Question

Is there a way to use netstat to find processes that are heavily using the default gateway?

Answer

You can use netstat and rmsock in combination to help find processes that are actively using the default gateway.

If path MTU discover is not enabled then temporarily enable it so you can get more information when using netstat. These are commands to enable the path MTU discover:

no -o tcp_pmtu_discover=1
no -o udp_pmtu_discover=1

The next step involves running netstat -rn and looking for the highest use count on the cloned route entries (those with a W flag - reference example 1).

Example 1

$ netstat -rn | grep -E "Use|UGHW"
Destination Gateway Flags Refs Use If PMTU Exp
Groups
9.0.7.1 9.41.166.1 UGHW 1 7 en2 - -
9.12.136.110 9.41.166.1 UGHW 2 123 en2 - -
9.17.183.166 9.41.166.1 UGHW 1 5 en2 1500 -
9.41.167.106 9.41.166.1 UGHW 1 3 en2 - -
9.41.167.182 9.41.166.1 UGHW 1 3373 en2 1500 -

In example 1 above, the destination address 9.41.167.182 has the highest use count (3373).

Next, check for any active sockets related to IP address 9.41.167.182 using the netstat -Aan command (see example 2):

Example 2

$ netstat -Aan | grep 9.41.167.182
705b21e4 tcp4 0 0 9.41.166.74.139 9.41.167.182.1039 ESTABLISHED

Use the process control block address (705b21e4) from the netstat -Aan output in example 2 with the rmsock command to find a process ID associated with the socket.

Example 3

# rmsock 705b21e4 tcpcb
The socket 0x705b2000 is being held by proccess 9394 (smbd).

With the help of netstat and rmsock in the preceding three examples, you were able to find a specific smbd process that had the most activity relative to sending data over the default gateway.

1 comment:

Juan Alvarez said...

netstat -Aan | grep LISTEN | awk '{print "echo puerto:"$5";rmsock "$1" tcpcb"}' | ksh

Labels

Blog Archive

BlogCatalog