Is there a way to use netstat to find processes that are heavily using the default gateway?
You can use netstat and rmsock in combination to help find processes that are actively using the default gateway.
If path MTU discover is not enabled then temporarily enable it so you can get more information when using netstat. These are commands to enable the path MTU discover:
no -o tcp_pmtu_discover=1
no -o udp_pmtu_discover=1
The next step involves running netstat -rn and looking for the highest use count on the cloned route entries (those with a W flag - reference example 1).
$ netstat -rn | grep -E "Use|UGHW"
Destination Gateway Flags Refs Use If PMTU Exp
18.104.22.168 22.214.171.124 UGHW 1 7 en2 - -
126.96.36.199 188.8.131.52 UGHW 2 123 en2 - -
184.108.40.206 220.127.116.11 UGHW 1 5 en2 1500 -
18.104.22.168 22.214.171.124 UGHW 1 3 en2 - -
126.96.36.199 188.8.131.52 UGHW 1 3373 en2 1500 -
In example 1 above, the destination address 184.108.40.206 has the highest use count (3373).
Next, check for any active sockets related to IP address 220.127.116.11 using the netstat -Aan command (see example 2):
$ netstat -Aan | grep 18.104.22.168
705b21e4 tcp4 0 0 22.214.171.124.139 126.96.36.199.1039 ESTABLISHED
Use the process control block address (705b21e4) from the netstat -Aan output in example 2 with the rmsock command to find a process ID associated with the socket.
# rmsock 705b21e4 tcpcb
The socket 0x705b2000 is being held by proccess 9394 (smbd).
With the help of netstat and rmsock in the preceding three examples, you were able to find a specific smbd process that had the most activity relative to sending data over the default gateway.