Is there a way to use netstat to find processes that are heavily using the default gateway?
You can use netstat and rmsock in combination to help find processes that are actively using the default gateway.
If path MTU discover is not enabled then temporarily enable it so you can get more information when using netstat. These are commands to enable the path MTU discover:
no -o tcp_pmtu_discover=1
no -o udp_pmtu_discover=1
The next step involves running netstat -rn and looking for the highest use count on the cloned route entries (those with a W flag - reference example 1).
$ netstat -rn | grep -E "Use|UGHW"
Destination Gateway Flags Refs Use If PMTU Exp
22.214.171.124 126.96.36.199 UGHW 1 7 en2 - -
188.8.131.52 184.108.40.206 UGHW 2 123 en2 - -
220.127.116.11 18.104.22.168 UGHW 1 5 en2 1500 -
22.214.171.124 126.96.36.199 UGHW 1 3 en2 - -
188.8.131.52 184.108.40.206 UGHW 1 3373 en2 1500 -
In example 1 above, the destination address 220.127.116.11 has the highest use count (3373).
Next, check for any active sockets related to IP address 18.104.22.168 using the netstat -Aan command (see example 2):
$ netstat -Aan | grep 22.214.171.124
705b21e4 tcp4 0 0 126.96.36.199.139 188.8.131.52.1039 ESTABLISHED
Use the process control block address (705b21e4) from the netstat -Aan output in example 2 with the rmsock command to find a process ID associated with the socket.
# rmsock 705b21e4 tcpcb
The socket 0x705b2000 is being held by proccess 9394 (smbd).
With the help of netstat and rmsock in the preceding three examples, you were able to find a specific smbd process that had the most activity relative to sending data over the default gateway.