Is there a way to use netstat to find processes that are heavily using the default gateway?
You can use netstat and rmsock in combination to help find processes that are actively using the default gateway.
If path MTU discover is not enabled then temporarily enable it so you can get more information when using netstat. These are commands to enable the path MTU discover:
no -o tcp_pmtu_discover=1
no -o udp_pmtu_discover=1
The next step involves running netstat -rn and looking for the highest use count on the cloned route entries (those with a W flag - reference example 1).
$ netstat -rn | grep -E "Use|UGHW"
Destination Gateway Flags Refs Use If PMTU Exp
126.96.36.199 188.8.131.52 UGHW 1 7 en2 - -
184.108.40.206 220.127.116.11 UGHW 2 123 en2 - -
18.104.22.168 22.214.171.124 UGHW 1 5 en2 1500 -
126.96.36.199 188.8.131.52 UGHW 1 3 en2 - -
184.108.40.206 220.127.116.11 UGHW 1 3373 en2 1500 -
In example 1 above, the destination address 18.104.22.168 has the highest use count (3373).
Next, check for any active sockets related to IP address 22.214.171.124 using the netstat -Aan command (see example 2):
$ netstat -Aan | grep 126.96.36.199
705b21e4 tcp4 0 0 188.8.131.52.139 184.108.40.206.1039 ESTABLISHED
Use the process control block address (705b21e4) from the netstat -Aan output in example 2 with the rmsock command to find a process ID associated with the socket.
# rmsock 705b21e4 tcpcb
The socket 0x705b2000 is being held by proccess 9394 (smbd).
With the help of netstat and rmsock in the preceding three examples, you were able to find a specific smbd process that had the most activity relative to sending data over the default gateway.