Is there a way to use netstat to find processes that are heavily using the default gateway?
You can use netstat and rmsock in combination to help find processes that are actively using the default gateway.
If path MTU discover is not enabled then temporarily enable it so you can get more information when using netstat. These are commands to enable the path MTU discover:
no -o tcp_pmtu_discover=1
no -o udp_pmtu_discover=1
The next step involves running netstat -rn and looking for the highest use count on the cloned route entries (those with a W flag - reference example 1).
$ netstat -rn | grep -E "Use|UGHW"
Destination Gateway Flags Refs Use If PMTU Exp
188.8.131.52 184.108.40.206 UGHW 1 7 en2 - -
220.127.116.11 18.104.22.168 UGHW 2 123 en2 - -
22.214.171.124 126.96.36.199 UGHW 1 5 en2 1500 -
188.8.131.52 184.108.40.206 UGHW 1 3 en2 - -
220.127.116.11 18.104.22.168 UGHW 1 3373 en2 1500 -
In example 1 above, the destination address 22.214.171.124 has the highest use count (3373).
Next, check for any active sockets related to IP address 126.96.36.199 using the netstat -Aan command (see example 2):
$ netstat -Aan | grep 188.8.131.52
705b21e4 tcp4 0 0 184.108.40.206.139 220.127.116.11.1039 ESTABLISHED
Use the process control block address (705b21e4) from the netstat -Aan output in example 2 with the rmsock command to find a process ID associated with the socket.
# rmsock 705b21e4 tcpcb
The socket 0x705b2000 is being held by proccess 9394 (smbd).
With the help of netstat and rmsock in the preceding three examples, you were able to find a specific smbd process that had the most activity relative to sending data over the default gateway.