On 6/16/07, frantisek holop <[EMAIL PROTECTED]> wrote:
amaaq> netstat -naf inet Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) ip 0 0 *.* *.* 17
...
i really can't wrap my head around the first line. what is state 17? proto ip?
...
how can i track down what this is?
Well, you can track down what the '17' is by reading the netstat source to see where it gets that value. Turns out to be from the ip_p member of the ip part of the PCB, which holds the protocol number. The name<-->number mapping for protocol values is found in /etc/protocols, where you'll see that 17 is the protocol number for UDP. Okay, but that doesn't explain why the kernel would have such an entry. AFAICT, the entries in the proto ip section show sockets created with socket(AF_INET, SOCK_RAW, real_proto) I.e., a socket which the application can use to send arbitrary IP packets with the indicated protocol field. In this case, lets a program send arbitrary UDP packets. (It can't be used to receive them because SOCK_RAW sockets are never passed UDP (or TCP) packets.) A little rumination about which programs might want to do that suggests dhclient as the culprit, as normal UDP processing can't be used to send DHCP requests for interfaces that don't have an address already assigned. Sure enough, kill dhclient and that netstat entry vanishes. Restart it and the entry reappears. Philip Guenther
