3
  • Ubuntu Server 10.04.1 x86
  • Munin 1.4.4

Here is what Munin tells me about connections through the firewall on my server:

TIME_WAIT

Here is what netstat -n has to say about this:

$ netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c
      2 CLOSE_WAIT
      1 CLOSING
   3720 ESTABLISHED
     34 FIN_WAIT1
     21 FIN_WAIT2
     13 LAST_ACK
      6 LISTEN
      4 SYN_RECV
    394 TIME_WAIT

According to netstat, 10% of sockets are in TIME_WAIT; 75% or more, according to Munin.

That is strange. Who is right?

More details about configuration etc. here: How to reduce number of sockets in TIME_WAIT?

4
  • Here is what Munin does: munin-monitoring.org/browser/tags/1.4.4/plugins/node.d.linux/… Commented Dec 13, 2010 at 21:43
  • Munin looks at /proc/net/ip_conntrack. Indeed, it reports 19K connections in TIME_WAIT out of a total of 20K. The question is, who to believe? Commented Dec 13, 2010 at 21:47
  • Or am I trying to compare apples with oranges? If so, which Munin graph should I use? Commented Dec 13, 2010 at 21:57
  • Link down............ Commented Jan 23, 2016 at 3:42

1 Answer

5

netstat doesn't show connections that are passing through the server as a gateway / firewall.

The munin-plugin parses /proc/net/ip_conntrack, which contains a lot of information not visible in netstat.

The answer: both are right, but they answer different questions. Netstat talks about connections to and from the server itself. Conntrack provides information about traffic passing the server, so it can make sure to do address translation and so forth correctly.
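
To see the split the answer describes, the conntrack table can be counted per state separately for connections that end on the host and connections it only forwards. This is an added example, not part of the original answer or of the Munin plugin; the function names, the sample lines, the host addresses 203.0.113.10 and 10.0.0.1, and the rule used to decide what counts as "local" are all assumptions made for illustration.

```shell
#!/bin/sh
# Count TCP conntrack states, split by whether this host is an endpoint.
# Usage: conntrack_states IP[,IP...] < /proc/net/ip_conntrack
# Assumed rule: an entry is "local" when the original-direction source or the
# reply-direction source (1st and 2nd src= fields) is one of the host's own
# addresses. Everything else is only forwarded/NATed and is not in netstat.
conntrack_states() {
    awk -v ips="$1" '
        BEGIN { n = split(ips, a, ","); for (i = 1; i <= n; i++) own[a[i]] = 1 }
        $1 == "tcp" {
            ns = 0
            for (i = 5; i <= NF; i++)
                if ($i ~ /^src=/) s[++ns] = substr($i, 5)
            kind = "forwarded"
            if ((ns >= 1 && (s[1] in own)) || (ns >= 2 && (s[2] in own)))
                kind = "local"
            count[kind " " $4]++      # $4 is the TCP state in ip_conntrack
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample in ip_conntrack format (documentation address ranges).
sample_conntrack() {
    cat <<'EOF'
tcp      6 87 TIME_WAIT src=10.0.0.23 dst=198.51.100.7 sport=51514 dport=80 src=198.51.100.7 dst=203.0.113.10 sport=80 dport=51514 [ASSURED] mark=0 use=2
tcp      6 42 TIME_WAIT src=10.0.0.24 dst=198.51.100.8 sport=40112 dport=443 src=198.51.100.8 dst=203.0.113.10 sport=443 dport=40112 [ASSURED] mark=0 use=2
tcp      6 431990 ESTABLISHED src=10.0.0.25 dst=198.51.100.9 sport=33210 dport=443 src=198.51.100.9 dst=203.0.113.10 sport=443 dport=33210 [ASSURED] mark=0 use=2
tcp      6 431000 ESTABLISHED src=198.51.100.50 dst=203.0.113.10 sport=50022 dport=22 src=203.0.113.10 dst=198.51.100.50 sport=22 dport=50022 [ASSURED] mark=0 use=2
tcp      6 15 TIME_WAIT src=203.0.113.10 dst=198.51.100.9 sport=45000 dport=80 src=198.51.100.9 dst=203.0.113.10 sport=80 dport=45000 [ASSURED] mark=0 use=2
udp      17 25 src=10.0.0.23 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.10 sport=53 dport=40000 mark=0 use=2
EOF
}

# Assumed host addresses: 203.0.113.10 (public) and 10.0.0.1 (LAN).
sample_conntrack | conntrack_states "203.0.113.10,10.0.0.1"
```

Only the "local" rows are comparable to the netstat counts; the "forwarded" rows are the gateway traffic that the conntrack-based graph includes and netstat does not.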
