Skip to main content
Welcome guest. | Register | Login | Post

The Problem with Netstat

No replies
supermike's picture
Offline
Joined: 2006-02-17

I was having trouble working with chkrootkit. You download this file, expand and compile it, and then run a Bash script. It checks your system for known rootkits. Worked great on Ubuntu, but then it failed on RH9. When I dug where it was failing, it turns out that it was the netstat command. You see, on my Ubuntu system, the netstat command runs and then stops. But on my RH9 system, the netstat command runs and runs and runs and runs -- it never stops. In fact, it complains about "bogus tcp line" periodically in the output. As well, the output begins to repeat itself. I checked to see if I had an alias on the netstat command and it appeared I did not. Therefore, I uninstalled and reinstalled the netstat command, and that failed. So then I went and found net-tools on the Internet and recompiled it, and it still failed. So then I got into the netstat.c code, found the if/then condition that causes the "bogus tcp line" entry, and the return statement that followed it, and I commented both out with /* code */. However, even that did not help and the netstat runs continuously.

...then I bounced with ifdown/ifup.

...then I bounced with /etc/init.d/network restart.

...then I bounced the web server.

...then I bounced the sshd.

...then I bounceed the xinetd.

I tried all that so that I wouldn't have to reboot this system and blow my uptime bragging rights.

Turns out, none of this helped. In fact, there's a KB doc at RH that claims the "bogus tcp line" is a RH anomaly that they *STILL* haven't fixed. In fact, they took the Microsoft approach and tried to not call it a bug. Microsoft = RH?

Moreover, I found out that the netstat command merely does the equivalent of a kind of grep and awk on data stored in /proc/net. So therefore, the kernel is the fault of this problem to some degree. It's actually a combination of the kernel and the net-tools package (the package that contains netstat). If the kernel didn't throw up the bug in the stats, then the netstat command would function properly. If the netstat command had better error handling, then it would process the data and error out without going in a continuous loop.

Unless you can recommend something else, I'm going to have to reboot this RH9 box, blowing all my linux uptime bragging rights.