Linux netstat--timers/o detailed and keepalive related

In Linux to view the number of network connections or network status, I generally use netstat or lsof these two, netstat words have a time clock function, which involves a lot of knowledge of TCP/IP protocol, today to say I understand the netstat timing function.

Netstat-altpno or NETSTAT-ALTPN--timers, look at the results:

Proto recv-q send-q Local address Foreign address State Pid/program name Timer

You can see the caption displayed, and a timer column, which represents the timekeeping function.

Timerkeepalive (576.47/0/0) < first column > < second column >

The data inside is divided into two columns.

The specific parameters and meanings of these two columns are described in detail below:

The first column, generally have a few States;

keepalive-#表示是keepalive的时间计时

Timing of on-#表示是重发 (retransmission)

off-#表示没有时间计时

timewait-#表示等待 (timewait) Time Timings

Second column,

(576.47/0/0) (A/B/C)

A-#计时时间值 (when the first column is KeepAlive, a represents the keepalive time; When the first column is on, a represents the time of the re-send (retransmission); When the first column is timewait, A represents the time of the Wait (timewait) to be timed)

B-#已经产生的重发 (retransmission) times

Number of C-#keepalive已经发送的探测 (probe) packets

Note:

1, the maximum time value of keepalive is related to the value of Tcp_keepalive_time, the value of Tcp_keepalive_time, the Linux default is 7,200 seconds, that is 2 hours, the meaning is: After establishing a connection, If there is no data interaction transfer within 7,200 seconds, the server sends a probe (probe) packet. The detection (probe) packet here is also equivalent to a heartbeat.

2, the detection (probe) packet of the relevant kernel parameters with TCP_KEEPALIVE_INTVL and tcp_keepalive_probes have a relationship, Tcp_keepalive_probes represents a total number of probe (probe) packets (the default is 9) , the TCP_KEEPALIVE_INTVL representative sends a probe (probe) packet, how many seconds did not receive the reply, then sends a probe (probe) packet, also represents the previously sent probe (probe) packet timeout failure (default is 75 seconds). After all the probes (probe) packets have been sent out or received no response, then the server will actively port this connection (long connection). So generally if the second column of C is 0, the range of A is between 0 ~ 7200, and 7200 is the value of tcp_keepalive_time, such as KeepAlive (178.06/0/0), if C is not 0, but not greater than tcp_keepalive_ The value of probes, then the range of a is 0 to 75, and 75 is the value of TCP_KEEPALIVE_INTVL. such as KeepAlive (18.06/0/2).

3, here again how KeepAlive works

If there is no activity within 7,200 seconds on a given connection, the server sends a probe segment to the client. (We'll see what the detection section looks like in the following example.) The client host must be one of the following four states:

1) The client host is still active (up) and reachable from the server. From the client TCP's normal response, the server knows that the other side is still active. The server's TCP resets the surviving timer for the next two hours, and if the application's communication occurs on the connection before the two-hour expiration, the timer resets back to the two-hour downward, and then the data is exchanged.

2) The client has crashed, or has been shut down, or is in the process of restarting. In both cases, it does not respond to TCP. The server did not receive a response to its probe and timed out after 75 seconds. The server will send a total of 10 such probes, each probing 75 seconds. If you do not receive a response, it is assumed that the client host has shut down and terminated the connection.

3) The client has crashed but has restarted. In this case, the server will receive a response to its surviving probe, but the response is a reset, causing the server to terminate the connection.

4) The client host is actively running, but unreachable from the server. This is similar to state 2 because TCP cannot differentiate between two of them. What it can show is that it is not receiving a reply to its probe.

4, Wait (timewait) time, the second column of a value, the maximum is 60, here to say why 60, there is a MSL (Maximum Segment Lifetime) concept, TCP If in time_wait state, Will maintain twice times the MSL time value, and then the connection will be disconnected, of course, there is time_wait this state, then it must be active to close the TCP connection that side, this if the understanding of the TCP four-time handshake concept to know why. RFC793 defines the MSL as 2 minutes and Linux is set to 30s, so the time_wait value on the Linux system is 60s maximum. So when the first column is timewait, the second is only a value, B and C are 0, for example

Timewait (48.32/0/0).

5, if the state is listed as Close_wait status, the Timer column is more off (0.00/0/0), this is why, because the close_wait is the passive close that side, this is not timeout (timeout) set, so it does not have time. Close_wait unless you kill the process, close_wait will not disappear automatically. A close_wait will last for at least 2 hours. Of course not disappear means to occupy the resources, here is to occupy FD. For example: On (2.28/5/2)

This article from "Zheng Xiaoming Technology Blog" blog, declined reprint!

Linux netstat--timers/o detailed and keepalive related