[root@:/]# netstat -eont
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Timer
tcp 0 0 10.99.92.201:2000 10.99.92.82:63407 ESTABLISHED 0 keepalive (2.28/0/0)
tcp 0 29200 10.99.92.201:2004 10.99.92.82:63408 ESTABLISHED 0 unkn-4 (50.92/0/0)
[root@:/]# netstat -eont
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode Timer
tcp 0 0 10.99.92.201:2000 10.99.92.82:63407 ESTABLISHED 0 385 keepalive (0.35/0/0)
tcp 0 29201 10.99.92.201:2004 10.99.92.82:63408 FIN_WAIT1 0 0 unkn-4 (33.99/0/0)
[root@:/]# netstat -es
Ip:
195 total packets received
0 forwarded
0 incoming packets discarded
194 incoming packets delivered
260 requests sent out
Icmp:
0 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
0 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
Tcp:
0 active connections openings
2 passive connection openings
0 failed connection attempts
0 connection resets received
1 connections established
131 segments received
255 segments send out
1 segments retransmited
0 bad segments received.
0 resets sent
Udp:
10 packets received
0 packets to unknown port received.
0 packet receive errors
4 packets sent
RcvbufErrors: 0
SndbufErrors: 0
[root@:/]#
I have a Linux (2.6.33) application running on an ARM embedded system. The TCP socket details shown by "netstat" are pasted above.
What is the meaning of the unkn-4 state for the timer? In this state the Send-Q is showing 29200 and the socket is ESTABLISHED. But after some time the socket goes to the FIN WAIT 1 state and Send-Q is increased by 1 packet. I expect that this packet is sent with the RST flag.
But I didn't see this RST captured with tcpdump, which is running in the background.
Please help me find out what is happening here that puts the socket from the ESTABLISHED state into the FIN WAIT 1 state. I guess the RST is sent out from the application but is not sent out on the Ethernet interface and is lying in the TCP out Send-Q buffer, so I was not able to capture it. Is this correct, and how can I verify this?
I followed the reference below but still didn't get the answer.
http://vzkernel.blogspot.in/
It's a zero window probe timer.
Source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=96282
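The zero window probe reading from the answer above can be checked mechanically across two `netstat -eont` snapshots. The Python sketch below is an added example, not part of the original post; the function names `parse` and `diagnose` are hypothetical, and the sample rows are the question's own output embedded as constants.

```python
import re

# Constructed sample: the tcp rows of the two `netstat -eont` snapshots in the
# question, with the timer column on its own line (a form the parser handles).
SNAP1 = """\
tcp 0 0 10.99.92.201:2000 10.99.92.82:63407 ESTABLISHED 0
keepalive (2.28/0/0)
tcp 0 29200 10.99.92.201:2004 10.99.92.82:63408 ESTABLISHED 0
unkn-4 (50.92/0/0)
"""
SNAP2 = """\
tcp 0 0 10.99.92.201:2000 10.99.92.82:63407 ESTABLISHED 0 385
keepalive (0.35/0/0)
tcp 0 29201 10.99.92.201:2004 10.99.92.82:63408 FIN_WAIT1 0 0
unkn-4 (33.99/0/0)
"""

# Timer code 4 in /proc/net/tcp is the zero window probe timer; older
# net-tools prints it as "unkn-4", newer releases label it "probe".
PROBE_TIMERS = {"unkn-4", "probe"}
ROW = re.compile(
    r"^(tcp\S*) (\d+) (\d+) (\S+) (\S+) (\S+) \d+(?: \d+)? "  # .. User [Inode]
    r"(\S+) \(([\d.]+)/(\d+)/(\d+)\)")                        # timer (t/r/p)

def parse(text):
    """Return {(local, remote): row dict}, re-joining wrapped timer lines."""
    rows, joined = {}, []
    for line in text.splitlines():
        line = " ".join(line.split())          # normalise column spacing
        if line.startswith("tcp"):
            joined.append(line)
        elif joined and line:
            joined[-1] += " " + line           # continuation: timer column
    for line in joined:
        m = ROW.match(line)
        if m:
            _, _, sq, local, remote, state, timer, _, _, _ = m.groups()
            rows[(local, remote)] = {"send_q": int(sq), "state": state, "timer": timer}
    return rows

def diagnose(before, after):
    """List sockets with the probe timer pending and data still in Send-Q."""
    # A FIN consumes one sequence number, so close() on a stalled socket shows
    # up as Send-Q +1 together with the ESTABLISHED -> FIN_WAIT1 transition.
    a = parse(before)
    return [{"conn": k, "states": (a[k]["state"], n["state"]),
             "send_q_delta": n["send_q"] - a[k]["send_q"]}
            for k, n in parse(after).items()
            if k in a and n["timer"] in PROBE_TIMERS and n["send_q"] > 0]
```

Calling `diagnose(SNAP1, SNAP2)` reports only the port 2004 connection, with the Send-Q delta and state change seen in the question.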
This can happen if the other side doesn't receive your SYN packet, or your side didn't receive their ACK packet.
In general terms, this is usually a symptom of packet loss.