Munin's fw_conntrack reports strange number of sockets in TIME_WAIT

Question

Ubuntu Server 10.04.1 x86
Munin 1.4.4

Here is what Munin tells me about connections through firewall on my server:

TIME_WAIT

Here is what netstat -n has to say about this:

$ netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c
      2 CLOSE_WAIT
      1 CLOSING
   3720 ESTABLISHED
     34 FIN_WAIT1
     21 FIN_WAIT2
     13 LAST_ACK
      6 LISTEN
      4 SYN_RECV
    394 TIME_WAIT

According to netstat, 10% of sockets are in TIME_WAIT; 75% or more, according to Munin.

That is strange. Who is right?

More details about configuration etc. here: How to reduce number of sockets in TIME_WAIT?

Here is what Munin does: http://munin-monitoring.org/browser/tags/1.4.4/plugins/node.d.linux/fw_conntrack.in — Alexander Gladysh, Dec 13 '10 at 21:43
Munin looks at `/proc/net/ip_contrack`. Indeed, it reports 19K connections in `TIME_WAIT` out of total 20K. The question is, who to believe? — Alexander Gladysh, Dec 13 '10 at 21:47
Or am I trying to compare apples with oranges? If so, which Munin graph should I use? — Alexander Gladysh, Dec 13 '10 at 21:57

score 5 · Accepted Answer · answered Nov 06 '11 at 00:08

netstat doesn't show connections that are passing through the server as a gateway / firewall.

The munin-plugin parses /proc/net/ip_conntrack, which contains a lot of information not visible in netstat.

The answer; Both are right, but they answer different questions. Netstat talks about connections to and from the server itself. Conntrack provides information about traffic passing the server, so it can make sure to do address translation and so forth correctly.

Munin's fw_conntrack reports strange number of sockets in TIME_WAIT

1 Answers1

Linked