If a host disconnects from the other and you still see its connection as ESTABLISHED, it's probably related to the fact it's not honoring the TCP protocol and not closing the connection cleanly.
The netstat output is an interpreter of the current state of TCP connections. If a client wants to disconnect/close the socket that has previously been open and established, they should notify this to the remote system. This is done by sending the FIN request to the other node (more info here), in this case, the server.
If they fail to do so, the client indeed disconnects, but the remote server keeps thinking that the client is still connected, thus keeping its state as ESTABLISHED, and that's where the tcp_keepalive_time parameter joins the equation. As no further packets will be received, the kernel will wait the time specified by this parameter to time out the connection and forcibly close it.
You can debug this issue using the tcpdump tool. You could simply listen to the connection from the client host on the server side and check if it fails to send the FIN request.
tcpdump host X.X.X.X and port Y
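The FIN check described in the answer above, as an added example that is not part of the original answer: it reads text output saved from tcpdump and reports, per client, whether a FIN or RST was ever sent to the server. It assumes the capture was taken with `-n` so addresses and ports are numeric; the sample lines, addresses and the function name `client_close_status` are constructed for illustration.

```python
import re

# Matches the header of a tcpdump text line for an IPv4 TCP packet.
PKT = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# Constructed sample of `tcpdump -n` output (documentation addresses, made up).
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.51000 > 198.51.100.5.8080: Flags [S], seq 100, win 64240, length 0
12:00:01.000210 IP 198.51.100.5.8080 > 192.0.2.10.51000: Flags [S.], seq 900, ack 101, win 65160, length 0
12:00:05.100000 IP 192.0.2.10.51000 > 198.51.100.5.8080: Flags [F.], seq 1, ack 1, win 502, length 0
12:00:02.000001 IP 192.0.2.11.40222 > 198.51.100.5.8080: Flags [S], seq 300, win 64240, length 0
12:00:02.500000 IP 192.0.2.11.40222 > 198.51.100.5.8080: Flags [P.], seq 1:20, ack 1, win 502, length 19
12:00:03.000001 IP 192.0.2.12.40999 > 198.51.100.5.8080: Flags [S], seq 500, win 64240, length 0
12:00:04.000001 IP 192.0.2.12.40999 > 198.51.100.5.8080: Flags [R.], seq 1, ack 1, win 0, length 0
"""


def client_close_status(capture, server_ip, server_port):
    """Map each client 'ip:port' to 'fin', 'rst' or 'silent'.

    'silent' means the capture holds no FIN and no RST from that client.
    """
    status = {}
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue  # not a TCP packet line (ARP, wrapped output, ...)
        src, sport, dst, dport, flags = m.groups()
        if (dst, int(dport)) != (server_ip, server_port):
            continue  # keep only packets sent by a client to the server
        client = f"{src}:{sport}"
        status.setdefault(client, "silent")
        if "F" in flags:
            status[client] = "fin"      # clean close was announced
        elif "R" in flags and status[client] != "fin":
            status[client] = "rst"      # aborted, but the server was told
    return status


if __name__ == "__main__":
    for client, state in client_close_status(SAMPLE, "198.51.100.5", 8080).items():
        print(f"{client:22} {state}")
```

A client reported as `silent` sent neither FIN nor RST during the capture, which matches the unclean disconnect the answer describes.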
Best Answer
There's a tool called tcpkill. You can usually get it by installing dsniff.