sonewconn log entries

Hi everyone,

I found some disturbing log entries in /var/log/messages (IP address obscured):

Code:
kernel: sonewconn: pcb 0xfffff801b47a4988 (AAA.BBB.CCC.DDD:9001 (proto 6)): Listen queue overflow: 193 already in queue awaiting acceptance (937 occurrences)

There's a lot of info on that message, both on this forum and elsewhere, so I don't really need any help solving this problem.

I just need some help reading that line, because the proto 6 bit suggests (to me) that it's IPv6 traffic, but the IP address is IPv4. Does this mean that it's IPv6 over an IPv4 tunnel? Or is it something else?

Thanks in advance
Rob
 
On further investigation, I think that proto 6 could mean TCP (Wikipedia). Although I don't quite understand why one would write proto 6 instead of TCP...

Please feel free to confirm or correct.
 
If you simply redacted the actual numbers, it's an IPv4 connection. In that specific context, yes, proto 6 would be a TCP connection to AAA.BBB.CCC.DDD, port 9001. The specific message implies to me that that is a server listening on a socket for new connections. Listening sockets typically have a queue that inbound connections start on; they get accepted, then moved off. Basically, "the server listening on port 9001 is not processing incoming connections quickly enough and is not accepting any more".
 
A process that has a network socket open (like a webserver, or some other network service) has a small queue attached to that socket. Normally a connection is picked up by the process and dealt with. If you get some more connection requests before the process is able to pick them up, those requests are queued. Apparently you have a process that's listening for connections and it's not able to pick up those connection requests fast enough and the queue got so big it started overflowing. That's what the error is telling you.

There can be various reasons why this is happening. Number one reason: the process handling those requests just isn't quick enough. Another reason could be that your service is being DoS'ed. Someone is sending so many connection requests in quick succession that your process just chokes on it.
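
Added example, not part of the thread: a small parser for the message format quoted in the first post. It maps the `proto` field to its IP protocol name (6 is TCP) and totals overflow events per listening socket, which helps tell a slow service apart from a sudden connection flood. The sample lines and the function names are constructed for illustration, and the "(N occurrences)" suffix is treated as optional, which is an assumption.

```python
import re
from collections import defaultdict

# IP protocol numbers as listed in /etc/protocols; "proto 6" is TCP, not IPv6.
IP_PROTOCOLS = {6: "TCP", 17: "UDP", 132: "SCTP"}

SONEWCONN = re.compile(
    r"sonewconn: pcb 0x[0-9a-fA-F]+ "
    r"\((?P<addr>\S+):(?P<port>\d+) \(proto (?P<proto>\d+)\)\): "
    r"Listen queue overflow: (?P<queued>\d+) already in queue awaiting acceptance"
    r"(?: \((?P<count>\d+) occurrences\))?"
)

def parse_line(line):
    """Return the fields of one sonewconn overflow message, or None."""
    m = SONEWCONN.search(line)
    if m is None:
        return None
    proto = int(m["proto"])
    return {
        "addr": m["addr"],
        "port": int(m["port"]),
        "proto": IP_PROTOCOLS.get(proto, f"proto {proto}"),
        "queued": int(m["queued"]),
        # Suffix treated as optional (assumption); a bare message counts once.
        "occurrences": int(m["count"] or 1),
    }

def summarize(lines):
    """Total overflow events and peak queue depth per listening socket."""
    totals = defaultdict(lambda: {"occurrences": 0, "peak_queue": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a sonewconn overflow message
        entry = totals[(rec["addr"], rec["port"], rec["proto"])]
        entry["occurrences"] += rec["occurrences"]
        entry["peak_queue"] = max(entry["peak_queue"], rec["queued"])
    return dict(totals)

# Constructed sample lines (192.0.2.0/24 is a documentation address range).
SAMPLE = [
    "kernel: sonewconn: pcb 0xfffff801b47a4988 (192.0.2.10:9001 (proto 6)): Listen queue overflow: 193 already in queue awaiting acceptance (937 occurrences)",
    "kernel: sonewconn: pcb 0xfffff801b47a4988 (192.0.2.10:9001 (proto 6)): Listen queue overflow: 193 already in queue awaiting acceptance (12 occurrences)",
    "kernel: sonewconn: pcb 0xfffff801b47a5000 (192.0.2.10:80 (proto 6)): Listen queue overflow: 151 already in queue awaiting acceptance (4 occurrences)",
    "sshd[123]: Accepted publickey for rob from 192.0.2.99 port 50000",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
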
 