netstat/Question[Bug?]: multicast group membership prints tcp/udp connections as well? (-g46)

[ChriMarMe]

>./netstat -g46
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 burning-barricade:32900 ec2-3-68-18-70.eu:https ESTABLISHED
tcp        0      0 burning-barricade:60010 ec2-3-67-131-16.e:https ESTABLISHED
tcp       25      0 burning-barricade:34626 server-18-66-248-:https CLOSE_WAIT 
tcp        0      0 burning-barricade:51954 93.243.107.34.bc.:https ESTABLISHED
tcp       25      0 burning-barricade:34634 server-18-66-248-:https CLOSE_WAIT 
tcp        0      0 burning-barricade:38354 40.99.204.114:imaps     ESTABLISHED
tcp        0      0 burning-barricade:32912 ec2-3-68-18-70.eu:https ESTABLISHED
tcp        0      0 burning-barricade:53502 ec2-52-3-167-79.c:https ESTABLISHED
tcp        0      0 burning-barricade:32898 ec2-3-68-18-70.eu:https ESTABLISHED
tcp        0      0 burning-barricade:55342 46.101.105.92:https     ESTABLISHED
tcp        0      0 burning-barricade:43164 lb-140-82-112-25-:https ESTABLISHED
tcp        0      0 burning-barricade:41790 cdn-185-199-110-1:https ESTABLISHED
tcp        0      0 burning-barricade:32920 ec2-3-68-18-70.eu:https ESTABLISHED
tcp        0      0 burning-barricade:58844 wa-in-f109.1e100.:imaps ESTABLISHED
udp        0      0 burning-barricad:bootpc _gateway:bootps         ESTABLISHED
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      239.255.255.250
lo              1      mdns.mcast.net
lo              1      all-systems.mcast.net
enp2s0f0        1      all-systems.mcast.net
enp5s0          1      all-systems.mcast.net
enp7s0f3u1u4c2  1      all-systems.mcast.net
wlp3s0          1      239.255.255.250
wlp3s0          1      224.0.0.252
wlp3s0          1      mdns.mcast.net
wlp3s0          1      all-systems.mcast.net
virbr0          1      239.255.255.250
virbr0          1      mdns.mcast.net
virbr0          1      all-systems.mcast.net
virbr0          1      224.0.0.106
docker0         1      239.255.255.250
docker0         1      224.0.0.252
docker0         1      mdns.mcast.net
docker0         1      all-systems.mcast.net
docker0         1      224.0.0.106
veth80b67b4     1      all-systems.mcast.net
lo              1      ff02::fb
lo              1      ff02::1
lo              1      ff01::1
enp2s0f0        1      ff02::1
enp2s0f0        1      ff01::1
enp5s0          1      ff02::1
enp5s0          1      ff01::1

Is that behaviour deliberate or a bug?

[ecki]

Hm not sure if that was intentional, it does look a bit supprising. Since the man page lists it as a extra option and does not mention connections, we can probably change it (especially since there is no negative option to turn it off).

[ecki]

hmm... or maybe it should filter only sockets listening on those groups... havent used much mcast tooling lately.

[ChriMarMe]

I cant tell. My goal is to reimplement netstat in golang and found this weird behavior.
The code was not helpful in showing the intention or if there was any. That's why I ended up asking.

[ecki]

I will change it.

BTW if you reimplement something, I would not go with the /proc interface"ces but use (lib)netlink like ss from the iproute2 is doing, it's not only faster but also more complete information (for example multiple interface ips)

[ChriMarMe]

Thanks for the advice.

Yeah, the data from /proc is a nightmare to parse and process. So many different formats to read from.....

Sadly I already have most functionality done and encountered this issue here, but I certainly will have a look. Maybe it allows more clean and structured code. Thank you.

[ecki]

I checked again and I think the issue is coming from specifying -4 and -6 - those are not documented in the man-page as AF settings für -g:

netstat {--groups|-g} [--numeric|-n] [--numeric-hosts] [--nu‐
meric-ports] [--numeric-users] [--continuous|-c] [delay]

So it basically uses -46 as an indicator to show IP sockets besides the group. If you only use "netstat -g" it works (limited support for address families).

However it could be useful to limit to IPv4 or IPv6 address family?

[ecki]

The patch here needs some more rework for man and translations, but it works now that you can filter like "netstat -g4" or "netstat -g -6" or "netstat -g46" which is the same as "netstat -g". There is also a buffer corruption with netstat "-g46c".

usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vWnNcaeol] [<Socket> ...]
       netstat { [-vWeenNac] -i | [-cnNe] -M | [-6tuw] -s | [-cn46] -g }

$ ./netstat -gn4
IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      224.0.0.1
ens5            1      224.0.0.1