
Exploring Time_Wait status in Linux Netstat command

TIME WAIT state is a normal part of a TCP socket’s life cycle. It cannot and should not be avoided. TIME WAIT sockets may become an issue when there are tens of thousands active at any given time. Otherwise, smaller numbers of TIME WAIT sockets are normal.

TIME_WAIT: The host waits for a reasonable amount of time to ensure the remote host receives the final acknowledgment of a session termination request.

Netstat is a handy command for checking network connections on a Linux system. We can use the netstat command to check which connections are in the time_wait state.

Today we will dive into this.

  • What is the impact of time_wait TCP connections?
  • How to reduce the time_wait timer in Linux?
  • Example of time_wait in Linux

What is time_wait state?

Time_wait is a state in the TCP connection process. A socket will be in the TIME-WAIT state after it has received a FIN from the remote side.

After that point, the socket will automatically close itself. This ensures that old connections are properly shut down and prevents any errors or data corruption during network communication.

  • The TIME WAIT state is part of the TCP protocol connection close, as described in RFC 9293 – Transmission Control Protocol, Section 3.6 Closing a Connection.
  • The TIME WAIT state is entered by the Active Closer (the party who sends the first FIN) after they have received an ACK and a FIN from the Passive Closer, and sent an ACK to the Passive Closer’s last FIN.
  • The RFC defines the time spent in TIME WAIT state as “2 times MSL (Maximum Segment Lifetime)”. The Linux kernel’s implementation of TCP, however, is hard-coded with a TIME WAIT counter of 60 seconds.

 

When all outstanding packets have been successfully delivered, the socket exits Time_Wait state and can be reused.

This prevents connections from being re-opened before all pending packets have been processed by the network.

Concerns about time_wait state

The Time_Wait state is necessary for the proper functioning of TCP and other networking protocols, but can cause some issues for applications that require frequent connection establishment.

For example, a web server might run out of available sockets due to too many connections being in Time_Wait.

To address this issue, some systems use a technique called “Time_Wait recycling” which allows sockets to be reused after a certain amount of time has passed.

This is usually done with an automated process that periodically recycles sockets in Time_Wait state, allowing for more efficient use of available network resources.

Time_wait can happen on the client side or the server side. It depends on which side terminates the TCP session. From the above chart, A is the active closer and B is the passive closer.

When A closes the connection, it sends a FIN packet to B. After A gets the ACK and FIN back from B, the TCP connection changes to time_wait on A's side. Time_wait happens on the active closer's side.

What is the impact of time_wait TCP connections?

Time_wait state is a normal part of a TCP socket’s life cycle. Smaller numbers of TIME WAIT sockets are normal. If there are a lot of time_wait sockets, they will need some time to exit.

If our application needs to create new sockets during this time, it will fail because there are not enough ports available.

How to reduce the time_wait timer in Linux?

The RFC defines the time spent in TIME WAIT state as “2 times MSL (Maximum Segment Lifetime)”. But the Linux kernel’s implementation of TCP is hard-coded with a TIME WAIT counter of 60 seconds.

So there is no way to reduce this timer. But in some operating systems, we can reuse these ports by configuring some kernel parameters.

Understanding netstat command

Netstat is a command-line tool used in networking to display network connections and statistics. It can be used to show active network connections, open ports, and other information related to network activity.

The command works on various operating systems including Windows, Linux, and macOS.

Some of the most common uses of netstat include:

  • Displaying all active TCP/IP connections: netstat -a
  • Displaying only listening server sockets: netstat -l
  • Showing the status of all current network interfaces: netstat -i
  • Displaying statistics for each protocol (TCP, UDP): netstat -s

 

The output generated by the netstat command can be quite detailed and may require some interpretation. For example, it shows the local address and port number being used by a program as well as the remote address and port number of the destination it’s communicating with.

Example of time_wait in netstat command

This is a normal TCP connection on our Cassandra server. We can use netstat -anpl to check the connection status in Linux.

tcp 0 115 10.253.113.116:37640 10.241.94.101:7000 ESTABLISHED 31945/java

Now let’s shut down Cassandra on the server side. We can see that the TCP connection has changed to Time_wait.

tcp 0 0 10.253.113.116:37640 10.241.94.101:7000 TIME_WAIT -

If we see time_wait connections, that means something is wrong with the application: it is terminating the connections. We should check what is happening on the application side.

We can use this command to check the time_wait timer on Linux.

# ss --numeric -o state time-wait
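To turn the netstat output above into something that can be monitored, the following added example (not part of the original article) counts TIME_WAIT sockets per remote endpoint and flags endpoints whose count exceeds a percentage of the local ephemeral port range. Grouping by remote endpoint is used because outbound connections to one address and port must each take a different local port. The function names, the threshold and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise TIME_WAIT sockets from `netstat -ant` style text.
# Columns assumed: Proto Recv-Q Send-Q Local Foreign State [PID/Program]

# tw_by_remote: read netstat rows on stdin, print "count remote_addr:port",
# highest count first. Only rows whose State column is TIME_WAIT are counted.
tw_by_remote() {
    awk '$1 ~ /^tcp/ && $6 == "TIME_WAIT" { n[$5]++ }
         END { for (r in n) print n[r], r }' | sort -k1,1nr -k2,2
}

# tw_over_limit PCT LOW HIGH: read netstat rows on stdin, print every remote
# endpoint whose TIME_WAIT count is above PCT percent of the ephemeral port
# range LOW..HIGH (on Linux: /proc/sys/net/ipv4/ip_local_port_range).
tw_over_limit() {
    pct=$1 low=$2 high=$3
    tw_by_remote | awk -v pct="$pct" -v span="$((high - low + 1))" \
        '$1 * 100 > span * pct { print $2 }'
}

# Constructed sample rows, modelled on the netstat lines shown in the article.
sample_netstat() {
    cat <<'EOF'
tcp 0 115 10.253.113.116:37640 10.241.94.101:7000 ESTABLISHED 31945/java
tcp 0 0 10.253.113.116:37642 10.241.94.101:7000 TIME_WAIT -
tcp 0 0 10.253.113.116:37644 10.241.94.101:7000 TIME_WAIT -
tcp 0 0 10.253.113.116:37646 10.241.94.101:7000 TIME_WAIT -
tcp 0 0 10.253.113.116:51010 10.241.94.102:9042 TIME_WAIT -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1024/sshd
EOF
}

# Demonstration on the constructed sample.
sample_netstat | tw_by_remote
```

On a live host the same functions can be fed real data, for example `netstat -ant | tw_over_limit 50 $(cat /proc/sys/net/ipv4/ip_local_port_range)`.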

Conclusion

In general, the Time_Wait state is important for maintaining network reliability, but can be a source of issues if there are too many connections in this state.

To prevent these issues and ensure efficient use of resources, it is best to monitor the number of sockets in Time_Wait and take action when needed.

This could involve using the Time_Wait recycling technique or increasing the number of available sockets in order to reduce the amount of time spent in this state.