Exploring TCP Connection Time_Wait in Linux Netstat
Updated: Jul 29
TIME_WAIT is a socket state during TCP connection termination. It represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.
Netstat is a handy command to check the network connections in Linux system. We can use netstat command to check which connection is in the time_wait state.
Today we will dive into time_wait in Linux.
When and where time_wait happens?
Time_wait could happen on the client-side or server-side. It depends on which side terminates the tcp session. From the above chart, A is the active closer and B is the passive closer.
When A closes the connection, it will send a FIN packet to B. After A gets the Ack and FIN back from B, tcp connection will change to time_wait on A-side. Time_wait happens on the active closer side.
What is the impact of time_wait Tcp connections?
Time_wait state is a normal part of a TCP socket's life cycle. Smaller numbers of TIME WAIT sockets are normal. If there are a lot of time_wait sockets, it will need some time to exit.
If our application needs to create new sockets at this time, it will fail because we don't have enough ports now.
How to reduce the time_wait timer in Linux?
The RFC defines the time spent in TIME WAIT state as "2 times MSL (Maximum Segment Lifetime)". But the Linux kernel's implementation of TCP is hard-coded with a TIME WAIT counter of 60 seconds.
So there is no way to reduce this timer. But in some operating systems, we can reuse these ports by configuring some kernel parameters.
Example of time_wait in netstat command
This is a normal tcp connection on our Cassandra server. We can use netstat -anpl to check the connection status in Linux.
tcp 0 115 10.253.113.116:37640 10.241.94.101:7000 ESTABLISHED 31945/java
Now let's shutdown Cassandra on the server-side, we can see that the TCP connection became Time_wait.
tcp 0 0 10.253.113.116:37640 10.241.94.101:7000 TIME_WAIT -
If we see time_wait connections, that means something wrong with the application. It terminates the connections. We should check what happens from the application side.
We can use this command to check the time_wait timer on Linux.
# ss --numeric -o state time-wait