Is there a bug with netstat -p?


mprotulipac
06-01-2005, 03:16 PM
When capturing multiple snapshots of netstat -pant information, I noticed what appears to be the same tcp socket being used by two different processes. In example 2, I could perhaps see the port 34403 switching to PID 11139; however, I find it more unlikely for the original PID 13330 to reuse the same port so quickly.

Am I misinterpreting the results?

Thanks in advance,

Mike


***

Example 1: Same socket listed twice in one snapshot (Two distinct processes with no relation to each other, other than they both talk to ldap):

tcp 0 0 10.x.x.x:33368 10.y.y.y:389 ESTABLISHED 13330/7
tcp 0 0 10.x.x.x:33368 10.y.y.y:389 ESTABLISHED 4923/java

***

Example 2: Same socket used in multiple snapshots taken within a minute:

Snapshot-1:
tcp 0 0 10.x.x.x:34403 10.y.y.y:389 ESTABLISHED 13330/7

Snapshot-2:
tcp 0 0 10.x.x.x:34403 10.y.y.y:389 ESTABLISHED 13330/7

Snapshot-3:
tcp 0 0 10.x.x.x:34403 10.y.y.y:389 ESTABLISHED 11139/6

Snapshot-4:
tcp 0 0 10.x.x.x:34403 10.y.y.y:389 ESTABLISHED 13330/7

Snapshot-5:
tcp 0 0 10.x.x.x:34403 10.y.y.y:389 ESTABLISHED 13330/7

***

ask_123
06-04-2005, 12:12 AM
1) The number listed in netstat is the port number, not a socket. A socket is more than just a port.
2) It is possible that a port can be used by multiple processes.
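
An illustration of the second point above, added here and not part of the original thread: on Linux a forked child inherits its parent's open descriptors, so a single TCP connection (one local ip:port to remote ip:port pair) can be held by two PIDs at the same moment. The function names and the loopback connection are constructed for the example, and it assumes a Linux /proc filesystem.

```python
import os
import socket

def socket_inode(sock):
    """Inode the kernel gave this socket; /proc shows it as socket:[N]."""
    return os.fstat(sock.fileno()).st_ino

def holders(inode):
    """Sorted PIDs that have socket:[inode] open, found via /proc/<pid>/fd."""
    target = f"socket:[{inode}]"
    found = set()
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:          # process exited, or not ours to inspect
            continue
        for fd in fds:
            try:
                if os.readlink(f"/proc/{pid}/fd/{fd}") == target:
                    found.add(int(pid))
                    break
            except OSError:      # fd closed between listdir and readlink
                pass
    return sorted(found)

def demo():
    """One loopback TCP connection (constructed), then fork: who holds it?"""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    accepted, _ = listener.accept()
    inode = socket_inode(client)
    r, w = os.pipe()
    child = os.fork()            # child inherits every open descriptor
    if child == 0:
        os.close(w)
        os.read(r, 1)            # wait until the parent has finished scanning
        os._exit(0)
    os.close(r)
    try:
        pids = holders(inode)
    finally:
        os.close(w)              # EOF on the pipe lets the child exit
        os.waitpid(child, 0)
        for s in (client, accepted, listener):
            s.close()
    return os.getpid(), child, pids

if __name__ == "__main__":
    parent, child, pids = demo()
    print(f"parent={parent} child={child} holders of the client socket: {pids}")
```

Run as root to see descriptors owned by other users; an unprivileged run only resolves the caller's own processes.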

mprotulipac
06-04-2005, 01:10 AM
I understand netstat shows port information. A socket is a host/port pair. I also understand the same port may be reused by multiple processes over time.

What I do not understand is how the same local ip.port talking to the same destination ip.port can be used by multiple processes in such a short time - by short time meaning less than the TIME_WAIT state.

I don't believe the socket is getting closed and I am not used to seeing multiple processes using the same socket... it appears something is masquerading them (or an OS-level type of pooling), and I am curious as to how the OS or whatever is handling this brokers/returns packets to the appropriate processes (many more questions if this is the case).