Use of Recv-Q and Send-Q

What does the Recv-Q values in a Listen socket mean?

Recv-Q is the Receive Queue. It is the number of bytes that are currently in a receive buffer. Upon reading the socket, the bytes are removed from the buffer and put into application memory. If the Recv-Q number gets too high, packets will be dropped because there is no place to put them.

More info here netstat

Why is the Recv-Q value in netstat equal to socket backlog + 1?

A backlog value of N really does mean allow "N + 1" connections
to queue to a listening socket. This allows one to specify
"0" as the backlog and still get 1 connection.

Reference: NET: Revert incorrect accept queue backlog changes. · torvalds/linux@64a1465 · GitHub

How to parse netstat command to get the send-q number from the line

Something like

$ netstat -naputeo 2>/dev/null | awk -v OFS=';' '$1 ~ /^tcp/ && $3 > 4000 { sub(/^.+:/, "", $4); print $3, $4, $9 }'

?

That would output the 3rd column (Send-Q), the port part of the 4th column (Local Address) and the 9th column (PID/Program name) if Send-Q > 4000, separated by semicolons so you can pipe it into your CSV.

E.g. (for Send-Q > 0 on my box)

$ netstat -naputeo 2>/dev/null | awk -v OFS=';' '$1 ~ /^tcp/ && $3 > 0 { sub(/^.+:/, "", $4); print $3, $4, $9 }'
52;22;4363/sshd:

EDIT:

If you really need to further process the values in bash, then you can just print the respective columns via awk and iterate over the lines like this:

#!/bin/bash

while read recv send address pid_program; do
        ip=${address%%:*}
        port=${address##*:}
        pid=${pid_program%%/*}
        program=${pid_program#*/}
        echo "recv=${recv} send=${send} ip=${ip} port=${port} pid=${pid} program=${program}"
        # do stuff here
done < <(netstat -naputeo 2>/dev/null | awk '$1 ~ /^(tcp|udp)/ && ($2 > 4000 || $3 > 4000) { print $2, $3, $4, $9 }')

E.g.:

$ ./t.sh
recv=0 send=52 ip=x.x.x.x port=22 pid=12345 program=sshd:

Note: I don't understand why you need the -o switch to netstat since you don't seem to be interested in the timers output, so you could probably drop that.

---

Related Topics