We only expect to see "unmatched close events" for connections initiated before tcptracer-bpf was started. Currently, we also see them for any TCP connection where tcp_*_connect didn't succeed (for example when connecting to a closed port) as we don't report those events:

https://github.com/weaveworks/tcptracer-bpf/blob/master/tcptracer-bpf.c#L415-L419

To reproduce, run the test tracer (sudo -E ./tests/tracer) and connect to a closed port, e.g. nc -w 1 google.com 56789

xref weaveworks/scope#2135 (comment)