How do I find out which running processes are associated with each open port? How do I find
out what process has open tcp port 111 or udp port 7000 under Linux?
You can use the following programs to find out about port numbers and their associated processes:
1. netstat - a command-line tool that displays network connections, routing tables, and a
number of network interface statistics.
2. fuser - a command line tool to identify processes using files or sockets.
3. lsof - a command line tool to list open files under Linux / UNIX to report a list of all
open files and the processes that opened them.
4. /proc/$pid/ file system - Under Linux, /proc includes a directory for each running process (including kernel
processes) at /proc/PID, containing information about that process, notably including the name of the process that
opened the port.
netstat example
Type the following command:
# netstat -tulpn
Sample outputs:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1138/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      850/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2
tcp        0      0 0.0.0.0:55091           0.0.0.0:*               LISTEN      910/rpc.statd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1467/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      992/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1565/cupsd
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      3813/transmission
tcp6       0      0 :::22                   :::*                    LISTEN      992/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1565/cupsd
tcp6       0      0 :::7000                 :::*                    LISTEN      3813/transmission
udp        0      0 0.0.0.0:111             0.0.0.0:*                           850/portmap
udp        0      0 0.0.0.0:662             0.0.0.0:*                           910/rpc.statd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3697/dhclient
udp        0      0 0.0.0.0:7000            0.0.0.0:*                           3813/transmission
udp        0      0 0.0.0.0:54746           0.0.0.0:*                           910/rpc.statd
TCP port 3306 was opened by the mysqld process, which has PID # 1138. You can verify this using /proc, enter:
# ls -l /proc/1138/exe
Sample outputs:
nixCraft is GIT UL++++ W+++ C++++ M+ e+++ d-
0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2
fuser command
Find out the PID of the process that opened tcp port 7000, enter:
# fuser 7000/tcp
Sample outputs:
7000/tcp:             3813
Finally, find out the process name associated with PID # 3813, enter:
# ls -l /proc/3813/exe
Sample outputs:
lrwxrwxrwx 1 vivek vivek 0 2010-10-29 11:00 /proc/3813/exe -> /usr/bin/transmission
/usr/bin/transmission is a BitTorrent client. To confirm, enter:
# man transmission
OR
# whatis transmission
Sample outputs:
transmission (1)     - a bittorrent client
3813 1.9 Sl 10:58 2:27 transmission
vivek transmission
# lsof -i :portNumber
# lsof -i tcp:portNumber
# lsof -i udp:portNumber
# lsof -i :80
# lsof -i :80 | grep LISTEN
Sample outputs:
apache2   1607     root    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1616 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1617 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1618 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1619 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1620 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
Now you can get more information about PID # 1607, 1616, and so on:
# ps aux | grep '[1]616'
Sample outputs:
www-data 1616 0.0 0.0 35816 3880 ? S 10:20 0:00 /usr/sbin/apache2 -k start
I recommend the following command to grab info about pid # 1616:
# ps -eo pid,user,group,args,etime,lstart | grep '[1]616'
Sample outputs:
1616 www-data www-data /usr/sbin/apache2 -k start
Where,
1616 : PID
www-data : User name (owner - EUID)
www-data : Group name (group - EGID)
443/tcp
443/udp
# man ps
# man grep
# man lsof
# man netstat
# man fuser
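The /proc method from item 4 can be carried through without netstat, fuser or lsof, as in the following added example (not part of the original article): it reads a listening socket's inode from /proc/net/tcp and matches it against the socket:[inode] links under /proc/PID/fd. The function names, the optional PROC_ROOT argument and the tree built by make_sample_proc are assumptions made for illustration; only TCP listeners are handled.

```sh
# Added example (not from the original page): owner of a listening TCP port
# from /proc alone. The optional PROC_ROOT argument is an assumption made here.

# listen_inodes PORT [PROC_ROOT]: socket inodes of TCP listeners on PORT
listen_inodes() {
    root=${2:-/proc}
    hex=$(printf '%04X' "$1")   # ports are stored as 4 upper-case hex digits
    for table in "$root/net/tcp" "$root/net/tcp6"; do
        [ -r "$table" ] || continue
        # $2 = local addr:port, $4 = state (0A = LISTEN), $10 = socket inode.
        # (a[n] "") forces a string compare: awk would otherwise treat a hex
        # port such as 1E02 as the number 100 and match it against 0100.
        awk -v p="$hex" '$4 == "0A" { n = split($2, a, ":")
                                      if ((a[n] "") == p) print $10 }' "$table"
    done | sort -u
}

# port_owners PORT [PROC_ROOT]: one "PID EXE" line per process holding it
port_owners() {
    root=${2:-/proc}
    for inode in $(listen_inodes "$1" "$root"); do
        for fd in "$root"/[0-9]*/fd/*; do
            # an open socket shows up as a symlink that reads socket:[inode]
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pid=${fd#"$root"/}; pid=${pid%%/*}
            exe=$(readlink "$root/$pid/exe" 2>/dev/null) || exe='?'
            printf '%s %s\n' "$pid" "$exe"
        done
    done | sort -u
}

# make_sample_proc DIR: constructed /proc tree; PIDs, ports and exe paths
# follow the page's sample outputs, inodes and the 1E02 row are made up.
make_sample_proc() {
    mkdir -p "$1/net" "$1/1607/fd" "$1/1616/fd" "$1/3813/fd"
    {
        echo '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode'
        echo '   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6472 1'
        echo '   1: 00000000:1B58 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 7001 1'
        echo '   2: 00000000:1E02 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 7002 1'
    } > "$1/net/tcp"
    for pid in 1607 1616; do
        ln -s 'socket:[6472]' "$1/$pid/fd/3"; ln -s /usr/sbin/apache2 "$1/$pid/exe"
    done
    ln -s 'socket:[7001]' "$1/3813/fd/9"; ln -s /usr/bin/transmission "$1/3813/exe"
}

if [ "$#" -gt 0 ]; then port_owners "$@"; fi
```

Against the real /proc, the fd directories of other users' processes are readable only by root, so an unprivileged run lists only your own processes.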