How to find out which process is listening upon a port

Posted by Steve on Wed 13 Jul 2005 at 02:27


When we covered port scanning a short while ago we discovered how to tell which ports had processes listening upon them, via port scanning. What we didn't do was learn how to tell which processes were associated with each open port.

Often you'll know which applications are going to be using a particular port, because it's the standard one, or because you know you set it up.

For example, when you see something listening upon port 25 you tend to expect it to be a mailserver, and similarly if you find something listening on port 80 you'll not be surprised to discover it's a webserver.

Sometimes, though, these assumptions can be mistaken, and other times you'll discover an open port which you simply don't recognise. If you're examining a machine you're not sure you trust fully, it's worth checking exactly which processes are really running.

As we noted in the introduction to port scanning with nmap you can look up which service uses any of the "standard" ports by referring to the file /etc/services.

For example we can open that file in our favourite editor, or pager, and see that port 43/tcp is associated with "whois", and that port 53 is associated with DNS.

These don't help you much if you have a service which has had its default port changed - something some people suggest you do as a means of increasing security. (Personally I believe such misdirection is misguided at best, and counter-productive at worst).

What you really need to do is to look up the process which is currently bound to the given network port. Thankfully this is a simple job with use of the lsof package.

If you don't have lsof already you can download and install it by becoming root and running:

root@mystery:~# apt-get install lsof

This will download and install the package for you, along with any dependencies which might be required:

Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed:
  lsof
0 upgraded, 1 newly installed, 0 to remove and 16 not upgraded.
Need to get 339kB of archives.
After unpacking 549kB of additional disk space will be used.
Get:1 http://http.us.debian.org unstable/main lsof 4.75.dfsg.1-1 [339kB]
Fetched 339kB in 3s (90.8kB/s)
Selecting previously deselected package lsof.
(Reading database ... 69882 files and directories currently installed.)
Unpacking lsof (from .../lsof_4.75.dfsg.1-1_i386.deb) ...
Setting up lsof (4.75.dfsg.1-1) ...

Once you have the package installed you can now discover precisely which processes are bound upon particular ports.

If you have the Apache webserver running on port 80 that will provide a suitable test candidate. If not you can choose another port you know is in use.

To discover the process name, ID (pid), and other details you need to run:

lsof -i :port

So to see which process is listening upon port 80 we can run:

root@mystery:~# lsof -i :80

This gives us the following output:

COMMAND   PID     USER   FD   TYPE   DEVICE SIZE NODE NAME
apache2 10437     root    3u  IPv6 22890556       TCP *:www (LISTEN)
apache2 10438 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)
apache2 10439 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)
apache2 10440 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)
apache2 10441 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)
apache2 10442 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)
apache2 25966 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)
apache2 25968 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)

Here you can see the command running (apache2), the username it is running as (www-data), and some other details.

Similarly we can see which process is bound to port 22:

root@mystery:~# lsof -i :22
COMMAND   PID USER   FD   TYPE   DEVICE SIZE NODE NAME
sshd     8936 root    3u  IPv6 12161280       TCP *:ssh (LISTEN)

To see all the ports open for listening upon the current host you can use another command netstat (contained in the net-tools package):

root@mystery:~# netstat -a |grep LISTEN |grep -v unix
tcp        0      0 *:2049                  *:*                     LISTEN     
tcp        0      0 *:743                   *:*                     LISTEN     
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     
tcp        0      0 *:5900                  *:*                     LISTEN     
tcp        0      0 localhost.locald:sunrpc *:*                     LISTEN     
tcp        0      0 *:8888                  *:*                     LISTEN     
tcp        0      0 localhost.localdom:smtp *:*                     LISTEN     
tcp6       0      0 *:www                   *:*                     LISTEN     
tcp6       0      0 *:distcc                *:*                     LISTEN     
tcp6       0      0 *:ssh                   *:*                     LISTEN     

Here you can see that there are processes listening upon ports 2049, 743, 5900, and several others.

(The second grep we used above was to ignore Unix domain sockets).

If you're curious to see which programs and services are used in those sockets you can look them up as we've already shown:

root@mystery:~# lsof -i :8888
COMMAND   PID    USER   FD   TYPE   DEVICE SIZE NODE NAME
gnump3d 25834 gnump3d    3u  IPv4 61035200       TCP *:8888 (LISTEN)

This tells us that the process bound to port 8888 is the gnump3d MP3 streamer.

Port 2049 and 743 are both associated with NFS. The rest can be tracked down in a similar manner. (You'll notice that some ports actually have their service names printed next to them, such as the smtp entry for port 25).

lsof is a very powerful tool which can be used for lots of jobs. If you're unfamiliar with it I recommend reading the manpage via:

man lsof

If you do so you'll discover that the -i flag can take multiple different types of arguments, to allow you to check more than one port at a time, and use IPv6 addresses too.

It's often used to see which files are open upon mounted devices, so you can kill the processes and unmount them cleanly.

 

 


Posted by dkg (216.254.xx.xx) on Wed 13 Jul 2005 at 04:09
fuser is also a pretty useful tool. it's part of the psmisc package

man fuser

...
EXAMPLES
fuser -km /home kills all processes accessing the file system /home in any way.

if fuser -s /dev/ttyS1; then :; else something; fi invokes something if no other process is using /dev/ttyS1.

fuser telnet/tcp shows all processes at the (local) TELNET port.

...

[ Parent | Reply to this comment ]

Posted by docelic (85.181.xx.xx) on Fri 15 Jul 2005 at 09:00
Fuser is the tool, yes, but make sure you're running it as root, or it might just produce no output and no error message.

[ Parent | Reply to this comment ]

Posted by davrieb (129.27.xx.xx) on Wed 13 Jul 2005 at 04:37
The netstat example doesn't really show the program's usefulness imho. Using
grep LISTEN
seems somewhat wrong to me as it limits the output to sockets using tcp or unix.

[ Parent | Reply to this comment ]

Posted by Steve (82.41.xx.xx) on Wed 13 Jul 2005 at 04:40

Sure I'm glossing over netstat a lot here, because that's not the focus.

But limiting the output to only TCP sockets is definitely deliberate in this context. The only thing I was trying to do was create a list of sockets which are open for listening which weren't Unix domain sockets which I didn't want to discuss to avoid confusion with "real" sockets.

Steve
-- Steve.org.uk

[ Parent | Reply to this comment ]

Posted by wouter (195.162.xx.xx) on Sun 17 Jul 2005 at 08:08

'netstat -nat' just shows tcp connections.

(well, the -n is just out of habit)

[ Parent | Reply to this comment ]

Posted by davrieb (129.27.xx.xx) on Wed 13 Jul 2005 at 04:51
Uh.. clicked on posting too early, still have something to say. As a similar example
netstat --tcp --udp --listening --program
or
netstat -tupl
for short, would be better. This also shows you udp sockets and the name of the program listening. And I have to add that this was a very nice article as it introduced two very useful tools.

[ Parent | Reply to this comment ]

Posted by gna (212.40.xx.xx) on Wed 13 Jul 2005 at 06:28
I use netstat -anp | grep LISTEN for checking the listening ports, sockets. But your -tupl maybe extended with n (numeric) is a good idea.

[ Parent | Reply to this comment ]

Posted by Anonymous (63.87.xx.xx) on Thu 18 Jan 2007 at 06:46
Suppose I know a port number. I want to know the PID of the process which is using that port.
And I can't install lsof here in this machine.
Is there any other way?

[ Parent | Reply to this comment ]

Posted by ravisankarvn (66.193.xx.xx) on Tue 27 Jan 2009 at 12:19
We can get the PID of the process listening on a known port from the following

fuser -n | grep | awk '{print $2}'

Further if we need to know the process name from this PID

ps -e | grep | awk '{print $4}'

[ Parent | Reply to this comment ]

Posted by ravisankarvn (66.193.xx.xx) on Tue 27 Jan 2009 at 12:25
The above two commands are to be noted as
fuser -n [tcp | udp] [portno.] | grep [tcp | udp] | awk '{print $2}'
and
ps -e | grep [pid] | awk '{print $4}'

[ Parent | Reply to this comment ]
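For the case raised above where lsof cannot be installed, the following is an added example (not part of the original thread) showing the same port-to-process lookup done with nothing but the Linux /proc filesystem: find the socket inode of the listener in /proc/net/tcp, then find which processes hold a descriptor on that inode. The function names and the PROC_ROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: map a listening TCP port to its processes using only /proc.
# PROC_ROOT is a hypothetical override so the functions can be pointed at a
# copy of /proc (for instance one collected from another machine).
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the inode of every socket in LISTEN state (st == 0A) on the port.
# /proc/net/tcp fields: sl local rem st tx:rx tr:when retrnsmt uid timeout inode
listen_inodes() {
    port_hex=$(printf '%04X' "$1")
    for table in "$PROC_ROOT/net/tcp" "$PROC_ROOT/net/tcp6"; do
        [ -r "$table" ] || continue
        awk -v p="$port_hex" 'NR > 1 {
            n = split($2, a, ":")      # local address is HEXADDR:HEXPORT
            if (toupper(a[n]) == p && $4 == "0A") print $10
        }' "$table"
    done | sort -u
}

# Print "PID COMMAND" for every process with a descriptor on those inodes.
pids_for_port() {
    for inode in $(listen_inodes "$1"); do
        for fd in "$PROC_ROOT"/[0-9]*/fd/*; do
            # Socket descriptors are symlinks of the form socket:[INODE].
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pid=${fd#"$PROC_ROOT"/}; pid=${pid%%/*}
            printf '%s %s\n' "$pid" "$(cat "$PROC_ROOT/$pid/comm" 2>/dev/null)"
        done
    done | sort -u
}

# Stand-alone use: sh thisfile 80
if [ $# -gt 0 ]; then pids_for_port "$1"; fi
```

Run it as root: without that, the fd directories of other users' processes are unreadable and their listeners are silently missed. It only sees sockets in the network namespace of the /proc it reads.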

Posted by sbp (193.136.xx.xx) on Thu 14 Jul 2005 at 00:24
Sometimes I use this command line to see opened ports and program name running on that port.

#!/bin/sh
/bin/netstat -nlatp | grep tcp | grep LIST | awk '{print $4,$7}' | awk -F: '{print $2}' | awk -F/ '{print $1,$2}' | awk '{print $1,$3}' | sort -nu

I know a perl or awk guru can simplify that, but it works :)

[ Parent | Reply to this comment ]

Posted by Piem (138.37.xx.xx) on Thu 14 Jul 2005 at 13:37
i'm also happy with netstat and never felt the need for something else.

just a note to add that the -u flag should also be used to know about udp connections. i usually use:

netstat -taulp

unless dns resolution is broken, in which case the -n (numeric) can be added.

[ Parent | Reply to this comment ]

Posted by Anonymous (81.152.xx.xx) on Mon 18 Jul 2005 at 06:57
I find it easier to do

netstat -tupln as root.

then ps aux | grep process
process to find out who is using that process.

(root@oldbox) (/home/test/public_html/mysqltests)-(07:51:37) # netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      22317/inetd
tcp        0      0 0.0.0.0:6020            0.0.0.0:*               LISTEN      21640/eggdrop
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      7789/mysqld
tcp        0      0 0.0.0.0:19150           0.0.0.0:*               LISTEN      10544/gkrellmd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6004/apache
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      17338/pure-ftpd (SE
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      13041/exim4
tcp        0      0 0.0.0.0:666             0.0.0.0:*               LISTEN      19641/darkstat
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      13092/apache-ssl
tcp6       0      0 :::19150                :::*                    LISTEN      10544/gkrellmd
tcp6       0      0 :::21                   :::*                    LISTEN      17338/pure-ftpd (SE
tcp6       0      0 :::22                   :::*                    LISTEN      7547/sshd
udp        0      0 0.0.0.0:2448            0.0.0.0:*                           21640/eggdrop
udp        0      0 0.0.0.0:3238            0.0.0.0:*                           21640/eggdrop


this is one of the first things i do when i get a fresh debian install. once i figure out what servers are running i don't like i kill them off and then use rcconf to stop them running at boot up.


[ Parent | Reply to this comment ]

Posted by Anonymous (84.77.xx.xx) on Sat 19 Jan 2013 at 19:21
a instead l

netstat -tupln -> it's good, but only to show the listening apps ports

with -tupan -> you see all of them, listening, established, etc... ;)

[ Parent | Reply to this comment ]
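The review of netstat -tupln output described in the comments above can be made repeatable by comparing it with a list of the listeners you expect. This is an added example, not code from the article or its commenters; the baseline format ("proto/port program"), the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `netstat -tupln` output with a baseline of expected
# listeners and report anything that differs.

# Constructed sample in netstat -tupln format; "unknownd" is a made-up name.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 7789/mysqld
tcp 0 0 0.0.0.0:6020 0.0.0.0:* LISTEN 21640/eggdrop
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 4242/unknownd
tcp6 0 0 :::22 :::* LISTEN 7547/sshd
udp 0 0 0.0.0.0:2448 0.0.0.0:* 21640/eggdrop
EOF
}

# Constructed baseline: what the administrator expects on this host.
sample_baseline() {
    printf '%s\n' 'tcp/22 sshd' 'tcp/25 exim4' 'tcp/3306 mysqld'
}

# usage: netstat -tupln | audit_listeners BASELINE_FILE
audit_listeners() {
    awk -v base="$1" '
    BEGIN { while ((getline l < base) > 0) { split(l, f, " "); want[f[1]] = f[2] } }
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1; sub(/6$/, "", proto)     # treat tcp6/udp6 as tcp/udp
        if (proto == "tcp" && $6 != "LISTEN") next
        # With -l, UDP rows have no State column, so the owner is field 6.
        owner = ($6 == "LISTEN") ? $7 : $6
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        split(owner, o, "/"); prog = (o[2] == "") ? "?" : o[2]
        scope = (addr ~ /^(127\.|::1$)/) ? "loopback" : "exposed"
        key = proto "/" port
        if (!(key in want))         print "UNEXPECTED", key, prog, scope
        else if (want[key] != prog) print "MISMATCH", key, prog, "expected=" want[key]
    }' | sort
}
```

A program shown as "?" means netstat printed "-" for the owner, which is what it does when it is not run as root.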

Posted by linuxrc (216.209.xx.xx) on Mon 18 Jul 2005 at 15:36
Good article.

As mentioned below some useful tools have been brought out of this article. I'm more prone to use lsof to find which processes are listening on a socket. Both netstat and lsof are useful tools.


RC

[ Parent | Reply to this comment ]

Posted by Anonymous (194.149.xx.xx) on Wed 1 Mar 2006 at 15:02
Two most common from ip world. sudo netstat -nlp; rpcinfo -p host

[ Parent | Reply to this comment ]

Posted by Anonymous (203.91.xx.xx) on Thu 30 Oct 2008 at 08:07
Can you suggest how to find which process is listening on what port in windows ? Netstat does not display the process name

[ Parent | Reply to this comment ]

Posted by Anonymous (190.51.xx.xx) on Sun 21 Mar 2010 at 08:04
See http://blogs.techrepublic.com.com/datacenter/?p=453
You can combine the netstat and tasklist commands to determine what process is using a port on the Windows Server.

[ Parent | Reply to this comment ]

Posted by Anonymous (159.53.xx.xx) on Tue 10 May 2011 at 16:00
Nice! helped me to find what I need. Thanks..

[ Parent | Reply to this comment ]

Posted by Anonymous (121.246.xx.xx) on Fri 28 Sep 2012 at 10:34
Thanks, it helped....

[ Parent | Reply to this comment ]

Posted by Tuipveus (194.252.xx.xx) on Tue 30 Jul 2013 at 07:19
My favourite for finding out ports of specific command is
"netstat -plan | grep $(pgrep process_name)" where obviously process_name is the name of the process which you want to monitor.

This is useful if you know the process_name or parameter, but don't know the portnumber. This is also useful if you call some python program for example and processname is always python but your program is instead parameter for python and your python program is the thing you want to grep for.

[ Parent | Reply to this comment ]
