How do I find out running processes were associated with each open port? How do I find out what process has open tcp port 111 or udp port 7000 under Linux?
You can the following programs to find out about port numbers and its associated process:
- netstat – a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
- fuser – a command line tool to identify processes using files or sockets.
- lsof – a command line tool to list open files under Linux / UNIX to report a list of all open files and the processes that opened them.
- /proc/$pid/ file system – Under Linux /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably including the processes name that opened port.
You must run above command(s) as the root user.
netstat example
Type the following command:
# netstat -tulpn
Sample outputs:
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1138/mysqld tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 850/portmap tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1607/apache2 tcp 0 0 0.0.0.0:55091 0.0.0.0:* LISTEN 910/rpc.statd tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1467/dnsmasq tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 992/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1565/cupsd tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN 3813/transmission tcp6 0 0 :::22 :::* LISTEN 992/sshd tcp6 0 0 ::1:631 :::* LISTEN 1565/cupsd tcp6 0 0 :::7000 :::* LISTEN 3813/transmission udp 0 0 0.0.0.0:111 0.0.0.0:* 850/portmap udp 0 0 0.0.0.0:662 0.0.0.0:* 910/rpc.statd udp 0 0 192.168.122.1:53 0.0.0.0:* 1467/dnsmasq udp 0 0 0.0.0.0:67 0.0.0.0:* 1467/dnsmasq udp 0 0 0.0.0.0:68 0.0.0.0:* 3697/dhclient udp 0 0 0.0.0.0:7000 0.0.0.0:* 3813/transmission udp 0 0 0.0.0.0:54746 0.0.0.0:* 910/rpc.statd
TCP port 3306 was opened by mysqld process having PID # 1138. You can verify this using /proc, enter:
# ls -l /proc/1138/exe
Sample outputs:
lrwxrwxrwx 1 root root 0 2010-10-29 10:20 /proc/1138/exe -> /usr/sbin/mysqld
You can use grep command to filter out information:
# netstat -tulpn | grep :80
Sample outputs:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1607/apache2
Video demo
fuser command
Find out the processes PID that opened tcp port 7000, enter:
# fuser 7000/tcp
Sample outputs:
7000/tcp: 3813
Finally, find out process name associated with PID # 3813, enter:
# ls -l /proc/3813/exe
Sample outputs:
lrwxrwxrwx 1 vivek vivek 0 2010-10-29 11:00 /proc/3813/exe -> /usr/bin/transmission
/usr/bin/transmission is a bittorrent client, enter:
# man transmission
OR
# whatis transmission
Sample outputs:
transmission (1) - a bittorrent client
Task: Find Out Current Working Directory Of a Process
To find out current working directory of a process called bittorrent or pid 3813, enter:
# ls -l /proc/3813/cwd
Sample outputs:
lrwxrwxrwx 1 vivek vivek 0 2010-10-29 12:04 /proc/3813/cwd -> /home/vivek
OR use pwdx command, enter:
# pwdx 3813
Sample outputs:
3813: /home/vivek
Task: Find Out Owner Of a Process
Use the following command to find out the owner of a process PID called 3813:
# ps aux | grep 3813
OR
# ps aux | grep '[3]813'
Sample outputs:
vivek 3813 1.9 0.3 188372 26628 ? Sl 10:58 2:27 transmission
OR try the following ps command:
# ps -eo pid,user,group,args,etime,lstart | grep '[3]813'
Sample outputs:
3813 vivek vivek transmission 02:44:05 Fri Oct 29 10:58:40 2010
Another option is /proc/$PID/environ, enter:
# cat /proc/3813/environ
OR
# grep --color -w -a USER /proc/3813/environ
Sample outputs (note –colour option):
lsof Command Example
Type the command as follows:
lsof -i :portNumber lsof -i tcp:portNumber lsof -i udp:portNumber lsof -i :80 lsof -i :80 | grep LISTEN |
Sample outputs:
apache2 1607 root 3u IPv4 6472 0t0 TCP *:www (LISTEN) apache2 1616 www-data 3u IPv4 6472 0t0 TCP *:www (LISTEN) apache2 1617 www-data 3u IPv4 6472 0t0 TCP *:www (LISTEN) apache2 1618 www-data 3u IPv4 6472 0t0 TCP *:www (LISTEN) apache2 1619 www-data 3u IPv4 6472 0t0 TCP *:www (LISTEN) apache2 1620 www-data 3u IPv4 6472 0t0 TCP *:www (LISTEN)
Now, you get more information about pid # 1607 or 1616 and so on:
# ps aux | grep '[1]616'
Sample outputs:
www-data 1616 0.0 0.0 35816 3880 ? S 10:20 0:00 /usr/sbin/apache2 -k start
I recommend the following command to grab info about pid # 1616:
# ps -eo pid,user,group,args,etime,lstart | grep '[1]616'
Sample outputs:
1616 www-data www-data /usr/sbin/apache2 -k start 03:16:22 Fri Oct 29 10:20:17 2010
Where,
- 1616 : PID
- www-date : User name (owner – EUID)
- www-date : Group name (group – EGID)
- /usr/sbin/apache2 -k start : The command name and its args
- 03:16:22 : Elapsed time since the process was started, in the form [[dd-]hh:]mm:ss.
- Fri Oct 29 10:20:17 2010 : Time the command started.
Help: I Discover an Open Port Which I Don’t Recognize At All
The file /etc/services is used to map port numbers and protocols to service names. Try matching port numbers:
$ grep port /etc/services
$ grep 443 /etc/services
Sample outputs:
https 443/tcp # http protocol over TLS/SSL https 443/udp
Check For rootkit
I strongly recommend that you find out which processes are really running, especially servers connected to the high speed Internet access. You can look for rootkit which is a program designed to take fundamental control (in Linux / UNIX terms “root” access, in Windows terms “Administrator” access) of a computer system, without authorization by the system’s owners and legitimate managers. See how to detecting / checking rootkits under Linux.
Keep an Eye On Your Bandwidth Graphs
Usually, rooted servers are used to send a large number of spam or malware or DoS style attacks on other computers.
See also:
See the following man pages for more information:
$ man ps
$ man grep
$ man lsof
$ man netstat
$ man fuser