Copyrighted material

Linux: Find Out Which Process Is Listening Upon a Port

Posted By nixCraft <webmaster@cyberciti.biz> On October 31, 2010 @ 6:02 pm [ 23 Comments ]

ow do I find out running processes were associated with each open port? How do I find
out what process has open tcp port 111 or udp port 7000 under Linux?

You can the following programs to find out about port numbers and its associated process:
1. netstat - a command-line tool that displays network connections, routing tables, and a
number of network interface statistics.
2. fuser - a command line tool to identify processes using files or sockets.
3. lsof - a command line tool to list open files under Linux / UNIX to report a list of all
open files and the processes that opened them.
4. /proc/$pid/ file system - Under Linux /proc includes a directory for each running process (including kernel
processes) at /proc/PID, containing information about that process, notably including the processes name that
opened port.

[1]

You must run above command(s) as the root user.

netstat example
Type the following command:
# netstat -tulpn
Sample outputs:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address
name
tcp
0
0 127.0.0.1:3306
tcp
0
0 0.0.0.0:111
tcp
0
0 0.0.0.0:80
tcp
0
0 0.0.0.0:55091
tcp
0
0 192.168.122.1:53
tcp
0
0 0.0.0.0:22
tcp
0
0 127.0.0.1:631
tcp
0
0 0.0.0.0:7000
3813/transmission
tcp6
0
0 :::22
tcp6
0
0 ::1:631
tcp6
0
0 :::7000
3813/transmission
udp
0
0 0.0.0.0:111
udp
0
0 0.0.0.0:662
udp
0
0 192.168.122.1:53
udp
0
0 0.0.0.0:67
udp
0
0 0.0.0.0:68
udp
0
0 0.0.0.0:7000
3813/transmission
udp
0
0 0.0.0.0:54746

Foreign Address

State

PID/Program

0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*

LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN

1138/mysqld
850/portmap
1607/apache2
910/rpc.statd
1467/dnsmasq
992/sshd
1565/cupsd

:::*
:::*
:::*

LISTEN
LISTEN
LISTEN

992/sshd
1565/cupsd

0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*

850/portmap
910/rpc.statd
1467/dnsmasq
1467/dnsmasq
3697/dhclient

0.0.0.0:*

910/rpc.statd

TCP port 3306 was opened by mysqld process having PID # 1138. You can verify this using /proc, enter:
# ls -l /proc/1138/exe
Sample outputs:
nixCraft is GIT UL++++ W+++ C++++ M+ e+++ d-

Page 1 of 5

lrwxrwxrwx 1 root root 0 2010-10-29 10:20 /proc/1138/exe -> /usr/sbin/mysqld

You can use grep command [2] to filter out information:
# netstat -tulpn | grep :80
Sample outputs:
tcp

0 0.0.0.0:80

0.0.0.0:*

LISTEN

1607/apache2

Video demo

fuser command
Find out the processes PID that opened tcp port 7000, enter:
# fuser 7000/tcp
Sample outputs:
7000/tcp:

3813

Finally, find out process name associated with PID # 3813, enter:
# ls -l /proc/3813/exe
Sample outputs:
lrwxrwxrwx 1 vivek vivek 0 2010-10-29 11:00 /proc/3813/exe -> /usr/bin/transmission
/usr/bin/transmission is a bittorrent client, enter:
# man transmission
OR
# whatis transmission
Sample outputs:
nixCraft is GIT UL++++ W+++ C++++ M+ e+++ d-

Page 2 of 5

transmission (1)

- a bittorrent client

Task: Find Out Current Working Directory Of a Process

To find out current working directory of a process called bittorrent or pid 3813, enter:
# ls -l /proc/3813/cwd
Sample outputs:
lrwxrwxrwx 1 vivek vivek 0 2010-10-29 12:04 /proc/3813/cwd -> /home/vivek
OR use pwdx command, enter:
# pwdx 3813
Sample outputs:
3813: /home/vivek

Task: Find Out Owner Of a Process

Use the following command to find out the owner of a process PID called 3813:
# ps aux | grep 3813
OR
# ps aux | grep '[3]813' [3]
Sample outputs:
vivek

3813

1.9

0.3 188372 26628 ?

Sl

10:58

2:27 transmission

OR try the following ps command:

# ps -eo pid,user,group,args,etime,lstart | grep '[3]813'
Sample outputs:
3813 vivek

vivek

transmission

02:44:05 Fri Oct 29 10:58:40 2010

Another option is /proc/$PID/environ, enter:

# cat /proc/3813/environ
OR
# grep --color -w -a USER /proc/3813/environ
Sample outputs (note --colour option):

nixCraft is GIT UL++++ W+++ C++++ M+ e+++ d-

Page 3 of 5

[4]

Fig.01: grep output

lsof Command Example

Type the command as follows:
lsof
lsof
lsof
lsof
lsof

-i
-i
-i
-i
-i

:portNumber
tcp:portNumber
udp:portNumber
:80
:80 | grep LISTEN

Sample outputs:
apache2
apache2
apache2
apache2
apache2
apache2

1607
1616
1617
1618
1619
1620

root
www-data
www-data
www-data
www-data
www-data

3u
3u
3u
3u
3u
3u

IPv4
IPv4
IPv4
IPv4
IPv4
IPv4

6472
6472
6472
6472
6472
6472

0t0
0t0
0t0
0t0
0t0
0t0

TCP
TCP
TCP
TCP
TCP
TCP

*:www
*:www
*:www
*:www
*:www
*:www

(LISTEN)
(LISTEN)
(LISTEN)
(LISTEN)
(LISTEN)
(LISTEN)

Now, you get more information about pid # 1607 or 1616 and so on:
# ps aux | grep '[1]616'
Sample outputs:
www-data 1616 0.0 0.0 35816 3880 ? S 10:20 0:00 /usr/sbin/apache2 -k start
I recommend the following command to grab info about pid # 1616:
# ps -eo pid,user,group,args,etime,lstart | grep '[1]616'
Sample outputs:
1616 www-data www-data /usr/sbin/apache2 -k start

03:16:22 Fri Oct 29 10:20:17 2010

Where,
1616 : PID
www-date : User name (owner - EUID)
www-date : Group name (group - EGID)
nixCraft is GIT UL++++ W+++ C++++ M+ e+++ d-

Page 4 of 5

/usr/sbin/apache2 -k start : The command name and its args

03:16:22 : Elapsed time since the process was started, in the form [[dd-]hh:]mm:ss.
Fri Oct 29 10:20:17 2010 : Time the command started.

Help: I Discover an Open Port Which I Don't Recognize At All

The file /etc/services is used to map port numbers and protocols to service names. Try matching port numbers:
$ grep port /etc/services
$ grep 443 /etc/services
Sample outputs:
https
https

443/tcp
443/udp

# http protocol over TLS/SSL

Check For rootkit

I strongly recommend that you find out which processes are really running, especially servers connected to the high
speed Internet access. You can look for rootkit which is a program designed to take fundamental control (in Linux / UNIX
terms "root" access, in Windows terms "Administrator" access) of a computer system, without authorization by the system's
owners and legitimate managers. See how to detecting / checking rootkits under Linux [5].

Keep an Eye On Your Bandwidth Graphs

Usually, rooted servers are used to send a large number of spam or malware or DoS style attacks on other computers.
See also:
See the following man pages for more information:
$
$
$
$
$

man
man
man
man
man

ps
grep
lsof
netstat
fuser

Article printed from www.cyberciti.biz

URL to article: http://www.cyberciti.biz/faq/what-process-has-open-linux-port/
URLs in this post:
[1] Image: http://www.cyberciti.biz/faq/category/linux/
[2] grep command: http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/
[3] ps aux | grep '[3]813': http://www.cyberciti.biz/tips/grepping-ps-output-without-getting-grep.html
[4] Image: http://www.cyberciti.biz/faq/what-process-has-open-linux-port/pid-owner/
[5] how to detecting / checking rootkits under Linux: http://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectorssoftware/
Copyrighted material
Copyright 2006-2014 nixCraft. All rights reserved. This print / pdf version is for personal non-commercial use only. Unless otherwise indicated, the
documents and graphics stored on this Web server, www.cyberciti.biz, are copyrighted. Links to these documents are permitted and encouraged. No
copies may be made without permission. More details - http://www.cyberciti.biz/tips/copyright

nixCraft is GIT UL++++ W+++ C++++ M+ e+++ d-

Page 5 of 5