Linux / UNIX Find Out What Program / Service is Listening on a Specific TCP Port

by Vivek Gite on February 20, 2008 · 9 comments

Q. How do I find out which service is listening on a specific port? How do I find out what program is listening on a specific TCP Port?

A. Under Linux and UNIX you can use any one of the following command to get listing on a specific TCP port:
=> lsof : list open files including ports.

=> netstat : The netstat command symbolically displays the contents of various network-related data and information.

lsof command example

Type the following command to see IPv4 port(s), enter:
# lsof -Pnl +M -i4
Type the following command to see IPv6 listing port(s), enter:
# lsof -Pnl +M -i6
Sample output:

COMMAND    PID     USER   FD   TYPE DEVICE SIZE NODE NAME
gweather- 6591     1000   17u  IPv4 106812       TCP 192.168.1.100:57179->140.90.128.70:80 (ESTABLISHED)
firefox-b 6613     1000   29u  IPv4 106268       TCP 127.0.0.1:60439->127.0.0.1:3128 (ESTABLISHED)
firefox-b 6613     1000   31u  IPv4 106321       TCP 127.0.0.1:60440->127.0.0.1:3128 (ESTABLISHED)
firefox-b 6613     1000   44u  IPv4 106325       TCP 127.0.0.1:60441->127.0.0.1:3128 (ESTABLISHED)
firefox-b 6613     1000   50u  IPv4 106201       TCP 127.0.0.1:60437->127.0.0.1:3128 (ESTABLISHED)
deluge    6908     1000    8u  IPv4  23179       TCP *:6881 (LISTEN)
deluge    6908     1000   30u  IPv4  23185       UDP *:6881
deluge    6908     1000   45u  IPv4 106740       TCP 192.168.1.100:50584->217.169.223.161:38406 (SYN_SENT)
deluge    6908     1000   57u  IPv4  70529       TCP 192.168.1.100:57325->24.67.82.222:21250 (ESTABLISHED)
deluge    6908     1000   58u  IPv4 106105       TCP 192.168.1.100:38073->24.16.233.1:48479 (ESTABLISHED)
..........
......
ssh       6917     1000    3u  IPv4  23430       TCP 10.1.11.3:42658->10.10.29.66:22 (ESTABLISHED)

First column COMMAND - gives out information about program name. Please see output header for details. For example, gweather* command gets the weather report weather information from the U.S National Weather Service (NWS) servers (140.90.128.70), including the Interactive Weather Information Network (IWIN) and other weather services.
Where,

  1. -P : This option inhibits the conversion of port numbers to port names for network files. Inhibiting the conver-
    sion may make lsof run a little faster. It is also useful when port name lookup is not working properly.
  2. -n : This option inhibits the conversion of network numbers to host names for network files. Inhibiting conversion may make lsof run faster. It is also useful when host name lookup is not working properly.
  3. -l : This option inhibits the conversion of user ID numbers to login names. It is also useful when login name lookup is working improperly or slowly.
  4. +M : Enables the reporting of portmapper registrations for local TCP and UDP ports.
  5. -i4 : IPv4 listing only
  6. -i6 : IPv6 listing only

netstat command example

Type the command as follows:
# netstat -tulpn
OR
# netstat -npl
Output:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6881            0.0.0.0:*               LISTEN     6908/python
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     5562/cupsd
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN     6278/(squid)
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     5854/exim4
udp        0      0 0.0.0.0:32769           0.0.0.0:*                          6278/(squid)
udp        0      0 0.0.0.0:3130            0.0.0.0:*                          6278/(squid)
udp        0      0 0.0.0.0:68              0.0.0.0:*                          4583/dhclient3
udp        0      0 0.0.0.0:6881            0.0.0.0:*                          6908/python

Last column PID/Program name gives out information regarding program name and port.
Where,

  • -t : TCP port
  • -u : UDP port
  • -l : Show only listening sockets.
  • -p : Show the PID and name of the program to which each socket / port belongs
  • -n : No DNS lookup (speed up operation)

/etc/services file

/etc/services is a plain ASCII file providing a mapping between friendly textual names for internet services, and their underlying assigned port numbers and protocol types. Every networking program should look into this file to get the port number (and protocol) for its service. You can view this file with the help of cat or less command:
$ cat /etc/services
$ grep 110 /etc/services
$ less /etc/services

Further readings:

  • man pages - lsof, nmap, services, netstat

Featured Articles:

Share this with other sys admins!
Facebook it - Tweet it - Print it -

{ 9 comments… read them below or add one }

1 Claudio Miranda February 20, 2008

netstat offers other argument to better visualize process and ports, inclusive root programs.

sudo netstat -antpuew

Reply

2 pinnacle February 20, 2008

Hey Claudio

FreeBSD 6.3 – netstat -antpuew
Error:
netstat: uew: unknown or uninstrumented protocol

Any idea? lsof is only working :(

Reply

3 Claudio Miranda February 21, 2008

pinnacle, the previous netstat arguments is available for linux, solaris and freebsd needs to use pfiles and lsof, respectively. Sorry, I didn’t say before.

Reply

4 Gagan Brahmi January 15, 2009

@ pinnacle

The following is your command:

# sockstat -4 -l

In case you want to list the IPV6 IP addresses, use the following command:

# sockstat -6 -l

Reply

5 pierpaolo1 May 20, 2009

Hi,
I have 2 ports without a process; here is part of my netstat -tulpn:

tcp 0 0 0.0.0.0:58571 0.0.0.0:* LISTEN 0 8491 –

udp 0 0 0.0.0.0:36388 0.0.0.0:* 0 8487 –

I tried with lsof and fuser but there is no way to find the owner of these ports.
Should I worry about it?

Reply

6 Vivek Gite May 20, 2009

Run netstat as root user. Than you will get PID in 2nd last output filed. Run lsof as follows on that PID:
lsof -p PID

Reply

7 pierpaolo1 May 20, 2009

It was as root user.
As you can see, other ports gave me PID and daemon name:

tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3012/mysqld
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 3141/smbd
tcp 0 0 0.0.0.0:58571 0.0.0.0:* LISTEN –
tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 3052/clamd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2628/portmap

but only two don’t give me PID or daemon name.

Reply

8 Billy Bob November 12, 2009

I have been looking into this problem too. I found one possible answer in rpcinfo. With this I was able to associate a port with nlockmgr.

But I still have a port without a process. So if there are any better solutions, please post here again.

Reply

9 ragab January 1, 2011

all commands work well in linux fedora except sockstat

Reply

Leave a Comment

You can use these HTML tags and attributes for your code and commands: <strong> <em> <ol> <li> <u> <ul> <blockquote> <pre> <a href="" title="">
What is 12 + 5 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the simple math so we know that you are a human and not a script.




Tagged as: , , , , , , , , , , , , , , , , ,

Previous post:

Next post: