≡ Menu

Linux: Find Out Which Process Is Listening Upon a Port

How do I find out running processes were associated with each open port? How do I find out what process has open tcp port 111 or udp port 7000 under Linux?

You can the following programs to find out about port numbers and its associated process:

  1. netstat - a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
  2. fuser - a command line tool to identify processes using files or sockets.
  3. lsof - a command line tool to list open files under Linux / UNIX to report a list of all open files and the processes that opened them.
  4. /proc/$pid/ file system - Under Linux /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably including the processes name that opened port.

You must run above command(s) as the root user.

netstat example

Type the following command:
# netstat -tulpn
Sample outputs:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1138/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      850/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2
tcp        0      0 0.0.0.0:55091           0.0.0.0:*               LISTEN      910/rpc.statd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1467/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      992/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1565/cupsd
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      3813/transmission
tcp6       0      0 :::22                   :::*                    LISTEN      992/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1565/cupsd
tcp6       0      0 :::7000                 :::*                    LISTEN      3813/transmission
udp        0      0 0.0.0.0:111             0.0.0.0:*                           850/portmap
udp        0      0 0.0.0.0:662             0.0.0.0:*                           910/rpc.statd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3697/dhclient
udp        0      0 0.0.0.0:7000            0.0.0.0:*                           3813/transmission
udp        0      0 0.0.0.0:54746           0.0.0.0:*                           910/rpc.statd   

TCP port 3306 was opened by mysqld process having PID # 1138. You can verify this using /proc, enter:
# ls -l /proc/1138/exe
Sample outputs:

lrwxrwxrwx 1 root root 0 2010-10-29 10:20 /proc/1138/exe -> /usr/sbin/mysqld

You can use grep command to filter out information:
# netstat -tulpn | grep :80
Sample outputs:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2

Video demo

fuser command

Find out the processes PID that opened tcp port 7000, enter:
# fuser 7000/tcp
Sample outputs:

7000/tcp:             3813

Finally, find out process name associated with PID # 3813, enter:
# ls -l /proc/3813/exe
Sample outputs:

lrwxrwxrwx 1 vivek vivek 0 2010-10-29 11:00 /proc/3813/exe -> /usr/bin/transmission

/usr/bin/transmission is a bittorrent client, enter:
# man transmission
OR
# whatis transmission
Sample outputs:

transmission (1)     - a bittorrent client

Task: Find Out Current Working Directory Of a Process

To find out current working directory of a process called bittorrent or pid 3813, enter:
# ls -l /proc/3813/cwd
Sample outputs:

lrwxrwxrwx 1 vivek vivek 0 2010-10-29 12:04 /proc/3813/cwd -> /home/vivek

OR use pwdx command, enter:
# pwdx 3813
Sample outputs:

3813: /home/vivek

Task: Find Out Owner Of a Process

Use the following command to find out the owner of a process PID called 3813:
# ps aux | grep 3813
OR
# ps aux | grep '[3]813'
Sample outputs:

vivek     3813  1.9  0.3 188372 26628 ?        Sl   10:58   2:27 transmission

OR try the following ps command:
# ps -eo pid,user,group,args,etime,lstart | grep '[3]813'
Sample outputs:

3813 vivek    vivek    transmission                   02:44:05 Fri Oct 29 10:58:40 2010

Another option is /proc/$PID/environ, enter:
# cat /proc/3813/environ
OR
# grep --color -w -a USER /proc/3813/environ
Sample outputs (note --colour option):

Fig.01: grep output

Fig.01: grep output

lsof Command Example

Type the command as follows:

lsof -i :portNumber
lsof -i tcp:portNumber
lsof -i udp:portNumber
lsof -i :80
lsof -i :80 | grep LISTEN

Sample outputs:

apache2   1607     root    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1616 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1617 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1618 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1619 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1620 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)

Now, you get more information about pid # 1607 or 1616 and so on:
# ps aux | grep '[1]616'
Sample outputs:
www-data 1616 0.0 0.0 35816 3880 ? S 10:20 0:00 /usr/sbin/apache2 -k start
I recommend the following command to grab info about pid # 1616:
# ps -eo pid,user,group,args,etime,lstart | grep '[1]616'
Sample outputs:

1616 www-data www-data /usr/sbin/apache2 -k start     03:16:22 Fri Oct 29 10:20:17 2010

Where,

  • 1616 : PID
  • www-date : User name (owner - EUID)
  • www-date : Group name (group - EGID)
  • /usr/sbin/apache2 -k start : The command name and its args
  • 03:16:22 : Elapsed time since the process was started, in the form [[dd-]hh:]mm:ss.
  • Fri Oct 29 10:20:17 2010 : Time the command started.

Help: I Discover an Open Port Which I Don't Recognize At All

The file /etc/services is used to map port numbers and protocols to service names. Try matching port numbers:
$ grep port /etc/services
$ grep 443 /etc/services

Sample outputs:

https		443/tcp				# http protocol over TLS/SSL
https		443/udp

Check For rootkit

I strongly recommend that you find out which processes are really running, especially servers connected to the high speed Internet access. You can look for rootkit which is a program designed to take fundamental control (in Linux / UNIX terms "root" access, in Windows terms "Administrator" access) of a computer system, without authorization by the system's owners and legitimate managers. See how to detecting / checking rootkits under Linux.

Keep an Eye On Your Bandwidth Graphs

Usually, rooted servers are used to send a large number of spam or malware or DoS style attacks on other computers.

See also:

See the following man pages for more information:
$ man ps
$ man grep
$ man lsof
$ man netstat
$ man fuser

Tweet itFacebook itGoogle+ itPDF itFound an error/typo on this page?

{ 39 comments… add one }

  • Yogesh October 31, 2010, 8:52 pm

    Very helpful… Thanks Vivek :-)
    Also, Please explain the use of [ ] in PS command

  • sean November 1, 2010, 9:32 am

    Nice. very useful.

  • Mihai November 1, 2010, 8:08 pm

    If you have a graphic shell on your server there is a graphical tool that does automatically some of this: Netactview.
    http://netactview.sourceforge.net/

  • cjk November 11, 2010, 10:12 pm

    netstat is obsolete in favor of iproute2’s /sbin/ss and /sbin/ip tools.

    • Naresh Kumar November 15, 2010, 3:20 am

      netstat -ntupla

      Thanks,
      Naresh

  • natarajan February 1, 2011, 11:54 am

    really impressive

  • plastical March 14, 2011, 9:19 pm

    Thanks! Very usefull!!!

  • Nikhil KS November 2, 2011, 12:30 pm

    Thank you, it was very helpful.

  • Bhushan K November 4, 2011, 7:14 am

    Thanks you very much for the vital info.

  • human November 15, 2011, 5:35 pm

    holyyyy from where you learn all of this stuff ?? thank you, i will call you master then

  • Jagat February 7, 2012, 10:26 am

    Thank you.

  • Akshay June 25, 2012, 2:15 am

    This is very useful. Thanks Vivek.

  • karthik September 6, 2012, 7:28 am

    This is really useful one. Thanks many!.

    karthik

  • Vijay March 2, 2013, 2:43 am

    Thank you so much!!

    Superb Knowledgeable website!!

  • ketan March 11, 2013, 7:05 pm

    I cannot figure out why I cannot connect to any services on my linux server. I get error message “failed to connect the services on server IP 10.1.3.15″
    My server is running, as well as my services;
    xms1:/home/ket> ps -eaf | grep drd
    bin 2719 1 0 Mar05 ? 00:00:41 /usr/local/sbin/ipcmdrd
    bin 2764 1 0 Mar05 ? 00:00:08 /usr/local/sbin/cfmcmdrd
    bin 2805 1 0 Mar05 ? 00:00:01 /usr/local/sbin/cfmproxycmdrd
    bin 2831 1 0 Mar05 ? 00:00:46 /usr/local/sbin/dnscmdrd
    bin 2879 1 0 Mar05 ? 00:00:14 /usr/local/sbin/mpscmdrd
    eti 10123 8708 0 12:04 pts/3 00:00:00 grep drd
    xms1:/home/ket> ps -eaf | grep -i jimc
    eti 10125 8708 0 12:04 pts/3 00:00:00 grep -i jimc
    root 31718 1 0 Mar07 ? 00:00:00 /bin/sh ./jimc start
    xms1:/home/ket>

    Where can I check for problem?

    • Josh November 24, 2014, 11:11 pm

      This really depends on a whole lot of factors, like what port the services are running on and if you are connecting remotely, firewall rules can come into play. There’s nowhere near enough information to troubleshoot connectivity to a service included unfortunately.

  • ermanno March 25, 2013, 6:57 pm

    Hello,
    is what I was looking
    Thank you
    ermanno

  • Sergey June 11, 2013, 11:55 pm

    Very helpful!

  • Shakeel August 2, 2013, 7:24 pm

    Thank you ………………………..Very Helpful

  • ritesh September 21, 2013, 10:37 am

    Thanks Alot.. nice article

    Regards
    Ritesh

  • kashif iqbal November 6, 2013, 5:48 pm

    Thanks it is really helpful ..
    All networking engineers working on Linux boxes should save this for their day to day work.

  • Sitaram December 24, 2013, 2:06 am

    Hi Vivek,

    I see many processes with “-” as PID/Program Name. How do I kill such processes?
    Please help!

    Thanks,
    Sitaram.

  • Prasanth March 5, 2014, 10:36 am

    Hi,
    Im trying this on a mac. the first command netstat -tulpn does not work. Is there an equivalent command for the mac ?

    • Nix Craft March 5, 2014, 11:01 am

      How about:

      netstat -nat | grep LISTEN

      Or try lsof command

      lsof -i
      lsof -i TCP
      lsof -i UDP
      lsof -i TCP @host:port
      lsof -p PID_HERE
      lsof -c COMMAND_HERE
      lsof -u username_here
      
      • Prasanth March 5, 2014, 11:47 am

        The lsof command worked before too.
        Netstat works with

        `$ netstat -nat | grep LISTEN `

  • Sho March 11, 2014, 4:46 pm

    Process that is using port 10000 (with all it’s launch parameters)

    netstat -tulpn 2> /dev/null | grep 10000 | awk '{print $NF}' | awk -F'/' '{print $1}' | xargs ps -f | cat
  • Hugo October 28, 2014, 11:35 pm

    I used this commands a lot but forgot them.
    This sure helped me today!

    Thanks for putting them here for a quick look :)

  • anvita November 4, 2014, 6:39 am

    how will you get to know about the number of clients that are configured on your system in linux?

  • tagraf November 26, 2014, 4:54 pm

    nmap localhost

  • Samer/Iraq December 1, 2014, 12:31 am

    I just want to say: Thank you .. really thank you from my heart for all the help that you offer through your website. I love you .. really love you and love your website style and (most importantly) the accuracy of the information and simplicity of presentation. I only have one consideration .. why and 1000 why the name (nixCraft) does not match the domain?

  • Rambabu December 8, 2014, 5:27 am

    Memory Used Total Percentage
    Real 15439M 16128M 95%
    Swap 17780M 22668M 78%

    any action i need to take here ?

  • Gtor December 24, 2014, 8:44 pm

    Alternative way:
    # sysdig evt.type=connect and fd.port=80

  • Pankaj December 28, 2014, 11:00 am

    Thanks for sharing info, very useful.

  • Prakash February 4, 2015, 11:13 am

    It helped in process and related memory awareness.

  • Sepahrad Salour March 9, 2015, 12:25 pm

    Thanks, Very useful article…

  • Edson March 11, 2015, 5:03 pm

    maaaan… you’re all crazy! LOL just kidding; great article !

  • vkson July 23, 2015, 4:19 am

    Thank you very much
    It very helpful

Leave a Comment