Linux: Find Out Which Process Is Listening Upon a Port

October 31, 2010 · 33 comments · Last updated June 25, 2012

How do I find out which running processes are associated with each open port? How do I find out which process has opened TCP port 111 or UDP port 7000 under Linux?

You can use the following programs to find out about port numbers and their associated processes:

  1. netstat - a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
  2. fuser - a command line tool to identify processes using files or sockets.
  3. lsof - a command line tool to list open files under Linux / UNIX to report a list of all open files and the processes that opened them.
  4. /proc/$pid/ file system - Under Linux, /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably the name of the process that opened the port.

You must run the above command(s) as the root user.

netstat example

Type the following command:
# netstat -tulpn
Sample outputs:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1138/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      850/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2
tcp        0      0 0.0.0.0:55091           0.0.0.0:*               LISTEN      910/rpc.statd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1467/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      992/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1565/cupsd
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      3813/transmission
tcp6       0      0 :::22                   :::*                    LISTEN      992/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1565/cupsd
tcp6       0      0 :::7000                 :::*                    LISTEN      3813/transmission
udp        0      0 0.0.0.0:111             0.0.0.0:*                           850/portmap
udp        0      0 0.0.0.0:662             0.0.0.0:*                           910/rpc.statd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3697/dhclient
udp        0      0 0.0.0.0:7000            0.0.0.0:*                           3813/transmission
udp        0      0 0.0.0.0:54746           0.0.0.0:*                           910/rpc.statd   

TCP port 3306 was opened by the mysqld process with PID 1138. You can verify this using /proc, enter:
# ls -l /proc/1138/exe
Sample outputs:

lrwxrwxrwx 1 root root 0 2010-10-29 10:20 /proc/1138/exe -> /usr/sbin/mysqld

You can use the grep command to filter the output:
# netstat -tulpn | grep :80
Sample outputs:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2

fuser command

Find out the PID of the process that opened TCP port 7000, enter:
# fuser 7000/tcp
Sample outputs:

7000/tcp:             3813

Finally, find out the process name associated with PID 3813, enter:
# ls -l /proc/3813/exe
Sample outputs:

lrwxrwxrwx 1 vivek vivek 0 2010-10-29 11:00 /proc/3813/exe -> /usr/bin/transmission

/usr/bin/transmission is a BitTorrent client; to read about it, enter:
# man transmission
OR
# whatis transmission
Sample outputs:

transmission (1)     - a bittorrent client

Task: Find Out Current Working Directory Of a Process

To find out the current working directory of a process called bittorrent or PID 3813, enter:
# ls -l /proc/3813/cwd
Sample outputs:

lrwxrwxrwx 1 vivek vivek 0 2010-10-29 12:04 /proc/3813/cwd -> /home/vivek

OR use the pwdx command, enter:
# pwdx 3813
Sample outputs:

3813: /home/vivek

Task: Find Out Owner Of a Process

Use the following command to find out the owner of the process with PID 3813:
# ps aux | grep 3813
OR
# ps aux | grep '[3]813'
Sample outputs:

vivek     3813  1.9  0.3 188372 26628 ?        Sl   10:58   2:27 transmission

OR try the following ps command:
# ps -eo pid,user,group,args,etime,lstart | grep '[3]813'
Sample outputs:

3813 vivek    vivek    transmission                   02:44:05 Fri Oct 29 10:58:40 2010

Another option is /proc/$PID/environ, enter:
# cat /proc/3813/environ
OR
# grep --color -w -a USER /proc/3813/environ
Sample outputs (note --colour option):

Fig.01: grep output
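
The port → PID → executable → owner lookups above can also be done with nothing but /proc, which is useful when netstat, fuser or lsof are not installed. The script below is an added example, not part of the original article: it reads the kernel's socket tables (/proc/net/tcp and /proc/net/tcp6) and each process's fd directory. The function names and the sample table are constructed for illustration; run it as root so every process's descriptors are readable.

```shell
#!/bin/sh
# Added example: resolve a listening TCP port to its process using only /proc.

# listen_inodes PORT [TABLE...]: inodes of sockets in LISTEN state (st 0A) on
# PORT. TABLE defaults to /proc/net/tcp and /proc/net/tcp6; "-" reads stdin.
listen_inodes() {
    hex=$(printf '%04X' "$1"); shift
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    awk -v h="$hex" '
        FNR > 1 && $4 == "0A" {
            n = split($2, a, ":")       # local_address is HEXADDR:HEXPORT
            if (a[n] == h) print $10    # field 10 is the socket inode
        }' "$@" 2>/dev/null
}

# pids_for_inode INODE: PIDs holding a descriptor for socket:[INODE].
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; echo "${pid%%/*}"
    done | sort -un
}

# who_listens PORT: PID, effective UID, executable and cwd of each listener.
who_listens() {
    for inode in $(listen_inodes "$1"); do
        for pid in $(pids_for_inode "$inode"); do
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
            cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
            euid=$(awk '/^Uid:/ { print $3 }' "/proc/$pid/status" 2>/dev/null)
            # A " (deleted)" suffix means the binary was unlinked after start:
            # normal after a package upgrade, otherwise worth investigating.
            echo "pid=$pid euid=$euid exe=$exe cwd=$cwd"
        done
    done
}

# Constructed /proc/net/tcp excerpt: listeners on 3306 and 80, plus one
# established connection (st 01) on 3306 that must be ignored.
demo_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 6101 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6472 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 0100007F:D431 01 00000000:00000000 00:00000000 00000000   105        0 7720 1 0000000000000000 20 4 30 10 -1
EOF
}
```

On a live system, source the file and run `who_listens 3306`; `demo_table | listen_inodes 3306 -` exercises the parser on the constructed table.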


lsof Command Example

Type the command as follows:

lsof -i :portNumber
lsof -i tcp:portNumber
lsof -i udp:portNumber
lsof -i :80
lsof -i :80 | grep LISTEN

Sample outputs:

apache2   1607     root    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1616 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1617 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1618 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1619 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1620 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)

Now you can get more information about PID 1607, 1616 and so on:
# ps aux | grep '[1]616'
Sample outputs:
www-data 1616 0.0 0.0 35816 3880 ? S 10:20 0:00 /usr/sbin/apache2 -k start
I recommend the following command to grab info about pid # 1616:
# ps -eo pid,user,group,args,etime,lstart | grep '[1]616'
Sample outputs:

1616 www-data www-data /usr/sbin/apache2 -k start     03:16:22 Fri Oct 29 10:20:17 2010

Where,

  • 1616 : PID
  • www-data : User name (owner - EUID)
  • www-data : Group name (group - EGID)
  • /usr/sbin/apache2 -k start : The command name and its args
  • 03:16:22 : Elapsed time since the process was started, in the form [[dd-]hh:]mm:ss.
  • Fri Oct 29 10:20:17 2010 : Time the command started.

Help: I Discover an Open Port Which I Don't Recognize At All

The file /etc/services is used to map port numbers and protocols to service names. Try matching port numbers:
$ grep port /etc/services
$ grep 443 /etc/services

Sample outputs:

https		443/tcp				# http protocol over TLS/SSL
https		443/udp
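
An unrecognized port is easier to notice when the expected listeners are written down. The script below is an added example, not part of the original article: it compares `netstat -tulpn` output with an allowlist and reports every socket that is not on it, along with whether it is bound to all interfaces or only to loopback. The allowlist format (`proto port program`), the function names and the sample rows are assumptions made for this example, and program names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: report listeners that are missing from an allowlist.
# Allowlist lines (format assumed here): proto port program, e.g. tcp 22 sshd

# audit_listeners ALLOWLIST   (reads `netstat -tulpn` output on stdin)
# Prints: proto port bind-scope PID/program for each unexpected socket.
audit_listeners() {
    awk '
        FILENAME == ARGV[1] {                   # first input: the allowlist
            if (NF >= 3 && substr($1, 1, 1) != "#") ok[$1 " " $2 " " $3] = 1
            next
        }
        $1 ~ /^(tcp|udp)6?$/ {                  # netstat rows; headers skipped
            proto = $1; sub(/6$/, "", proto)
            n = split($4, a, ":"); port = a[n]  # last piece also fits IPv6
            addr = substr($4, 1, length($4) - length(port) - 1)
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # 992/sshd becomes sshd
            if ((proto " " port " " prog) in ok) next
            if (addr == "0.0.0.0" || addr == "::") scope = "all-interfaces"
            else if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
            else scope = addr
            print proto, port, scope, $NF
        }
    ' "$1" -
}

# Constructed sample: rows modelled on the netstat output in this article.
demo_audit() {
    allow=$(mktemp) || return 1
    printf '%s\n' '# proto port program' 'tcp 22 sshd' 'tcp 80 apache2' \
        'tcp 3306 mysqld' > "$allow"
    audit_listeners "$allow" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1138/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1565/cupsd
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      3813/transmission
tcp6       0      0 :::22                   :::*                    LISTEN      992/sshd
udp        0      0 0.0.0.0:7000            0.0.0.0:*                           3813/transmission
EOF
    rm -f "$allow"
}
```

On a live system, run it as root with `netstat -tulpn | audit_listeners /path/to/allowlist`; a row whose last column is `-` means netstat could not see the owning process.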

Check For rootkit

I strongly recommend that you find out which processes are really running, especially on servers connected to high-speed Internet access. You can look for a rootkit, which is a program designed to take fundamental control (in Linux / UNIX terms "root" access, in Windows terms "Administrator" access) of a computer system without authorization by the system's owners and legitimate managers. See how to detect / check for rootkits under Linux.

Keep an Eye On Your Bandwidth Graphs

Usually, rooted servers are used to send large amounts of spam or malware, or to launch DoS-style attacks on other computers.

See also:

See the following man pages for more information:
$ man ps
$ man grep
$ man lsof
$ man netstat
$ man fuser

{ 33 comments… read them below or add one }

1 Yogesh October 31, 2010 at 8:52 pm

Very helpful… Thanks Vivek :-)
Also, Please explain the use of [ ] in PS command

Reply

2 nixCraft November 1, 2010 at 6:41 am
3 Yogesh November 1, 2010 at 7:13 am

Woow….
Never thought about this..

Reply

4 sean November 1, 2010 at 9:32 am

Nice. very useful.

Reply

5 Mihai November 1, 2010 at 8:08 pm

If you have a graphic shell on your server there is a graphical tool that does automatically some of this: Netactview.
http://netactview.sourceforge.net/

Reply

6 cjk November 11, 2010 at 10:12 pm

netstat is obsolete in favor of iproute2’s /sbin/ss and /sbin/ip tools.

Reply

7 Naresh Kumar November 15, 2010 at 3:20 am

netstat -ntupla

Thanks,
Naresh

Reply

8 natarajan February 1, 2011 at 11:54 am

really impressive

Reply

9 plastical March 14, 2011 at 9:19 pm

Thanks! Very useful!!!

Reply

10 Nikhil KS November 2, 2011 at 12:30 pm

Thank you, it was very helpful.

Reply

11 Bhushan K November 4, 2011 at 7:14 am

Thank you very much for the vital info.

Reply

12 human November 15, 2011 at 5:35 pm

holyyyy from where you learn all of this stuff ?? thank you, i will call you master then

Reply

13 Jagat February 7, 2012 at 10:26 am

Thank you.

Reply

14 Akshay June 25, 2012 at 2:15 am

This is very useful. Thanks Vivek.

Reply

15 karthik September 6, 2012 at 7:28 am

This is really useful one. Thanks many!.

karthik

Reply

16 Vijay March 2, 2013 at 2:43 am

Thank you so much!!

Superb Knowledgeable website!!

Reply

17 ketan March 11, 2013 at 7:05 pm

I cannot figure out why I cannot connect to any services on my linux server. I get error message “failed to connect the services on server IP 10.1.3.15”
My server is running, as well as my services;
xms1:/home/ket> ps -eaf | grep drd
bin 2719 1 0 Mar05 ? 00:00:41 /usr/local/sbin/ipcmdrd
bin 2764 1 0 Mar05 ? 00:00:08 /usr/local/sbin/cfmcmdrd
bin 2805 1 0 Mar05 ? 00:00:01 /usr/local/sbin/cfmproxycmdrd
bin 2831 1 0 Mar05 ? 00:00:46 /usr/local/sbin/dnscmdrd
bin 2879 1 0 Mar05 ? 00:00:14 /usr/local/sbin/mpscmdrd
eti 10123 8708 0 12:04 pts/3 00:00:00 grep drd
xms1:/home/ket> ps -eaf | grep -i jimc
eti 10125 8708 0 12:04 pts/3 00:00:00 grep -i jimc
root 31718 1 0 Mar07 ? 00:00:00 /bin/sh ./jimc start
xms1:/home/ket>

Where can I check for problem?

Reply

18 Josh November 24, 2014 at 11:11 pm

This really depends on a whole lot of factors, like what port the services are running on and if you are connecting remotely, firewall rules can come into play. There’s nowhere near enough information to troubleshoot connectivity to a service included unfortunately.

Reply

19 ermanno March 25, 2013 at 6:57 pm

Hello,
is what I was looking
Thank you
ermanno

Reply

20 Sergey June 11, 2013 at 11:55 pm

Very helpful!

Reply

21 Shakeel August 2, 2013 at 7:24 pm

Thank you ………………………..Very Helpful

Reply

22 ritesh September 21, 2013 at 10:37 am

Thanks a lot.. nice article

Regards
Ritesh

Reply

23 kashif iqbal November 6, 2013 at 5:48 pm

Thanks it is really helpful ..
All networking engineers working on Linux boxes should save this for their day to day work.

Reply

24 Sitaram December 24, 2013 at 2:06 am

Hi Vivek,

I see many processes with “-” as PID/Program Name. How do I kill such processes?
Please help!

Thanks,
Sitaram.

Reply

25 Prasanth March 5, 2014 at 10:36 am

Hi,
I'm trying this on a Mac. The first command, netstat -tulpn, does not work. Is there an equivalent command for the Mac?

Reply

26 Nix Craft March 5, 2014 at 11:01 am

How about:

netstat -nat | grep LISTEN

Or try lsof command

lsof -i
lsof -i TCP
lsof -i UDP
lsof -i TCP @host:port
lsof -p PID_HERE
lsof -c COMMAND_HERE
lsof -u username_here

Reply

27 Prasanth March 5, 2014 at 11:47 am

The lsof command worked before too.
Netstat works with

`$ netstat -nat | grep LISTEN `

Reply

28 Sho March 11, 2014 at 4:46 pm

Process that is using port 10000 (with all its launch parameters)

netstat -tulpn 2> /dev/null | grep 10000 | awk '{print $NF}' | awk -F'/' '{print $1}' | xargs ps -f | cat

Reply

29 Hugo October 28, 2014 at 11:35 pm

I used these commands a lot but forgot them.
This sure helped me today!

Thanks for putting them here for a quick look :)

Reply

30 anvita November 4, 2014 at 6:39 am

how will you get to know about the number of clients that are configured on your system in linux?

Reply

31 tagraf November 26, 2014 at 4:54 pm

nmap localhost

Reply

32 Samer/Iraq December 1, 2014 at 12:31 am

I just want to say: Thank you .. really thank you from my heart for all the help that you offer through your website. I love you .. really love you and love your website style and (most importantly) the accuracy of the information and simplicity of presentation. I only have one consideration .. why and 1000 why the name (nixCraft) does not match the domain?

Reply

33 Rambabu December 8, 2014 at 5:27 am

Memory Used Total Percentage
Real 15439M 16128M 95%
Swap 17780M 22668M 78%

any action i need to take here ?

Reply
