Linux: Find Out Which Process Is Listening Upon a Port

October 31, 2010 · 27 comments · Last updated June 25, 2012

How do I find out which running processes are associated with each open port? How do I find out which process has TCP port 111 or UDP port 7000 open under Linux?

You can use the following programs to find out about port numbers and their associated processes:

  1. netstat - a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
  2. fuser - a command line tool to identify processes using files or sockets.
  3. lsof - a command line tool to list open files under Linux / UNIX to report a list of all open files and the processes that opened them.
  4. /proc/$pid/ file system - Under Linux, /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably including the name of the process that opened the port.

You must run the above commands as the root user.

netstat example

Type the following command:
# netstat -tulpn
Sample outputs:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1138/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      850/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2
tcp        0      0 0.0.0.0:55091           0.0.0.0:*               LISTEN      910/rpc.statd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1467/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      992/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1565/cupsd
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      3813/transmission
tcp6       0      0 :::22                   :::*                    LISTEN      992/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1565/cupsd
tcp6       0      0 :::7000                 :::*                    LISTEN      3813/transmission
udp        0      0 0.0.0.0:111             0.0.0.0:*                           850/portmap
udp        0      0 0.0.0.0:662             0.0.0.0:*                           910/rpc.statd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3697/dhclient
udp        0      0 0.0.0.0:7000            0.0.0.0:*                           3813/transmission
udp        0      0 0.0.0.0:54746           0.0.0.0:*                           910/rpc.statd   

TCP port 3306 was opened by the mysqld process with PID 1138. You can verify this using /proc, enter:
# ls -l /proc/1138/exe
Sample outputs:

lrwxrwxrwx 1 root root 0 2010-10-29 10:20 /proc/1138/exe -> /usr/sbin/mysqld

You can use the grep command to filter the output:
# netstat -tulpn | grep :80
Sample outputs:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2
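
The PID/Program name column is derived from /proc: each listening socket in /proc/net/tcp has an inode number, and the owning process holds a file descriptor in /proc/PID/fd that links to socket:[inode]. The following script is an added example (not from the original article) that performs the same lookup by hand; the sample table and its inode numbers are constructed.

```sh
#!/bin/sh
# Added example: map listening TCP ports to PIDs using only /proc.

# Constructed sample in /proc/net/tcp layout (addresses and ports are hex).
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   104        0 6001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 0100007F:D5A2 01 00000000:00000000 00:00000000 00000000   104        0 6003 1 0000000000000000 20 4 30 10 -1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6002 1 0000000000000000 100 0 0 10 0
EOF
}

# Read a /proc/net/tcp-format table on stdin and print "port inode" for
# every socket whose state field is 0A (TCP_LISTEN).
listening_inodes() {
    while read -r _sl laddr _raddr st _queues _timer _retr _uid _tmo inode _rest; do
        [ "$st" = "0A" ] || continue
        echo "$((0x${laddr##*:})) $inode"
    done
}

# Print the PIDs that hold socket inode $1, found through the fd symlinks
# ("socket:[6001]"). Other users' fd directories are readable only by root.
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -un
}

# Report every listener on stdin with its owning PID(s) and executable.
report() {
    listening_inodes | while read -r port inode; do
        pids=$(pids_for_inode "$inode")
        # No visible owner: kernel-owned socket or insufficient privilege.
        [ -n "$pids" ] || { echo "tcp/$port inode=$inode pid=-"; continue; }
        for pid in $pids; do
            echo "tcp/$port inode=$inode pid=$pid exe=$(readlink "/proc/$pid/exe" 2>/dev/null)"
        done
    done
}

# Live use (as root):  report < /proc/net/tcp ; report < /proc/net/tcp6
sample_table | listening_inodes   # parse the constructed table
```

A listener reported with pid=- corresponds to the "-" that netstat prints when it cannot identify the owning process.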

fuser command

Find out the PID of the process that opened TCP port 7000, enter:
# fuser 7000/tcp
Sample outputs:

7000/tcp:             3813

Finally, find out the process name associated with PID 3813, enter:
# ls -l /proc/3813/exe
Sample outputs:

lrwxrwxrwx 1 vivek vivek 0 2010-10-29 11:00 /proc/3813/exe -> /usr/bin/transmission

/usr/bin/transmission is a BitTorrent client. To confirm, enter:
# man transmission
OR
# whatis transmission
Sample outputs:

transmission (1)     - a bittorrent client

Task: Find Out Current Working Directory Of a Process

To find out the current working directory of the bittorrent client process with PID 3813, enter:
# ls -l /proc/3813/cwd
Sample outputs:

lrwxrwxrwx 1 vivek vivek 0 2010-10-29 12:04 /proc/3813/cwd -> /home/vivek

OR use the pwdx command, enter:
# pwdx 3813
Sample outputs:

3813: /home/vivek

Task: Find Out Owner Of a Process

Use the following command to find out the owner of the process with PID 3813:
# ps aux | grep 3813
OR
# ps aux | grep '[3]813'
Sample outputs:

vivek     3813  1.9  0.3 188372 26628 ?        Sl   10:58   2:27 transmission

OR try the following ps command:
# ps -eo pid,user,group,args,etime,lstart | grep '[3]813'
Sample outputs:

3813 vivek    vivek    transmission                   02:44:05 Fri Oct 29 10:58:40 2010

Another option is /proc/$PID/environ, enter:
# cat /proc/3813/environ
OR
# grep --color -w -a USER /proc/3813/environ
Sample outputs (note --colour option):

Fig.01: grep output

lsof Command Example

Type the command as follows:

lsof -i :portNumber
lsof -i tcp:portNumber
lsof -i udp:portNumber
lsof -i :80
lsof -i :80 | grep LISTEN

Sample outputs:

apache2   1607     root    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1616 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1617 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1618 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1619 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1620 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)

Now you can get more information about PID 1607 or 1616 and so on:
# ps aux | grep '[1]616'
Sample outputs:

www-data 1616 0.0 0.0 35816 3880 ? S 10:20 0:00 /usr/sbin/apache2 -k start

I recommend the following command to grab info about PID 1616:
# ps -eo pid,user,group,args,etime,lstart | grep '[1]616'
Sample outputs:

1616 www-data www-data /usr/sbin/apache2 -k start     03:16:22 Fri Oct 29 10:20:17 2010

Where,

  • 1616 : PID
  • www-data : User name (owner - EUID)
  • www-data : Group name (group - EGID)
  • /usr/sbin/apache2 -k start : The command name and its args
  • 03:16:22 : Elapsed time since the process was started, in the form [[dd-]hh:]mm:ss.
  • Fri Oct 29 10:20:17 2010 : Time the command started.

Help: I Discover an Open Port Which I Don't Recognize At All

The file /etc/services is used to map port numbers and protocols to service names. Try matching port numbers:
$ grep port /etc/services
$ grep 443 /etc/services

Sample outputs:

https		443/tcp				# http protocol over TLS/SSL
https		443/udp
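
To find the ports you do not recognize in the first place, compare the listeners against a list of services you expect on the host. The following script is an added example (not from the original article): the allowlist format and its entries are assumptions, and the sample input is a constructed subset of the netstat output shown earlier.

```sh
#!/bin/sh
# Added example: report listeners in `netstat -tulpn` output that are not on
# an allowlist. The allowlist format "proto/port/program" is an assumption.
ALLOW="tcp/22/sshd tcp/80/apache2 tcp/3306/mysqld udp/68/dhclient"

# Constructed sample: a subset of the netstat output shown earlier on the page.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1138/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      850/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      992/sshd
tcp6       0      0 :::7000                 :::*                    LISTEN      3813/transmission
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3697/dhclient
EOF
}

# Read netstat -tulpn output on stdin; print "proto/port program binding" for
# each socket that is not allowlisted. tcp6/udp6 are folded into tcp/udp.
audit_listeners() {
    awk -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1; sub(/6$/, "", proto)
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[0-9]+$/, "", addr)   # text before the port
        # $NF is PID/Program; this breaks if the program name has spaces.
        prog = $NF; sub(/^[0-9]+\//, "", prog)
        if ((proto "/" port "/" prog) in ok) next
        # A wildcard bind is reachable on every interface.
        bind = (addr == "0.0.0.0" || addr == "::") ? "wildcard" : "addr=" addr
        print proto "/" port, prog, bind
    }'
}

# Live use (as root):  netstat -tulpn | audit_listeners
sample_netstat | audit_listeners
```

Matching on the program name only confirms what netstat reports; verify the binary behind an unexpected entry with ls -l /proc/PID/exe as shown above.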

Check For rootkit

I strongly recommend that you find out which processes are really running, especially on servers connected to high-speed Internet access. You can look for a rootkit, which is a program designed to take fundamental control (in Linux / UNIX terms "root" access, in Windows terms "Administrator" access) of a computer system without authorization by the system's owners and legitimate managers. See how to detect / check for rootkits under Linux.

Keep an Eye On Your Bandwidth Graphs

Usually, rooted servers are used to send large amounts of spam or malware, or to launch DoS-style attacks on other computers.

See also:

See the following man pages for more information:
$ man ps
$ man grep
$ man lsof
$ man netstat
$ man fuser

{ 27 comments… read them below or add one }

1 Yogesh October 31, 2010 at 8:52 pm

Very helpful… Thanks Vivek :-)
Also, Please explain the use of [ ] in PS command

Reply

2 nixCraft November 1, 2010 at 6:41 am
3 Yogesh November 1, 2010 at 7:13 am

Woow….
Never thought about this..

Reply

4 sean November 1, 2010 at 9:32 am

Nice. very useful.

Reply

5 Mihai November 1, 2010 at 8:08 pm

If you have a graphic shell on your server there is a graphical tool that does automatically some of this: Netactview.
http://netactview.sourceforge.net/

Reply

6 cjk November 11, 2010 at 10:12 pm

netstat is obsolete in favor of iproute2’s /sbin/ss and /sbin/ip tools.

Reply

7 Naresh Kumar November 15, 2010 at 3:20 am

netstat -ntupla

Thanks,
Naresh

Reply

8 natarajan February 1, 2011 at 11:54 am

really impressive

Reply

9 plastical March 14, 2011 at 9:19 pm

Thanks! Very useful!!!

Reply

10 Nikhil KS November 2, 2011 at 12:30 pm

Thank you, it was very helpful.

Reply

11 Bhushan K November 4, 2011 at 7:14 am

Thank you very much for the vital info.

Reply

12 human November 15, 2011 at 5:35 pm

holyyyy from where you learn all of this stuff ?? thank you, i will call you master then

Reply

13 Jagat February 7, 2012 at 10:26 am

Thank you.

Reply

14 Akshay June 25, 2012 at 2:15 am

This is very useful. Thanks Vivek.

Reply

15 karthik September 6, 2012 at 7:28 am

This is really useful one. Thanks many!.

karthik

Reply

16 Vijay March 2, 2013 at 2:43 am

Thank you so much!!

Superb Knowledgeable website!!

Reply

17 ketan March 11, 2013 at 7:05 pm

I cannot figure out why I cannot connect to any services on my Linux server. I get error message “failed to connect the services on server IP 10.1.3.15”
My server is running, as well as my services;
xms1:/home/ket> ps -eaf | grep drd
bin 2719 1 0 Mar05 ? 00:00:41 /usr/local/sbin/ipcmdrd
bin 2764 1 0 Mar05 ? 00:00:08 /usr/local/sbin/cfmcmdrd
bin 2805 1 0 Mar05 ? 00:00:01 /usr/local/sbin/cfmproxycmdrd
bin 2831 1 0 Mar05 ? 00:00:46 /usr/local/sbin/dnscmdrd
bin 2879 1 0 Mar05 ? 00:00:14 /usr/local/sbin/mpscmdrd
eti 10123 8708 0 12:04 pts/3 00:00:00 grep drd
xms1:/home/ket> ps -eaf | grep -i jimc
eti 10125 8708 0 12:04 pts/3 00:00:00 grep -i jimc
root 31718 1 0 Mar07 ? 00:00:00 /bin/sh ./jimc start
xms1:/home/ket>

Where can I check for problem?

Reply

18 ermanno March 25, 2013 at 6:57 pm

Hello,
is what I was looking
Thank you
ermanno

Reply

19 Sergey June 11, 2013 at 11:55 pm

Very helpful!

Reply

20 Shakeel August 2, 2013 at 7:24 pm

Thank you ………………………..Very Helpful

Reply

21 ritesh September 21, 2013 at 10:37 am

Thanks a lot.. nice article

Regards
Ritesh

Reply

22 kashif iqbal November 6, 2013 at 5:48 pm

Thanks it is really helpful ..
All networking engineers working on Linux boxes should save this for their day to day work.

Reply

23 Sitaram December 24, 2013 at 2:06 am

Hi Vivek,

I see many processes with “-” as PID/Program Name. How do I kill such processes?
Please help!

Thanks,
Sitaram.

Reply

24 Prasanth March 5, 2014 at 10:36 am

Hi,
I'm trying this on a Mac. The first command netstat -tulpn does not work. Is there an equivalent command for the Mac?

Reply

25 Nix Craft March 5, 2014 at 11:01 am

How about:

netstat -nat | grep LISTEN

Or try lsof command

lsof -i
lsof -i TCP
lsof -i UDP
lsof -i TCP @host:port
lsof -p PID_HERE
lsof -c COMMAND_HERE
lsof -u username_here

Reply

26 Prasanth March 5, 2014 at 11:47 am

The lsof command worked before too.
Netstat works with

`$ netstat -nat | grep LISTEN `

Reply

27 Sho March 11, 2014 at 4:46 pm

Process that is using port 10000 (with all its launch parameters)

netstat -tulpn 2> /dev/null | grep 10000 | awk '{print $NF}' | awk -F'/' '{print $1}' | xargs ps -f | cat

Reply
