Linux Find Out Which Process Is Listening Upon a Port

How do I find out running processes were associated with each open port on Linux? How do I find out what process has open TCP port # 111 or UDP port 7000 under Linux using the CLI?

A port is nothing but an endpoint of communication used in computer networks. You have physical or wireless connections at the hardware level. At software or operating system level a port act as a logical construct that acts as communication port of network service such as SSH, HTTPD and more. TCP and UDP are the most common port. TCP is an acronym for Transmission Control Protocol. UDP is an acronym for User Datagram Protocol. See the several difference between UDP and TCP internet protocols here. This page shows Linux commands to find out which process is listing upon a TCP or UDP port.

ADVERTISEMENTS

Linux Find Out Which Process Is Listening Upon a Port

You can the following programs to find out about port numbers and its associated process:

  1. netstat command or ss command – a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
  2. fuser command – a command line tool to identify processes using files or sockets.
  3. lsof command – a command line tool to list open files under Linux / UNIX to report a list of all open files and the processes that opened them.
  4. /proc/$pid/ file system – Under Linux /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably including the processes name that opened port.

You must run above command(s) as the root user.

Linux netstat command find out which process is listing upon a port

Type the following command:
# netstat -tulpn
Sample outputs:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1138/mysqld     
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      850/portmap     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2    
tcp        0      0 0.0.0.0:55091           0.0.0.0:*               LISTEN      910/rpc.statd   
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1467/dnsmasq    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      992/sshd        
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1565/cupsd      
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      3813/transmission
tcp6       0      0 :::22                   :::*                    LISTEN      992/sshd        
tcp6       0      0 ::1:631                 :::*                    LISTEN      1565/cupsd      
tcp6       0      0 :::7000                 :::*                    LISTEN      3813/transmission
udp        0      0 0.0.0.0:111             0.0.0.0:*                           850/portmap     
udp        0      0 0.0.0.0:662             0.0.0.0:*                           910/rpc.statd   
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1467/dnsmasq    
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1467/dnsmasq    
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3697/dhclient   
udp        0      0 0.0.0.0:7000            0.0.0.0:*                           3813/transmission
udp        0      0 0.0.0.0:54746           0.0.0.0:*                           910/rpc.statd   

TCP port 3306 was opened by mysqld process having PID # 1138. You can verify this using /proc, enter:
# ls -l /proc/1138/exe
Sample outputs:

lrwxrwxrwx 1 root root 0 2010-10-29 10:20 /proc/1138/exe -> /usr/sbin/mysqld

You can use grep command or egrep command to filter out information:
# netstat -tulpn | grep :80
Sample outputs:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2

A note about ss command

Some Linux distro considered the nestat command as deprecated and therefore should be phased out in favor of more modern replacements such as ss command. The syntax is:
$ sudo ss -tulpn
$ sudo ss -tulpn | grep :3306

Linux Find Out Which Process Is Listening Upon a Port

Click to enlarge image

Video demo

fuser command

Find out the processes PID that opened tcp port 7000, enter:
# fuser 7000/tcp
Sample outputs:

7000/tcp:             3813

Finally, find out process name associated with PID # 3813, enter:
# ls -l /proc/3813/exe
Sample outputs:

lrwxrwxrwx 1 vivek vivek 0 2010-10-29 11:00 /proc/3813/exe -> /usr/bin/transmission

/usr/bin/transmission is a bittorrent client, enter:
# man transmission
OR
# whatis transmission
Sample outputs:

transmission (1)     - a bittorrent client

Find Out Current Working Directory Of a Process

To find out current working directory of a process called bittorrent or pid 3813, enter:
# ls -l /proc/3813/cwd
Sample outputs:

lrwxrwxrwx 1 vivek vivek 0 2010-10-29 12:04 /proc/3813/cwd -> /home/vivek

OR use pwdx command, enter:
# pwdx 3813
Sample outputs:

3813: /home/vivek

Find Out Owner Of a Process on Linux

Use the following command to find out the owner of a process PID called 3813:
# ps aux | grep 3813
OR
# ps aux | grep '[3]813'
Sample outputs:

vivek     3813  1.9  0.3 188372 26628 ?        Sl   10:58   2:27 transmission

OR try the following ps command:
# ps -eo pid,user,group,args,etime,lstart | grep '[3]813'
Sample outputs:

3813 vivek    vivek    transmission                   02:44:05 Fri Oct 29 10:58:40 2010

Another option is /proc/$PID/environ, enter:
# cat /proc/3813/environ
OR
# grep --color -w -a USER /proc/3813/environ
Sample outputs (note –colour option):

Fig.01: grep output

Fig.01: grep output

lsof Command Example

Type the command as follows:

lsof -i :portNumber 
lsof -i tcp:portNumber 
lsof -i udp:portNumber 
lsof -i :80
lsof -i :80 | grep LISTEN

Sample outputs:

apache2   1607     root    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1616 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1617 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1618 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1619 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)
apache2   1620 www-data    3u  IPv4   6472      0t0  TCP *:www (LISTEN)

Now, you get more information about pid # 1607 or 1616 and so on:
# ps aux | grep '[1]616'
Sample outputs:
www-data 1616 0.0 0.0 35816 3880 ? S 10:20 0:00 /usr/sbin/apache2 -k start
I recommend the following command to grab info about pid # 1616:
# ps -eo pid,user,group,args,etime,lstart | grep '[1]616'
Sample outputs:

1616 www-data www-data /usr/sbin/apache2 -k start     03:16:22 Fri Oct 29 10:20:17 2010

Where,

  • 1616 : PID
  • www-date : User name (owner – EUID)
  • www-date : Group name (group – EGID)
  • /usr/sbin/apache2 -k start : The command name and its args
  • 03:16:22 : Elapsed time since the process was started, in the form [[dd-]hh:]mm:ss.
  • Fri Oct 29 10:20:17 2010 : Time the command started.

Help: I Discover an Open Port Which I Don’t Recognize At All

The file /etc/services is used to map port numbers and protocols to service names. Try matching port numbers:
$ grep port /etc/services
$ grep 443 /etc/services

Sample outputs:

https		443/tcp				# http protocol over TLS/SSL
https		443/udp

Check For rootkit

I strongly recommend that you find out which processes are really running, especially servers connected to the high speed Internet access. You can look for rootkit which is a program designed to take fundamental control (in Linux / UNIX terms “root” access, in Windows terms “Administrator” access) of a computer system, without authorization by the system’s owners and legitimate managers. See how to detecting / checking rootkits under Linux.

Keep an Eye On Your Bandwidth Graphs

Usually, rooted servers are used to send a large number of spam or malware or DoS style attacks on other computers.

Conlcusion

You learned various Linux commands to find information about running process and their ports. See the following man pages for more information:
$ man ps
$ man grep
$ man lsof
$ man netstat
$ man fuser

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
50 comments… add one
  • Yogesh Oct 31, 2010 @ 20:52

    Very helpful… Thanks Vivek :-)
    Also, Please explain the use of [ ] in PS command

  • sean Nov 1, 2010 @ 9:32

    Nice. very useful.

  • Mihai Nov 1, 2010 @ 20:08

    If you have a graphic shell on your server there is a graphical tool that does automatically some of this: Netactview.
    http://netactview.sourceforge.net/

  • cjk Nov 11, 2010 @ 22:12

    netstat is obsolete in favor of iproute2’s /sbin/ss and /sbin/ip tools.

    • Naresh Kumar Nov 15, 2010 @ 3:20

      netstat -ntupla

      Thanks,
      Naresh

  • natarajan Feb 1, 2011 @ 11:54

    really impressive

  • plastical Mar 14, 2011 @ 21:19

    Thanks! Very usefull!!!

  • Nikhil KS Nov 2, 2011 @ 12:30

    Thank you, it was very helpful.

  • Bhushan K Nov 4, 2011 @ 7:14

    Thanks you very much for the vital info.

  • human Nov 15, 2011 @ 17:35

    holyyyy from where you learn all of this stuff ?? thank you, i will call you master then

  • Jagat Feb 7, 2012 @ 10:26

    Thank you.

  • Akshay Jun 25, 2012 @ 2:15

    This is very useful. Thanks Vivek.

  • karthik Sep 6, 2012 @ 7:28

    This is really useful one. Thanks many!.

    karthik

  • Vijay Mar 2, 2013 @ 2:43

    Thank you so much!!

    Superb Knowledgeable website!!

  • ketan Mar 11, 2013 @ 19:05

    I cannot figure out why I cannot connect to any services on my linux server. I get error message “failed to connect the services on server IP 10.1.3.15”
    My server is running, as well as my services;
    xms1:/home/ket> ps -eaf | grep drd
    bin 2719 1 0 Mar05 ? 00:00:41 /usr/local/sbin/ipcmdrd
    bin 2764 1 0 Mar05 ? 00:00:08 /usr/local/sbin/cfmcmdrd
    bin 2805 1 0 Mar05 ? 00:00:01 /usr/local/sbin/cfmproxycmdrd
    bin 2831 1 0 Mar05 ? 00:00:46 /usr/local/sbin/dnscmdrd
    bin 2879 1 0 Mar05 ? 00:00:14 /usr/local/sbin/mpscmdrd
    eti 10123 8708 0 12:04 pts/3 00:00:00 grep drd
    xms1:/home/ket> ps -eaf | grep -i jimc
    eti 10125 8708 0 12:04 pts/3 00:00:00 grep -i jimc
    root 31718 1 0 Mar07 ? 00:00:00 /bin/sh ./jimc start
    xms1:/home/ket>

    Where can I check for problem?

    • Josh Nov 24, 2014 @ 23:11

      This really depends on a whole lot of factors, like what port the services are running on and if you are connecting remotely, firewall rules can come into play. There’s nowhere near enough information to troubleshoot connectivity to a service included unfortunately.

  • ermanno Mar 25, 2013 @ 18:57

    Hello,
    is what I was looking
    Thank you
    ermanno

  • Sergey Jun 11, 2013 @ 23:55

    Very helpful!

  • Shakeel Aug 2, 2013 @ 19:24

    Thank you ………………………..Very Helpful

  • ritesh Sep 21, 2013 @ 10:37

    Thanks Alot.. nice article

    Regards
    Ritesh

  • kashif iqbal Nov 6, 2013 @ 17:48

    Thanks it is really helpful ..
    All networking engineers working on Linux boxes should save this for their day to day work.

  • Sitaram Dec 24, 2013 @ 2:06

    Hi Vivek,

    I see many processes with “-” as PID/Program Name. How do I kill such processes?
    Please help!

    Thanks,
    Sitaram.

  • Prasanth Mar 5, 2014 @ 10:36

    Hi,
    Im trying this on a mac. the first command netstat -tulpn does not work. Is there an equivalent command for the mac ?

    • 🐧 Nix Craft Mar 5, 2014 @ 11:01

      How about:

      netstat -nat | grep LISTEN

      Or try lsof command

      lsof -i
      lsof -i TCP
      lsof -i UDP
      lsof -i TCP @host:port
      lsof -p PID_HERE 
      lsof -c COMMAND_HERE
      lsof -u username_here
      
      • Prasanth Mar 5, 2014 @ 11:47

        The lsof command worked before too.
        Netstat works with

        `$ netstat -nat | grep LISTEN `

  • Sho Mar 11, 2014 @ 16:46

    Process that is using port 10000 (with all it’s launch parameters)

    netstat -tulpn 2> /dev/null | grep 10000 | awk '{print $NF}' | awk -F'/' '{print $1}' | xargs ps -f | cat
  • Hugo Oct 28, 2014 @ 23:35

    I used this commands a lot but forgot them.
    This sure helped me today!

    Thanks for putting them here for a quick look :)

  • anvita Nov 4, 2014 @ 6:39

    how will you get to know about the number of clients that are configured on your system in linux?

  • tagraf Nov 26, 2014 @ 16:54

    nmap localhost

  • Samer/Iraq Dec 1, 2014 @ 0:31

    I just want to say: Thank you .. really thank you from my heart for all the help that you offer through your website. I love you .. really love you and love your website style and (most importantly) the accuracy of the information and simplicity of presentation. I only have one consideration .. why and 1000 why the name (nixCraft) does not match the domain?

  • Rambabu Dec 8, 2014 @ 5:27

    Memory Used Total Percentage
    Real 15439M 16128M 95%
    Swap 17780M 22668M 78%

    any action i need to take here ?

  • Gtor Dec 24, 2014 @ 20:44

    Alternative way:
    # sysdig evt.type=connect and fd.port=80

  • Pankaj Dec 28, 2014 @ 11:00

    Thanks for sharing info, very useful.

  • Prakash Feb 4, 2015 @ 11:13

    It helped in process and related memory awareness.

  • Sepahrad Salour Mar 9, 2015 @ 12:25

    Thanks, Very useful article…

  • Edson Mar 11, 2015 @ 17:03

    maaaan… you’re all crazy! LOL just kidding; great article !

  • vkson Jul 23, 2015 @ 4:19

    Thank you very much
    It very helpful

  • Saket Aug 7, 2015 @ 8:16

    Thanks a ton! After much googling, this answer helped perfectly.

  • navy Oct 9, 2015 @ 16:13

    Thanks a lot. It is really helpful.

  • praveen Oct 12, 2015 @ 0:49

    Thanks for this article. really helpful and keep sharing :)

  • boga Nov 19, 2015 @ 15:23

    Thank you for this article.
    It has helped me so much.

  • David Jan 6, 2016 @ 11:37

    Great info, what if you don’t know when the process will be run. The methods above seem like they would help when the process is running, but I have someone using an old DNS address from a server. We know the OS has been updated, so there is an app somewhere on the system with the old DNS server entered into it and server owner has no idea what it could be. When I run the command I don’t see anything on port 53, but know at least a couple times a day it reaches out. Other than have it output to text file every 5 seconds, is there a way to trigger this when the port is used?

  • Marveringius Oct 14, 2016 @ 11:22

    Very helpful!

  • Mahmoud Dec 11, 2016 @ 9:00

    how do you find all the listening ports associated with a process

  • Wellington Torrejais da Silva Apr 19, 2017 @ 17:56

    Thanks!

  • Diego Amicabile Aug 13, 2017 @ 23:32

    Sometimes it may be necessary to sudo your commands. “netstat -tulpn” does not return the information I need on my system, but “sudo netstat -tulpn” does.

  • Niranjan Aug 14, 2017 @ 13:59

    Thanks a ton, for sharing!

  • Nihar Paital Sep 26, 2017 @ 12:33

    Very Helpful

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.