Linux what process use port

Linux Find Out Which Process Is Listening Upon a Port


You can use the following programs to find out about port numbers and their associated processes:

  1. netstat command or ss command – command-line tools that display network connections, routing tables, and a number of network interface statistics.
  2. fuser command – a command-line tool to identify processes using files or sockets.
  3. lsof command – a command-line tool that lists all open files under Linux / UNIX and the processes that opened them.
  4. /proc/$pid/ file system – Under Linux, /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably including the name of the process that opened the port.

You must run the above command(s) as the root user.
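The /proc lookup from item 4 can be carried out end to end without netstat or lsof: /proc/net/tcp lists each socket with its state and inode, and /proc/PID/fd shows which process holds that inode. The script below is an added example, not code from the original article; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve listening TCP ports to PIDs using /proc only.

# Constructed sample in /proc/net/tcp format (not captured from a real host).
# Ports are hex: 0CEA = 3306, 0050 = 80. State 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 20101 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20345 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000    33        0 20999 1 0000000000000000 20 4 30 10 -1'

# Read /proc/net/tcp-style rows on stdin; print "port inode" per LISTEN socket.
listening_sockets() {
    while read -r _sl laddr _raddr st _q _t _r _uid _to inode _rest; do
        [ "$st" = "0A" ] || continue      # skips the header and non-LISTEN rows
        echo "$((0x${laddr##*:})) $inode"
    done
}

# Print every PID that holds a file descriptor pointing at socket:[INODE].
# Without root only the caller's own processes are visible.
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -un
}

# Print "port pid executable" for each process listening on TCP port $1.
who_listens() {
    cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | listening_sockets |
    while read -r port inode; do
        [ "$port" = "$1" ] || continue
        for pid in $(pids_for_inode "$inode"); do
            echo "$port $pid $(readlink "/proc/$pid/exe")"
        done
    done
}

if [ $# -gt 0 ]; then who_listens "$1"; fi
```

Saved under a name of your choice and run as root with a port number as its only argument, it prints one line per listening process; reading /proc directly also gives a second opinion when the netstat or ss binaries themselves are in doubt.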

Linux netstat command: find out which process is listening upon a port

Type the following command:
# netstat -tulpn
Sample outputs:

TCP port 3306 was opened by the mysqld process with PID # 1138. You can verify this using /proc, enter:
# ls -l /proc/1138/exe
Sample outputs:

You can use the grep command or the egrep command to filter the output:
# netstat -tulpn | grep :80
Sample outputs:

A note about ss command

Some Linux distros consider the netstat command deprecated, to be phased out in favor of more modern replacements such as the ss command. The syntax is:
$ sudo ss -tulpn
$ sudo ss -tulpn | grep :3306


fuser command

Find out the PID of the process that opened TCP port 7000, enter:
# fuser 7000/tcp
Sample outputs:

Finally, find out the process name associated with PID # 3813, enter:
# ls -l /proc/3813/exe
Sample outputs:

/usr/bin/transmission is a BitTorrent client. To read more about it, enter:
# man transmission
OR
# whatis transmission
Sample outputs:

Find Out Current Working Directory Of a Process

To find out the current working directory of a process called bittorrent or PID 3813, enter:
# ls -l /proc/3813/cwd
Sample outputs:

OR use the pwdx command, enter:
# pwdx 3813
Sample outputs:


Find Out Owner Of a Process on Linux

Use the following command to find out the owner of the process with PID 3813:
# ps aux | grep 3813
OR
# ps aux | grep '[3]813'
Sample outputs:

OR try the following ps command:
# ps -eo pid,user,group,args,etime,lstart | grep '[3]813'
Sample outputs:

Another option is /proc/$PID/environ, enter:
# cat /proc/3813/environ
OR
# grep --color -w -a USER /proc/3813/environ
Sample outputs (note the --color option):

Fig.01: grep output

lsof Command Example

Type the command as follows:

Now, you can get more information about PID # 1607 or 1616 and so on:
# ps aux | grep '[1]616'
Sample outputs:
www-data 1616 0.0 0.0 35816 3880 ? S 10:20 0:00 /usr/sbin/apache2 -k start
I recommend the following command to grab info about PID # 1616:
# ps -eo pid,user,group,args,etime,lstart | grep '[1]616'
Sample outputs:

  • 1616 : PID
  • www-data : User name (owner – EUID)
  • www-data : Group name (group – EGID)
  • /usr/sbin/apache2 -k start : The command name and its args
  • 03:16:22 : Elapsed time since the process was started, in the form [[dd-]hh:]mm:ss.
  • Fri Oct 29 10:20:17 2010 : Time the command started.

Help: I Discover an Open Port Which I Don’t Recognize At All

The file /etc/services is used to map port numbers and protocols to service names. Try matching port numbers:
$ grep port /etc/services
$ grep 443 /etc/services
Sample outputs:


Check For rootkit

I strongly recommend that you find out which processes are really running, especially on servers connected to high-speed Internet access. You can look for a rootkit, which is a program designed to take fundamental control (in Linux / UNIX terms “root” access, in Windows terms “Administrator” access) of a computer system, without authorization by the system’s owners and legitimate managers. See how to detect / check for rootkits under Linux.

Keep an Eye On Your Bandwidth Graphs

Usually, rooted servers are used to send a large number of spam or malware or DoS style attacks on other computers.

Conclusion

You learned various Linux commands to find information about running processes and their ports. See the following man pages for more information:
$ man ps
$ man grep
$ man lsof
$ man netstat
$ man fuser


3 Ways to Find Out Which Process Listening on a Particular Port

A port is a logical entity that represents an endpoint of communication and is associated with a given process or service in an operating system. In previous articles, we explained how to find out the list of all open ports in Linux and how to check if remote ports are reachable using the Netcat command.

In this short guide, we will show different ways of finding the process/service listening on a particular port in Linux.

1. Using netstat Command

netstat (network statistics) command is used to display information concerning network connections, routing tables, interface stats, and beyond. It is available on all Unix-like operating systems including Linux and also on Windows OS.

In case you do not have it installed by default, use the following command to install it.

Once installed, you can use it with the grep command to find the process or service listening on a particular port in Linux as follows (specify the port).

Check Port Using netstat Command

The flags in the above command mean the following:

  • l – tells netstat to only show listening sockets.
  • t – tells it to display tcp connections.
  • n – instructs it to show numerical addresses.
  • p – enables showing of the process ID and the process name.
  • grep -w – matches only the exact string (:80).

Note: The netstat command is deprecated and replaced by the modern ss command in Linux.

2. Using lsof Command

lsof command (List Open Files) is used to list all open files on a Linux system.

To install it on your system, type the command below.

To find the process/service listening on a particular port, type (specify the port).

Find Port Using lsof Command

3. Using fuser Command

fuser command shows the PIDs of processes using the specified files or file systems in Linux.

You can install it as follows:

You can find the process/service listening on a particular port by running the command below (specify the port).

Then find the process name using PID number with the ps command like so.

Find Port and Process ID in Linux

That’s all! Do you know of any other ways of finding the process/service listening on a particular port in Linux? Let us know via the comment form below.


How to Find the Port Opened By a Process on Linux

In this tutorial you will learn how to find the port of a process running on a Linux system.

This is a very common thing we need to know when we manage applications on Linux, especially if they have been configured by someone else.

How do you find the port of a process running on Linux?

The netstat command lets you see the connections from and to your current Linux system, and it provides flags that also show which process a specific connection is related to. In the netstat output you can also see the port opened by a specific process. You can also see which ports are opened on a Linux system using the lsof, ss and fuser commands.

You will learn which netstat flags to use to show the port opened by a process on Linux and other tricks that can be very useful to manage a Linux system.

We will also go through alternatives to netstat like lsof, ss and fuser.

What Ports Are Listening on Linux?

I often see that the concept of a port is not easy to grasp for those who start learning about Linux.

A port is a communication channel opened on a Linux system when a process starts. Ports allow users or programs outside of the Linux system to communicate with it.

All the examples in this tutorial are based on a common application running on Linux systems, an Apache Web Server.

When started, Apache opens ports (usually 80 or 443) that allow users to access static content or web pages hosted on our Linux system.

Ports are represented by numbers from 0 to 65535. The following table shows the meaning of different port ranges:

| Port Range | How these ports are used |
| --- | --- |
| 0 to 1023 | Well known ports or system ports. Used by system processes to provide standard network services. Only processes with superuser privileges can open a port in this range on a Linux system. |
| 1024 to 49151 | Registered ports. These ports are assigned by IANA for specific applications (e.g. 1521 for Oracle). They can be opened on a system without superuser privileges. |
| 49152 to 65535 | Dynamic or private ports. They cannot be registered with IANA and they are used for automatically allocating ephemeral ports. |

The file /etc/services on Linux contains the details of all the reserved ports.

For example, using the grep command let’s find the port assigned to the SMTP protocol:

As you can see, port 25 is used by the SMTP protocol. It’s one of the well-known ports, considering that its value is lower than 1023 (do you remember the previous table?).

Another concept related to the concept of port is the socket.

What is a Linux socket?

A Linux socket is the combination of IP address, protocol (e.g. TCP or UDP) and port. TCP stands for Transmission Control Protocol, UDP stands for User Datagram Protocol.

Let’s start with the first command!

Netstat Command to Check Ports Listening on Linux

The main command to check open ports on a Linux system is netstat.

If I want to verify which ports are open, I can use the command netstat -na together with the grep command to filter only ports that are in listening state:

The grep command uses the -w flag to match the exact word “LISTEN”. It wouldn’t match a line that contains the word “LISTENING”.

But something is missing in the output, I would like to see what each column means…

Using egrep I can filter the output using a OR logic that shows the lines that match either “Local Address” (one of the column names) or “LISTEN”.

Here is the meaning of the main columns:

  • Proto: protocol used by the socket (tcp, udp, etc..)
  • Local Address: address and port number of the local end of the socket.
  • Foreign Address: address and port number of the remote end of the socket.
  • State: state of the socket (LISTEN, ESTABLISHED, etc..)

When I look at the output of the netstat command I can see a list of sockets (protocol, IP address and port). And I can also quickly see that there is no Apache Web Server running on this Linux server.

Because I don’t see a TCP port that I could associate to a web server, for example 80 or 443.

Let’s verify the status of Apache using the systemctl command:

As you can see Apache is inactive, let’s start it!

And now the output of the netstat command is:

This time port 80 is in LISTEN state.

Confirming The Apache Port with Netstat

I’m pretty sure this is the port for the Apache Web Server, but how can I confirm that?

The netstat command provides an additional flag to show the PID and the name of the program a specific socket relates to. The -p flag, where p stands for program:

Hmmm, I was expecting to see something next to LISTEN that would give me more details about the programs opening each port.

As you can see, the values of the column PID/Program name (ID and name of the process that owns the socket) are not visible.

Why can’t I see anything?

Only the process owner and the root user can retrieve detailed information about processes running on a Linux system.

So, who is the owner of the Apache process? The ps command can help us find this out:

The parent process with PID 5256 has been started by root and the child processes by the apache user.

The reason why I can’t see any details about the PID of the processes using the netstat command, is that I’m running the command as the ec2-user.

To see more details in the output I have to provide the sudo command before the netstat command.

This time the output is a lot better!

I can see that the httpd process with PID 5256 has opened port 80.

The -n flag in our netstat command shows addresses in a numerical form, this applies to both IP addresses and ports.

Have a look at the output if we remove the -n flag:

Can you see the difference?

The netstat command is one of the most used commands to verify network connections on a Linux system.

Check If a Port is Open with Lsof

The lsof command stands for “List of open files” and it’s used to list all the files opened by processes on Linux.

But what do files have to do with open ports?

As I mentioned before…

Everything in Linux is a file and sockets are special types of files.

Let’s see how to use the lsof command to see which port is being opened by our Apache Web Server…

…don’t forget the sudo command as I explained before. Also remember that the PID for Apache on my Linux system is 5256:

The -p flag takes as argument the PID of the process for which we want to find out the port, and the TCP *:http part of the output shows that the port opened by that process is the http port.

What if I want to know the port number mapped to http?

You can add the -P flag that disables the conversion from port numbers to port names:

This shows that the Apache process has opened port 80 on my Linux host.

And what if I want to find the process opening a different port?

I can use the -i flag that retrieves the list of files that match the Internet address specified after the flag.

The generic syntax is:

Let’s see it in practice:

In the output of the lsof command you can see useful details like process name, PID and user owner.

You can also pass multiple ports to the lsof command:

Using The SS Command To Find Open Ports on Linux

What is the ss command?

The ss command is similar to the netstat command and it can be used to retrieve details about sockets on Linux.

You will notice similar flags to the netstat ones.

The following command shows listening sockets ( -l flag ), the name of the process (or processes) opening the socket ( -p flag ) and filters only based on TCP sockets ( -t flag).

The format of the output is also similar to the netstat output, have a look at the column names…

To also see any UDP port in listening state, you can add the -u flag:

Now, I want to see just the process (or processes) that listen on port 80.

How do I do it with ss?

Here is the generic syntax of the ss command:

The second argument is a filter, let’s see an example of the filter for port 80:

You can see the word sport in the filter, it stands for source port.

As with every command, you can use the man command to see more details about ss.

And this is not the end, there’s another command!

Use the Linux Fuser Command to Find a TCP Port

It’s very cool how Linux allows you to do the same thing in many different ways!

Another option you have is the fuser command.

The fuser command identifies processes using files or sockets on a Linux system.

So, to find the PID of the processes that are opening TCP port 80 you can use the following command:

You can also replace http with 80:

You can then use the ps command to see more details about the PIDs returned by the fuser command.

But there’s also a quicker option…

Try to pass the -v flag to the fuser command:

You also get details about the processes opening port 80. Very useful!

Conclusion

We went through so many options to get the port opened by a Linux process and also to get the PIDs starting from a port number.

It’s critical to know all the ports that are open on your Linux system to keep your system secure.

Services running on well-known ports can be exploited to get access to your Linux system if the version of your service is subject to vulnerabilities.

So, keeping an eye on ports in LISTEN state on your machine is the first step to keep it secure.
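One way to keep that eye on listening ports is to compare the ss -tulpn listing against a list of ports you expect. The script below is an added example, not part of the original tutorial; the function name, the allowlist format (proto/port) and the sample ss output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on an expected-ports list.

# Constructed sample of `ss -tulpn` output (not captured from a real host).
# The 8443 row has no Process column, as happens when ss runs without root.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1138,fd=21))
tcp   LISTEN 0      511    *:80               *:*               users:(("httpd",pid=5256,fd=4))
udp   UNCONN 0      0      0.0.0.0:7000       0.0.0.0:*         users:(("transmission",pid=3813,fd=9))
tcp   LISTEN 0      128    0.0.0.0:8443       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))'

# Usage: ss -tulpn | unexpected_listeners "tcp/22 tcp/80"
# Prints "proto/port program" once for every listener missing from the list;
# program is "-" when ss could not show the owning process.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "tcp" && $1 != "udp" { next }     # header row and other families
        {
            port = $5
            sub(/.*:/, "", port)                # keep text after the last colon
            prog = "-"
            if (match($0, /users:\(\("[^"]+"/)) # first program name in the row
                prog = substr($0, RSTART + 9, RLENGTH - 10)
            key = $1 "/" port
            if (!(key in ok) && !seen[key]++) print key, prog
        }'
}

# Demo on the constructed sample when the script is run with an allowlist.
if [ $# -gt 0 ]; then
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners "$1"
fi
```

Any line it prints is a port to investigate with the commands above before deciding whether the service belongs on the host.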

Which command do you prefer to find the port opened by a process? Netstat, lsof, ss or fuser?
