How can you find out what process has established a connection to a server on a particular port?
First, get a list of all ports with a connection established to the port in question, we’ll use 1521 for this example.
#netstat -an | grep 1521 | grep ESTABLISHED
What this command shows us:
The options passed to netstat show us first, all sockets, both listening and non-listening (-a), and second, does not attempt to resolve ip addresses to hostnames (-n). From the output of this command, we first grep for the port number we are looking for, and then further limit the results to only connections in an ESTABLISHED state.
The output will look something like this:
tcp 0 0 192.168.1.5:58014 192.168.1.5:1521 ESTABLISHED
Netstat output columns:
Column 1: Protocol
Column2 : Recv-Q
Column 3: Send-Q
Column 4: Local Address
Column 5: Foreign Address
Column 6: State
We care about the Local Address column, as this is the originating ip address and port.
Limit the output of the netstat command to only give the Local Address (column 4) using awk.
#netstat -an | grep 1521 | grep ESTABLISHED | awk '{print $4}'
To get just the list of unique port numbers, we need to split the ip address and port combination and eliminate any local ports that match what we’re searching for as we already know the process that is supposed to be listening on the port (1521 is usually Oracle).
#netstat -an | grep 1521 | grep ESTABLISHED | awk '{print $4}' | cut -d: -f 2 | grep -v 1521 | sort -n
The command ‘cut’ splits the string based on the delimiter character passed to the -d option, in this case the colon. Then the -f option tells the command to only return field 2 of the split string, so in the case of the string “ip:port”, the cut command will only return the port. The grep with the -v option will exclude any lines with that port and finally we sort everything numerically.
In the end, we should just have a list of numbers, which are the outgoing ports of all socket connections to port 1521.
34775
36573
37589
37994
Now that we have a list of ports, we need to find out what process is using those ports. To this end, we will use the command lsof which will give us the PID of the process listening on the ports found above.
Let’s loop through the list of ports:
# PORT_LIST=`netstat -an | grep 1521 | grep ESTABLISHED | awk '{print $4}' | cut -d: -f 2 | grep -v 1521`
# for port in $PORT_LIST; do
lsof | grep $port | grep TCP | awk '{print $2}'
done | sort -un
lsof output columns:
Column 1: COMMAND
Column 2: PID
Column 3: USER
Column 4: FD
Column 5: TYPE
Column 6: DEVICE
Column 7: SIZE/OFF
Column 8: NODE
Column 9: NAME
We are filtering the output of lsof first by the port number we are looking for. The port shows up in the NAME column. Next, we want to make sure to further filter by NODE TCP. Once those are filtered, then we pull out the value in the PID column.
Once the loop is done, we pipe the whole output to the sort command to sort the PID values numerically (-n) and eliminate duplicates (-u).
2943
2947
2960
2984
Now that we have a list of PIDs, all that’s left is to get the actual process name associated with those PIDs. We’ll combine this into another for loop.
# PORT_LIST=`netstat -an | grep 1521 | grep ESTABLISHED | awk '{print $4}' | cut -d: -f 2 | grep -v 1521`
# PID_LIST=`for port in $PORT_LIST; do lsof | grep $port | grep TCP | awk '{print $2}'; done | sort -un`
# for pid in $PID_LIST; do
ps -p $pid -f
done
And now we have the list of processes with established connections to port 1521.
Comments Off on What process is connected to a TCP port