K2375: Using the netstat command to identify which ports a process uses
Non-Diagnostic
Original Publication Date: Sep 27, 2004
Update Date: Jan 8, 2016
Topic
You can use the netstat command to view programs that are running on specific ports through the following methods:
Identify the port protocol control block and the corresponding process.
Identify the PID of the process's connection.
Identifying the port control block and the corresponding process
To determine which program is listening on a specified port, perform the following steps:
1. Find the kernel address of the protocol control blocks associated with each connection, by using the netstat command with the -A option.
For example, to view the control blocks that are used for programs listening on the loopback address 127.0.0.1, you would type the following command:
netstat -nA | grep 127\.0\.0\.1 | grep LISTEN
The output would appear similar to the following:
a28e8600 tcp 0 0 127.0.0.1.389 *.* LISTEN
a28e8a00 tcp 0 0 127.0.0.100.53 *.* LISTEN
a20bce00 tcp 0 0 127.0.0.1.9001 *.* LISTEN
a20bcc00 tcp 0 0 127.0.0.1.2121 *.* LISTEN
a3c8a600 tcp 0 0 127.0.0.1.8007 *.* LISTEN
a3c8a800 tcp 0 0 127.0.0.1.8053 *.* LISTEN
a3c8aa00 tcp 0 0 127.0.0.1.8054 *.* LISTEN
a236d400 tcp 0 0 127.0.0.1.53 *.* LISTEN
The first column of the output contains the protocol control block identifier.
2. Find the process that owns that protocol control block, by using the fstat command and filtering for the specified protocol control block identifier.
For example:
fstat | grep a28e8600
The output would appear similar to the following:
root slapd 25200 2* internet stream tcp a28e8600
In this example, slapd, the OpenLDAP daemon, is the process that is listening on 127.0.0.1 port 389 TCP.
Identifying the PID
A more advanced technique to view programs listening on specified ports is to use the netstat command to find the PID for the specific instance of a process that has a connection. This becomes necessary when several processes are all listening on the same local port.
For example:
netstat -n | grep 192\.0\.2\.203\.22
The output would appear similar to the following:
tcp 0 0 192.0.2.203.22 192.0.2.210.33548 ESTABLISHED
tcp 0 0 192.0.2.203.22 192.0.2.209.14392 ESTABLISHED
tcp 0 48 192.0.2.203.22 192.0.2.39.1447 ESTABLISHED
In this example, there are several SSH connections to this system. Each connection is connected to the same local port, port 22 TCP.
To view the instances of sshd that are running, type the following command:
ps -ax | grep sshd
The output would appear similar to the following, where PID 15217 is the root process and the rest are the child processes.
9332 15217 0 0 ?? 28 0 R 0.0 0.3 816 (sshd)
9394 15217 0 0 ?? 2 0 I 0.0 0.3 792 (sshd)
9411 15217 0 0 ?? 2 0 I 0.0 0.3 792 (sshd)
15217 1 0 0 ?? 2 0 Is 0.0 0.1 352 /usr/sbin/sshd
To view which process is responsible for the connection between 192.0.2.203 port 22 and 192.0.2.39 port 1447, first identify the control block structure, by typing the following command:
netstat -nA | grep 192\.0\.2\.203 | grep 192\.0\.2\.39
The output would appear similar to the following:
a236da00 tcp 0 48 192.0.2.203.22 192.0.2.39.1447 ESTABLISHED
You can use this to trace the block back to the PID, by typing the following command:
fstat | grep a236da00
The output would appear similar to the following:
root sshd 9332 4* internet stream tcp a236da00
This indicates that PID 9332 owns the connection between 192.0.2.203 port 22 and 192.0.2.39 port 1447.
Note: If this example had contained multiple connections between 192.0.2.203 and 192.0.2.39, the example grep filter would have also had to contain the port number in addition to the address.
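The two lookups above can be combined into a single join on the control block address. The script below is an added example, not part of the original article; the function names map_pcbs and pids_for are hypothetical, and it assumes the netstat -nA and fstat column layouts shown in the sample output above.

```shell
#!/bin/sh
# Added example: join netstat -nA and fstat output on the PCB address.
# Sample text is taken from this article's example output, not captured live.
NETSTAT_SAMPLE='a28e8600 tcp 0 0 127.0.0.1.389 *.* LISTEN
a28e8a00 tcp 0 0 127.0.0.100.53 *.* LISTEN
a236d400 tcp 0 0 127.0.0.1.53 *.* LISTEN
a236da00 tcp 0 48 192.0.2.203.22 192.0.2.39.1447 ESTABLISHED'
FSTAT_SAMPLE='root slapd 25200 2* internet stream tcp a28e8600
root sshd 9332 4* internet stream tcp a236da00'

# map_pcbs NETSTAT_TEXT FSTAT_TEXT
# Prints "PCB USER COMMAND PID LOCAL FOREIGN STATE", one line per socket owner.
# Assumes the column layout shown in the article (PCB first in netstat,
# last in fstat). A socket with no fstat entry is kept and marked "-".
map_pcbs() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        $0 == "---" { second = 1; next }
        # fstat socket rows: USER CMD PID FD internet TYPE PROTO PCB
        !second && $5 == "internet" {
            n[$NF]++; owner[$NF, n[$NF]] = $1 " " $2 " " $3; next
        }
        # netstat -nA rows: PCB PROTO RECV-Q SEND-Q LOCAL FOREIGN [STATE]
        second && $1 ~ /^[0-9a-f]+$/ && $2 ~ /^(tcp|udp)/ {
            state = (NF >= 7) ? $7 : "-"
            if (!($1 in n)) { print $1, "- - -", $5, $6, state; next }
            # A descriptor inherited across fork() has several owners.
            for (i = 1; i <= n[$1]; i++)
                print $1, owner[$1, i], $5, $6, state
        }'
}

# pids_for LOCAL [FOREIGN]
# Exact match on the address.port fields of the sample data. A substring grep
# for 127.0.0.1 also matches 127.0.0.100, as the first listing shows.
pids_for() {
    map_pcbs "$NETSTAT_SAMPLE" "$FSTAT_SAMPLE" |
        awk -v l="$1" -v f="${2:-*.*}" '$5 == l && $6 == f { print $4 }'
}

# On a live system: map_pcbs "$(netstat -nA)" "$(fstat)"
map_pcbs "$NETSTAT_SAMPLE" "$FSTAT_SAMPLE"
```

A listening socket that is reported with "-" in the owner columns has no matching fstat entry in the supplied text, which is worth a closer look when auditing what is exposed on a host.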
Applies to:
Product: Legacy Products, BIG-IP 4.x, 3-DNS 4.6.4