Determining what process is bound to a port
I know that using the command:
lsof -i TCP
(or some variant of parameters with lsof) I can determine which process is bound to a particular port. This is useful, say, if I'm trying to start something that wants to bind to 8080 and something else is already using that port, but I don't know what.
Is there an easy way to do this without using lsof? I spend time working on many systems and lsof is often not installed.
netstat -lnp will list the pid and process name next to each listening port. This will work under Linux, but not all others (like AIX). Add -t if you want TCP only.

    # netstat -lntp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:24800           0.0.0.0:*               LISTEN      27899/synergys
    tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      3361/python
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2264/mysqld
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      22964/apache2
    tcp        0      0 192.168.99.1:53         0.0.0.0:*               LISTEN      3389/named
    tcp        0      0 192.168.88.1:53         0.0.0.0:*               LISTEN      3389/named
Cool, thanks. Looks like that works under RHEL, but not under Solaris (as you indicated). Anybody know if there's something similar for Solaris?
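On a Linux host where none of these tools is installed, the same port-to-process mapping that netstat -p prints can be rebuilt from /proc: /proc/net/tcp gives each listening socket's inode, and /proc/<pid>/fd shows which processes hold that inode. The script below is an added example, not part of any answer on this page; it covers IPv4 only, assumes a little-endian host, and its function names are illustrative.

```python
import os
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp


def parse_listeners(table_text):
    """Return [(ip, port, inode)] for every LISTEN row of /proc/net/tcp text."""
    rows = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue
        hex_ip, hex_port = f[1].split(":")
        # The kernel prints the IPv4 address as a host-order word; "<I" assumes
        # a little-endian machine (x86, most ARM).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        rows.append((ip, int(hex_port, 16), f[9]))
    return rows


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:  # fd closed meanwhile, or permission denied
        return None


def holders(inode, proc_root="/proc"):
    """Return sorted [(pid, name)] of processes with an fd on socket:[inode]."""
    target = "socket:[%s]" % inode
    found = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            fds = os.listdir(os.path.join(base, "fd"))
            with open(os.path.join(base, "comm")) as fh:
                name = fh.read().strip()
        except OSError:  # process exited, or not ours and we are not root
            continue
        if any(_readlink(os.path.join(base, "fd", fd)) == target for fd in fds):
            found.append((int(pid), name))
    return sorted(found)


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for ip, port, inode in parse_listeners(fh.read()):
            print("%s:%d" % (ip, port), holders(inode) or "(owner not visible)")
```

As with netstat -p, sockets owned by other users' processes resolve only when the script runs as root.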
On AIX, netstat & rmsock can be used to determine process binding:
    [[email protected]] netstat -Ana|grep LISTEN|grep 80
    f100070000280bb0 tcp4       0      0  *.37                  *.*                   LISTEN
    f1000700025de3b0 tcp        0      0  *.80                  *.*                   LISTEN
    f1000700002803b0 tcp4       0      0  *.111                 *.*                   LISTEN
    f1000700021b33b0 tcp4       0      0  127.0.0.1.32780       *.*                   LISTEN

    # Port 80 maps to f1000700025de3b0 above, so we type:
    [[email protected]] rmsock f1000700025de3b0 tcpcb
    The socket 0x25de008 is being held by process 499790 (java).
Thanks for this! Is there a way, however, to just display what process listens on the socket (instead of using rmsock, which attempts to remove it)?
@OlivierDulac: "Unlike what its name implies, rmsock does not remove the socket, if it is being used by a process. It just reports the process holding the socket." (https://www.ibm.com/developerworks/community/blogs/cgaix/entry/rmsock?lang=en)
Another tool available on Linux is ss. From the ss man page on Fedora:
    NAME
           ss - another utility to investigate sockets

    SYNOPSIS
           ss [options] [ FILTER ]

    DESCRIPTION
           ss is used to dump socket statistics. It allows showing information similar to netstat. It can display more TCP and state informations than other tools.
Example output below - the final column shows the process binding:
    [[email protected]] ss -ap
    State      Recv-Q Send-Q      Local Address:Port          Peer Address:Port
    LISTEN     0      128                    :::http                    :::*        users:(("httpd",20891,4),("httpd",20894,4),("httpd",20895,4),("httpd",20896,4)
    LISTEN     0      128             127.0.0.1:munin                    *:*        users:(("munin-node",1278,5))
    LISTEN     0      128                    :::ssh                     :::*        users:(("sshd",1175,4))
    LISTEN     0      128                     *:ssh                      *:*        users:(("sshd",1175,3))
    LISTEN     0      10              127.0.0.1:smtp                     *:*        users:(("sendmail",1199,4))
    LISTEN     0      128             127.0.0.1:x11-ssh-offset           *:*        users:(("sshd",25734,8))
    LISTEN     0      128                   ::1:x11-ssh-offset          :::*        users:(("sshd",25734,7))
I was once faced with trying to determine what process was behind a particular port (this time it was 8000). I tried a variety of lsof and netstat, but then took a chance and tried hitting the port via a browser (i.e. http://hostname:8000/). Lo and behold, a splash screen greeted me, and it became obvious what the process was (for the record, it was Splunk).
One more thought: "ps -e -o pid,args" (YMMV) may sometimes show the port number in the arguments list. Grep is your friend!