netstat process details with the IP address - linux

My netstat command is as below on the CentOS machine:
#netstat -n | grep 172.18.0.6 | more
tcp 0 0 172.18.0.1:57332 172.18.0.6:8444 FIN_WAIT2
I want to find out which process is running with the IP address 172.18.0.1. Is there any way to find out the same?

I think you are looking for the netstat -p option.
#netstat -np | grep 172.18.0.6 | more
Should work.

You can use lsof.
If you want to see which service is running on port 57332:
lsof -i TCP:57332
or by IP:
lsof -i |grep 172.18.0.1

You can use
netstat -apn | grep 172.18.0.6 | more
to also get the sockets that are listening.
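
What netstat -p does for the connection in the question, as an added example that is not part of the original answers: it takes the socket inode from /proc/net/tcp and looks for a matching fd link under each process. PROC_ROOT and the function names are assumptions made for illustration; the script covers IPv4 on a little-endian host only.

```shell
#!/bin/sh
# Added example: find the owner of a TCP connection by reading /proc directly.
# PROC_ROOT is a hypothetical override so the functions can be pointed at a
# constructed directory tree instead of the live /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# Print "local remote state_hex inode" for each IPv4 socket in net/tcp.
# Assumes a little-endian host, where 172.18.0.1 is stored as 010012AC.
list_tcp() {
    awk '
    function hex(s,  i, n) {
        s = toupper(s); n = 0
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
        return n
    }
    function endpoint(tok,  a, ip) {
        split(tok, a, ":")
        ip = hex(substr(a[1], 7, 2)) "." hex(substr(a[1], 5, 2))
        ip = ip "." hex(substr(a[1], 3, 2)) "." hex(substr(a[1], 1, 2))
        return ip ":" hex(a[2])
    }
    NR > 1 { print endpoint($2), endpoint($3), $4, $10 }' "$PROC_ROOT/net/tcp"
}

# Print "pid/comm" for every process holding a descriptor on socket inode $1.
# Inode 0 means no process holds the socket any longer, so nothing is printed.
owners_of_inode() {
    [ "$1" = 0 ] && return 0
    for fd in "$PROC_ROOT"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$PROC_ROOT"/}; pid=${pid%%/*}
        echo "$pid/$(cat "$PROC_ROOT/$pid/comm" 2>/dev/null)"
    done | sort -u
}

# Print "local remote state owners" for sockets whose remote IP is $1;
# owners is "-" when none is visible (no owner, or not enough privilege).
who_talks_to() {
    list_tcp | while read -r l r st ino; do
        if [ "${r%:*}" = "$1" ]; then
            o=$(owners_of_inode "$ino" | paste -sd, -)
            echo "$l $r $st ${o:--}"
        fi
    done
}

# Usage: sh owner.sh 172.18.0.6   (run as root to see other users' sockets)
if [ $# -gt 0 ]; then who_talks_to "$1"; fi
```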

Related

To which port is a process attached in Linux

I want to know which port my Jonas, on which a Java project has been deployed, is attached to on a Linux server. I have the pid of the Jonas and tried netstat -lnp but I found no port attached to that PID.
Any idea of how to do this?
Open a terminal application, i.e. a shell prompt.
Run any one of the following commands:
sudo lsof -i -P -n | grep LISTEN
sudo netstat -tulpn | grep LISTEN
sudo nmap -sTU -O IP-address-Here
lsof command
The syntax is:
$ sudo lsof -i -P -n
$ sudo lsof -i -P -n | grep LISTEN
$ doas lsof -i -P -n | grep LISTEN ### [OpenBSD] ###
There are many ways to do it; I prefer this:
sudo netstat -pan |grep pid
Also, you can use
sudo lsof -Pan -p pid -i
pid should be the actual "pid" number that you have.

how to find network connections from a PID

I have a PID and I am trying to find the network connections that are attached to that PID.
I have placed the pid into a variable $PID.
So far I have tried using netstat to do it. I have tried the following:
netstat -p | grep $PID
netstat | grep $PID
but these do not seem to grep anything or find what I'm looking for. What would be the best way to find these?
strace will do the job:
strace -p $PID -f -e trace=network -s 10000
-s 1000 increases the maximum string size to print, which is 32 by default.
Check out this question on unix.stackexchange.com for alternatives.
You can also use netstat. Just replace -p with -nap.
netstat -nap | grep {CMD-of-PID}
It's from the cmd of the pid, actually.

grep the result of some Command(eg. netstat -apn)

When you want to know which port was already in use you can use netstat -apn | grep 27777. The result is below:
> tcp 0 0 ::ffff:43.69.96.68:27777 :::* LISTEN 79339/java
Then you can find which process uses the PID 79339.
ps -aux | grep 79339
Now I wonder if there is a command to find which process uses the port that was already in use.
I tried ps -aux | grep netstat -apn | grep 18888 | awk -F '[ /]+' '{print $7}'
but it is not working.
First run netstat and print out the pid like you almost did. Then run ps and grep the pid, using the "word" option to avoid grepping parts of the digits (if the pid is 456 you don't want to match 14567).
Put that in a bash script and you're done.
# select the netstat line(s) for the port first, then take the pid from "pid/program"
pid=$(netstat -apn | grep -w 18888 | awk -F '[ /]+' '{print $7}')
ps -aux | grep -w "$pid"

BASH - how can I make the log file accessible via TCP port whenever required?

How can I have logs available on a TCP port, so that they can be remotely tested by someone else? For example:
MAINSERVER> tail -f /etc/httpd/logs/access_log | grep -e fruit_Python -e fruit_BASH -e fruit_C | .... TCP 9999 ... make this available ....??
Now, from my laptop, I want to do this remotely and temporarily:
MYLAPTOP> tail -f http://MAINSERVER:9999 | grep -e grab_BASH
Any idea please?
You can use netcat (nc) to do this:
Server side (listen for connection):
tail -f /foo/bar |nc -l -k -p 9999
-l listen
-k listen for another connection after current completed
Client side (connecting):
nc MAINSERVER 9999 | grep whatever_you_like
You can use bash as well to connect to /dev/tcp/host/port, but sometimes it's not supported (compiled into Bash) for security reasons.
Client:
grep whatever_you_like < /dev/tcp/MAINSERVER/9999

tcpdump option to find process initiate communication

I am using the Linux command line and when I run the following command:
tcpdump -n dst host destsitename
tcpdump -n dst host stackoverflow.com
to see if my server, as the source, talks to this domain. How can I find out which process is doing the communication from my server as the source?
My question is which option should I use in "tcpdump".
Run netstat -avnp and fetch the <pid> (the last column)
Run ps -ef | fgrep <pid> and see what that <pid> belongs to
If you know the port, you can try:
lsof -i :1234
The benefit of using lsof instead of netstat is that the -p is not supported on Unix/OS X.
Use lsof and grep by site name:
$: lsof -i |grep mapscii.me
$: telnet 16678 zersh 3u IPv4 1789302 0t0 TCP 192.168.21.180:43148->mapscii.me:telnet (ESTABLISHED)
or netstat:
$ netstat anlpt |grep mapscii.me
tcp 0 0 192.168.21.180:43168 mapscii.me:telnet ESTABLISHED
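Try using the next script:
LOCAL_IP="src_ip"
TARGET_IP="..."
# Capture one packet to/from the target, pull the local source port out of it,
# then ask lsof which process owns that port.
while read -r x; do
    port=$( echo "$x" | grep "IP ${LOCAL_IP}" | awk '{print $3}' | sed "s/${LOCAL_IP}.//" )
    if [ -n "${port}" ]; then
        lsof -Pni ":${port}"
    fi
done <<< "$( tcpdump -nn -c1 host "${TARGET_IP}" )"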
PS. In my case it only worked in the background. Hung in processes for more than 10 hours looking for the source of the problem:
while read x; do port=$(echo $x | grep "IP ${LOCAL_IP}" | awk '{print $3}' | sed "s/${LOCAL_IP}.//"); if [ ! -z ${port} ]; then lsof -Pni :${port}; fi; done <<< "$( tcpdump -nn -c2 host ${TARGET_IP} )" >> /tmp/result &
On Linux you can also use the ss command (which replaces the deprecated netstat command):
$ ss -p dst stackoverflow.com
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 192.168.2.5:50676 151.101.65.69:https users:(("firefox",pid=4657,fd=251))
