egrep multiple AND's with a range query - linux

I'm trying to get a list of ports that have been occupied by a php service within a defined range.
This seems to work OK:
lsof | grep -E 'php.+55000.+LISTEN'
php 6446 user 11u IPv4 694089 0t0 TCP *:55000 (LISTEN)
But when I make it a range query it doesn't seem to give the correct results:
lsof | grep -E 'php.+[55000-55001].+LISTEN'
php 6446 user 11u IPv4 694089 0t0 TCP *:55000 (LISTEN)
php 6446 user 12u IPv4 694090 0t0 TCP *:51000 (LISTEN)
Please help, my regex skills are amateur.

What you are looking for is the lsof -i option. On the man page it says:
To list all files using any protocol on ports 513, 514, or 515 of host wonderland.cc.purdue.edu, use:
lsof -i #wonderland.cc.purdue.edu:513-515
So for your case you can start with:
lsof -i :55000-55001
And then use all the grep you need to get your answer.
Regards

Does this work for you? (port range 55000-60000; the port is the last number of the NAME column, not the PID in $2)
lsof -i -P | awk '/php/ && /LISTEN/ { n = split($9, a, ":"); port = a[n] + 0; if (port >= 55000 && port <= 60000) print }'
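Added example, not code from the question or either answer: in a regex, [55000-55001] is a bracket expression that matches a single character from the set 0-5, so 'php.+[55000-55001].+LISTEN' happily matches *:51000 too. The hypothetical filter_ports helper below instead compares the local port numerically with awk, on constructed lines in lsof -i -nP layout.

```shell
#!/bin/sh
# Constructed sample in "lsof -i -nP" layout (made up for this example, not real output).
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
php 6446 user 11u IPv4 694089 0t0 TCP *:55000 (LISTEN)
php 6446 user 12u IPv4 694090 0t0 TCP *:51000 (LISTEN)
php 6446 user 13u IPv4 694091 0t0 TCP 127.0.0.1:55001 (LISTEN)
php 6446 user 14u IPv4 694092 0t0 TCP 10.0.0.5:55001->10.0.0.9:43210 (ESTABLISHED)
nginx 1104 root 6u IPv4 23348 0t0 TCP *:80 (LISTEN)
php 6447 user 11u IPv6 694093 0t0 TCP [::1]:55002 (LISTEN)'

# filter_ports MIN MAX [COMMAND] [STATE]   (hypothetical helper; reads lsof -i -nP output on stdin)
# Prints lines whose LOCAL port is numerically within MIN..MAX, optionally
# limited to one COMMAND and one connection STATE such as LISTEN.
filter_ports() {
    awk -v min="$1" -v max="$2" -v cmd="$3" -v state="$4" '
        NR == 1 && $1 == "COMMAND"            { next }   # skip the header line
        cmd   != "" && $1  != cmd             { next }   # COMMAND column
        state != "" && $NF != ("(" state ")") { next }   # e.g. (LISTEN)
        {
            name = $9                    # NAME column, e.g. 10.0.0.5:55001->10.0.0.9:43210
            sub(/->.*/, "", name)        # keep only the local side
            n = split(name, part, ":")   # local port follows the last ":" (also for [::1]:port)
            port = part[n] + 0           # numeric comparison, not a character class
            if (port >= min && port <= max) print
        }'
}

# Stand-alone demo: php listeners on 55000-55001, the question's case.
printf '%s\n' "$SAMPLE" | filter_ports 55000 55001 php LISTEN
```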

Related

How to track file lifetime using lsof?

I have read the article https://tailscale.com/blog/case-of-spiky-file-descriptors/ where the author investigates anomalies in the number of open file descriptors.
He said that he made snapshots of open files using lsof, which allowed him to track the lifetime of a file:
01:12:17.24 tailcontr 142810 ubuntu 273u IPv6 5725049 0t0 TCP 172.31.10.244:https->1.2.3.4:57666 (ESTABLISHED)
01:13:32.17 tailcontr 142810 ubuntu 273u IPv6 5725049 0t0 TCP 172.31.10.244:https->1.2.3.4:57666 (CLOSE_WAIT)
01:14:03.22 tailcontr 142810 ubuntu 273u sock 0,8 0t0 5725049 protocol: TCPv6
01:16:53.93 (socket is removed)
What flags should be used to track the lifetime of a file as in the example above?
P.S.: I want to investigate a similar problem with TCPv6 connections. According to lsof -u <user> I have a lot of files looking like:
01:14:03.22 tailcontr 142810 ubuntu 273u sock 0,8 0t0 5725049 protocol: TCPv6
And I want to understand where these connections were made to.

SSH server - Get pid of sshd process forwarding port #N

I'm running a server (Ubuntu Server 14.04) which allows the clients to make an ssh tunnel from their device (Raspberry Pi) so they can access their web server from the internet (as a means to traverse NATs). I can get a list of processes owned by the user (which is the same for all the devices) using ps -u username (this user only runs sshd to forward ports), but I can't filter those processes by the port they're forwarding. So the question is, how can I get the pid of the sshd that is forwarding port #N?
You can make use of the lsof command since everything is a file on Linux.
Something like lsof -Pan -i | grep :PORT will get you what you ask. It has an output like this when I run it for port 80 on my machine:
Command PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 1104 root 6u IPv4 23348 0t0 TCP *:80 (LISTEN)
nginx 1105 www-data 6u IPv4 23348 0t0 TCP *:80 (LISTEN)
nginx 1106 www-data 6u IPv4 23348 0t0 TCP *:80 (LISTEN)
nginx 1107 www-data 6u IPv4 23348 0t0 TCP *:80 (LISTEN)
nginx 1108 www-data 6u IPv4 23348 0t0 TCP *:80 (LISTEN)
More on lsof can be found here

Why does netstat report lesser number of open ports than lsof

I have storm running on 2 machines.
Each machine runs a nimbus process (fancy for master process) and worker processes.
And I wanted to see the communication between them: what ports are open and how they connect to each other.
$ netstat -tulpn | grep -w 10669
tcp 0 0 :::6700 :::* LISTEN 10669/java
udp 0 0 :::42405 :::* 10669/java
$ lsof -i :6700
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 10669 storm 25u IPv6 57830 0t0 TCP host1:50778->host2:6700 (ESTABLISHED)
java 10669 storm 26u IPv6 57831 0t0 TCP host1:6700->host2:57339 (ESTABLISHED)
java 10669 storm 29u IPv6 57843 0t0 TCP host1:6700->host1:50847 (ESTABLISHED)
java 10669 storm 53u IPv6 57811 0t0 TCP *:6700 (LISTEN)
java 10681 storm 53u IPv6 57841 0t0 TCP host1:50780->host2:6700 (ESTABLISHED)
java 10681 storm 54u IPv6 57842 0t0 TCP host1:50847->host1:6700 (ESTABLISHED)
What I don't understand from the above output is why netstat does not show port 50778 being open in the process with PID=10669, whereas lsof clearly shows that the same process has an established connection as host1:50778->host2:6700.
netstat -l limits the results to listening sockets and prevents the display of sockets in other states.
Try this instead:
netstat -anp | egrep :6700

What is the opposite of mod_wsgi-express start-server

I accidentally closed the terminal after running this command:
mod_wsgi-express start-server
And I can't find the resource on how to stop the server.
What is the command?
I had run the mod_wsgi-express script in a virtual environment on port 5000. I had to run the following command to stop it:
/tmp/mod_wsgi-localhost:5000:1002/apachectl stop
The solution
I opened the terminal and killed the process via the pid.
I opened the terminal and ran the following command to get the pid of the process:
lsof -i -f
This is a sample response I got:
apache2 20000 ebrahim 3u IPv4 1234565 0t0 TCP *:8000 (LISTEN)
apache2 20001 ebrahim 3u IPv4 1234565 0t0 TCP *:8000 (LISTEN)
apache2 20004 ebrahim 3u IPv4 1234565 0t0 TCP *:8000 (LISTEN)
Then I performed the following command to kill it, in the form sudo kill (pid number), for example:
sudo kill 20000
Another way (the more proper way) to do this is to go to the directory that holds the apachectl file (the directory changes if you use the --server-root option when running the mod_wsgi-express start-server command).
You simply have to run the command below from the terminal:
/etc/mod_wsgi-express-80/apachectl stop

LSOF connection established

I was wondering, given the output of
lsof -i
sshd 21880 root 3r IPv4 4843515 TCP somehost.lu.isp.com:ssh->d-XX-XXX.ITS.SOMEWHERE.COM:45037 (ESTABLISHED)
sshd 21882 mike 3u IPv4 4843515 TCP somehost.lu.isp.com:ssh->d-XX-XXX.ITS.SOMEWHERE.COM:45037 (ESTABLISHED)
sshd 23853 root 3u IPv6 960417 TCP *:ssh (LISTEN)
sshd 23853 root 4u IPv4 960419 TCP *:ssh (LISTEN)
sshd 24043 root 3r IPv4 4871654 TCP somehost.lu.isp.com:ssh->XXX.XX.XXX.XXX:42104 (ESTABLISHED)
sshd 24044 sshd 3u IPv4 4871654 TCP somehost.lu.isp.com:ssh->XXX.XX.XXX.XXX:42104 (ESTABLISHED)
does that imply that somebody has logged in on the system and is currently doing something, or does it mean they're just trying to log in? I'm not quite sure about it.
Any clues? Thanks
According to this,
lsof -i only shows you active TCP connections. So it doesn't tell you if they're logged in or still attempting to authenticate.
If you want to check to see who's logged in and from where, you can run the "who" command,
which will give you a list of the users logged in and where they're logged in from (e.g. ssh, tty, etc.).
The 'ESTABLISHED' means the TCP connection is established, i.e. the handshake has been performed on the TCP/IP level. This is needed before the ssh process sees any data at all. Theoretically, the connection could be quite long in ESTABLISHED mode without sending any data, depending on the timeouts set (on the TCP level and/or in the sshd config). Expect login to occur after it.
To look into it more, use 'iptraf' for monitoring the amount of traffic, or see /var/log/auth.log (at least on a Debian system) for seeing who successfully logged on.