How can you find out which process is listening upon which port on Windows and Linux?
Are there some Applications explicitly monitoring?
Some great tools for this are made by Sysinternals, now owned by Microsoft.
The one you want is Tcpview and it will show you the ports and which application has them opened, as well as the PID and other nice things. Tcpview is windows based but they have a command line version as well. All these tools are free.
This is the link Microsoft's sysinternals downloads
Both Windows and Linux has the netstat-command built-in, although they are used differently.
On Windows: netstat -a -b (lists both listening and connected ports)
On Linux: netstat -l -p (lists only listening ports)
On windows 7, you can use
netstat -b -a
netstat /?
-b Displays the executable involved in creating each connection or
listening port. In some cases well-known executables host
multiple independent components, and in these cases the
sequence of components involved in creating the connection
or listening port is displayed. In this case the executable
name is in [] at the bottom, on top is the component it called,
and so forth until TCP/IP was reached. Note that this option
can be time-consuming and will fail unless you have sufficient
permissions.
-o Displays the owning process ID associated with each connection.
On Linux use, -p needs root privileges.
#netstat -p
#netstat -h
-p, --programs display PID/Program name for sockets
Not sure that stackoverflow is the right place for this question, maybe http://www.superuser.com would be a better choice.
Although from the top of my head:
Linux has lsof and netstat commands that will provide this information.
Windows has ProcessExplorer that should give this information.
In Linux you can use the ss command to dump the socket information. It gives information about active port numbers in the client side also. More details can be found here
http://linux.die.net/man/8/ss
Related
I encounted a problem today:
When I started HDP docker container, an error occured:
listen tcp 0.0.0.0:8086: bind: address already in use
According to error message, I know that port 8086 was already in use, so I tried some commands to determine which program was using port 8086.
lsof -i:8086
lsof -i tcp:8086
lsof | grep 8086
But all of commands above make no outputs!
I felt really confused about that, after some searching on google, I tried another command:
netstat -pna | grep 8086
I got correct output from this command.
I know some differences between lsof and netstat, but I really do not know why I cannot get any output from lsof -i:8086?.
Here are some differences between two commands I searched from google:
netstat(net statistic) is connection based,it shows NW connections (udp/tcp ports), routing tables, interface, multi-cast membership, etc.
lsof(list of open files) is application based, this is kind of like netstat + ps, there you can see all accessed ports, NW connections, etc.
but lsof includes stuff like my local emacs window terminal session (tty dev/pts/n) which is not part of netstat
I faced a similar issue today. The solution was to run the lsof command with sudo privileges.
sudo lsof -i:8086
should print the desired output.
LSOF: List of Open Files. It lists all the open files belonging to all active processes.
Examples:
sudo lsof -n -i
sudo lsof -n -i4
sudo lsof -n -i :80
-n inhibits the conversion of network numbers to host names for network files. Inhibiting conversion may make lsof run faster. It is also useful when host
lookup is not working properly
-i selects the listing of files any of whose Internet address matches the address specified in i. If no address is specified, this option selects the listing of all Internet and x.25 (HP-UX) network files. If -i4 or -i6 is specified with no following address, only files of the indicated IP version, IPv4 or IPv6, are displayed.
NETSTAT: It is a tool to get the network statistics. By default, netstat displays a list of open sockets. If you don't specify any
address families, then the active sockets of all configured address
families will be printed.
Displays the kernel routing tables:
netstat -r
Display all listening and established connection for both TCP and UDP with PID data:
netstat -plunt
Additionally, You have another command line tool to use which is SS.
SS: It is used to dump socket statistics. It allows showing information similar to netstat. It can display more TCP and state
information than other tools.
-plunt gives data for the TCP and UDP connections which are established and listening with process information:
sudo ss -plunt
You should be root to get proper answers to your lsof questions. Your command is fine, assuming something really is listening on that port.
As you already mentioned, lsof is a very useful command which is used to list files opened by a specific process, while netstat is a tool for monitoring network connections.
You should be able to find the PID of the process listening on port 8086 with netstat:
netstat -tunlp |grep :8086
and then use lsof to list the files used by the process:
lsof -p PID
Is there an auditing tool to check which and when ports are opened and closed on Linux?
My goal is to run my application and check its ports usage.
lsof or netstat don't fit because they just tell me which ports are currently opened, and looping on such command won't give me accurate results...
strace -f -e trace=bind mvn install
strace will displays the bind sytem call each time my application an the children processes open a port.
I'm searching for a way to listen to a specific port on a specific ip and just dump all incoming data.
It has to work on linux, perferrably something that comes as debian package but if i have to compile it thats fine to.
Would be nice if the data gets stored in a mysql database, but just a file would be ok to.
Thanks!
use command
nc -l hostname 10000 > op.txt
netcat, often packaged as nc, is a great tool for such tasks.
You can always use Nmap (more advanced).
It is an utility for network exploration or security auditing...
Link: http://nmap.org/
Another tool you can use is ngrep / very similar to tcpdump but you can tell it to only listen for packets containing a certain string.
You can specify a port and source and destination IP as well
Yet another tool is tcpdump and its descendants:
sudo tshark -w /tmp/out.pcap -s 2000 -i eth0 ip host 198.51.100.99 and tcp port 80
Thanks for all your suggestions but i had to go another way...
There is a Debian Package called 'ucspi-tcp' which contains 'tcpserver'
tcpserver just listens on a port and pipes everything into a process you specify.
In my case i wrote a little script that stores the data in a mysql Database.
I'm trying to use fuser to find the pids of processes I own which have certain TCP ports open.
In the fuser man page it says:
... The most common time this problem occurs is when looking for TCP or UDP sockets when running fuser as a non-root user. In this case fuser will report no access. ...
However, on my Ubuntu box, fuser does report sockets open for processes that I own, e.g.:
perl -MIO::Socket 'IO::Socket::INET->new(Listen => 10, LocalPort => 3000)' &
fuser -n tcp 3000
Question: how are things set up to allow this to happen? Is it a kernel config option?
Thanks!
Note: the question is: how are some linux distros configured so that fuser will report processes owning sockets when fuser is run as a normal user? One one Ubuntu distro "fuser -n tcp 3000" will report a process if I own the process, yet on another linux distro (I think Centos) it won't report the process even if I own it.
fuser goes through the /proc file system (proc(5)) working through the /proc/[pid]/fd/ directory and checking the file descriptors. Processes owned by you have corresponding /proc entries again owned by you. This allows you to check your processes, but not others.
One very useful tool to see what given program is doing is strace(1). For example, you can see what system calls, and with what arguments, are done by the fuser:
~$ strace fuser -n tcp 3000
I am running CentOS 5 with csf firewall. I'm running a program that can't connect to another server (using some port that is blocked by csf I presume). Where is the log file for 'ports'?
Netstat is the command to use to get ports and network activity. To diagonise server processes I usually use:
netstat -tln
This yields port numbers in tcp mode listening. To identify associated processes you can also use -p to grab the pid. Here is the IANA ports list.
I found my answer right after searching a few more threads.
# tail -f /var/log/messages
Shows the UDP message but not the port.... Hmm....