We all know that a port can only be used by a single application or service at the same time. Sometimes we need to know which process is listening on a specific port.
In this tutorial, we’ll see different approaches to finding the process listening on a particular port in Linux.
2. root Permission
In Linux, only the root user or the process owner can obtain the detailed information of the process.
When we want to check a process listening on a particular port, we don’t know who the process belongs to.
With root permission, we can gain all the necessary information on the process, for instance, the process identifier.
Therefore, we may need to start our network tools with the root user (or with sudo).
3. Using netstat
The netstat command is a member of the net-tools package.
In the past, it came preinstalled in many Linux distributions. However, the net-tools package hasn’t been updated since 2011.
Due to its lack of the support of modern Linux kernel features and other reasons, the net-tools package has become obsolete.
That said, netstat itself is still widely used, so let’s take a look at how it can help.
First of all, let’s see an example output of the netstat command:
root# netstat -ltnup Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:17600 0.0.0.0:* LISTEN 1293/dropbox tcp 0 0 127.0.0.1:17603 0.0.0.0:* LISTEN 1293/dropbox tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 575/sshd tcp 0 0 127.0.0.1:9393 0.0.0.0:* LISTEN 900/perl tcp 0 0 :::80 :::* LISTEN 9583/docker-proxy tcp 0 0 :::443 :::* LISTEN 9571/docker-proxy udp 0 0 0.0.0.0:68 0.0.0.0:* 8822/dhcpcd ...
With the options ltnup, netstat shows us all ports in use in the above example.
Let’s have a look at what the options mean:
- l – show only listening sockets
- t – show TCP connections
- n – show addresses in a numerical form
- u – show UDP connections
- p – show process id/program name
If we review the above output, the last column is exactly what we’re looking for: the PID and Process name listening on a particular port.
We can simply pipe the netstat output to the grep command to get the process information on an individual port.
For example, let’s see which process is listening on port 22:
root# netstat -ltnup | grep ':22' tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 575/sshd
4. Using ss
In the previous section, we discussed that the net-tools package is deprecated.
The ss command is the replacement of the netstat command.
Now let’s see how to use the ss command to see which process is listening on port 22:
root# ss -ltnup 'sport = :22' Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:("sshd",pid=575,fd=3))
If we check the options, we find that the options we passed to the ss command are the same as we passed to netstat.
The only difference is that we were making use of the state-filter of the ss utility instead of an extra grep process to filter the output.
Similar to the output of the netstat command, the expected process information lies in the last column, too.
5. Using lsof
The lsof command can list all open files in a Linux system.
We can use the lsof command to find the process using a specific port with the -i :port_number option:
root# lsof -i :22 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 575 root 3u IPv4 19373 0t0 TCP *:ssh (LISTEN)
The first four columns in the above output tell us the process name listening on port 22 and its PID, owner, and the file descriptor.
We can pass multiple -i :port to the lsof command to find out the processes listening on various ports:
root# lsof -i :22 -i :68 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 575 root 3u IPv4 19373 0t0 TCP *:ssh (LISTEN) dhcpcd 8822 root 10u IPv4 49601 0t0 UDP *:bootpc
6. Using fuser
The fuser utility displays which processes are using named files, sockets, or file systems. It’s included in the psmisc package and preinstalled on many modern Linux distributions by default.
We can use this to view the information of the process running on a specific port. Again let’s find out the PID of the processing listening TCP port 22:
root# fuser 22/tcp 22/tcp: 575
The above output is pretty straightforward. We know that the process with PID 575 is listening on TCP port 22.
However, it doesn’t tell us detailed information about the process, for example, what’s the name of process 575? who owns the process? and so on.
If we want to obtain more details about the process, we can pass the “-v” option to the fuser command to have a verbose output:
root# fuser -v 22/tcp USER PID ACCESS COMMAND 22/tcp: root 575 F.... sshd
Using the fuser command, we can also check the running process information on multiple TCP or UDP ports in one shot:
root# fuser -v 22/tcp 68/udp USER PID ACCESS COMMAND 22/tcp: root 575 F.... sshd 68/udp: root 8822 F.... dhcpcd
In this short article, we’ve learned four different Linux command-line utilities with examples to figure out the information of the process listening on a particular port.
They are all very powerful tools to have in our arsenal on the Linux command line.