Generic Top

The early-bird price of the new Learn Spring Security OAuth course packages will increase by $50 on Wednesday:

>> CHECK OUT THE COURSE

1. Overview

We all know that a port can only be used by a single application or service at the same time. Sometimes we need to know which process is listening on a specific port.

In this tutorial, we'll see different approaches to finding the process listening on a particular port in Linux.

2. root Permission

In Linux, only the root user or the process owner can obtain the detailed information of the process. 

When we want to check a process listening on a particular port, we don't know who the process belongs to.

With root permission, we can gain all the necessary information on the process, for instance, the process identifier.

Therefore, we may need to start our network tools with the root user (or with sudo).

3. Using netstat

The netstat command is a member of the net-tools package.

In the past, it came preinstalled in many Linux distributions. However, the net-tools package hasn't been updated since 2011.

Due to its lack of the support of modern Linux kernel features and other reasons, the net-tools package has become obsolete.

That said, netstat itself is still widely used, so let's take a look at how it can help.

First of all, let's see an example output of the netstat command:

root# netstat -ltnup         
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:17600         0.0.0.0:*               LISTEN      1293/dropbox        
tcp        0      0 127.0.0.1:17603         0.0.0.0:*               LISTEN      1293/dropbox   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      575/sshd  
tcp        0      0 127.0.0.1:9393          0.0.0.0:*               LISTEN      900/perl  
tcp        0      0 :::80                   :::*                    LISTEN      9583/docker-proxy 
tcp        0      0 :::443                  :::*                    LISTEN      9571/docker-proxy
udp        0      0 0.0.0.0:68              0.0.0.0:*                           8822/dhcpcd
...

With the options ltnup, netstat shows us all ports in use in the above example.

Let's have a look at what the options mean:

  • l – show only listening sockets
  • t – show TCP connections
  • n – show addresses in a numerical form
  • u – show UDP connections
  • p – show process id/program name

If we review the above output, the last column is exactly what we're looking for: the PID and Process name listening on a particular port.

We can simply pipe the netstat output to the grep command to get the process information on an individual port.

For example, let's see which process is listening on port 22:

root# netstat -ltnup | grep ':22'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      575/sshd

4. Using ss

In the previous section, we discussed that the net-tools package is deprecated. 

The ss command is the replacement of the netstat command.

Now let's see how to use the ss command to see which process is listening on port 22:

root# ss -ltnup 'sport = :22'
Netid  State  Recv-Q  Send-Q    Local Address:Port   Peer Address:Port                     
tcp    LISTEN 0       128       0.0.0.0:22           0.0.0.0:*             users:("sshd",pid=575,fd=3))

If we check the options, we find that the options we passed to the ss command are the same as we passed to netstat.

The only difference is that we were making use of the state-filter of the ss utility instead of an extra grep process to filter the output.

Similar to the output of the netstat command, the expected process information lies in the last column, too.

5. Using lsof

The lsof command can list all open files in a Linux system.

We can use the lsof command to find the process using a specific port with the -i :port_number option:

root# lsof -i :22
COMMAND    PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd       575 root    3u  IPv4   19373      0t0  TCP *:ssh (LISTEN)

The first four columns in the above output tell us the process name listening on port 22 and its PID, owner, and the file descriptor.

We can pass multiple -i :port to the lsof command to find out the processes listening on various ports:

root# lsof -i :22 -i :68
COMMAND    PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd       575 root    3u  IPv4   19373      0t0  TCP *:ssh (LISTEN)
dhcpcd    8822 root   10u  IPv4   49601      0t0  UDP *:bootpc

6. Using fuser

The fuser utility displays which processes are using named files, sockets, or file systems. It's included in the psmisc package and preinstalled on many modern Linux distributions by default.

We can use this to view the information of the process running on a specific port. Again let's find out the PID of the processing listening TCP port 22:

root# fuser 22/tcp
22/tcp:                575

The above output is pretty straightforward. We know that the process with PID 575 is listening on TCP port 22.

However, it doesn't tell us detailed information about the process, for example, what's the name of process 575? who owns the process? and so on.

If we want to obtain more details about the process, we can pass the “-v” option to the fuser command to have a verbose output:

root# fuser -v 22/tcp     
                     USER        PID ACCESS COMMAND
22/tcp:              root        575 F.... sshd

Using the fuser command, we can also check the running process information on multiple TCP or UDP ports in one shot:

root# fuser -v 22/tcp 68/udp
                     USER        PID ACCESS COMMAND
22/tcp:              root        575 F.... sshd
68/udp:              root       8822 F.... dhcpcd

7. Conclusion

In this short article, we've learned four different Linux command-line utilities with examples to figure out the information of the process listening on a particular port.

They are all very powerful tools to have in our arsenal on the Linux command line.

Generic bottom

The early-bird price of the new Learn Spring Security OAuth course packages will increase by $50 on Wednesday:

>> CHECK OUT THE COURSE

Leave a Reply

avatar
  Subscribe  
Notify of