Archived - K2375: Using the netstat command to identify

which ports a process uses

https://my.f5.com/manage/s/article/K2375
Published Date: Feb 17, 2006 UTC Updated Date: Feb 21, 2023 UTC

This article has been archived and is no longer maintained.

Topic
You can use the netstat command to view programs that are running on specific ports though the following
methods:

Identify the port protocol control block and the corresponding process.
Identify the PID of the process's connection.

Identifying the port control block and the corresponding process

To determine which program is listening on a specified port, perform the following steps:

1. Find the kernel address of the protocol control blocks associated with each connection, by using the
netstat command with the -A option.

For example, to view the control blocks that are used for programs listening on the loopback address
127.0.0.1, you would type the following command:

netstat -nA | grep 127\.0\.0\.1 | grep LISTEN

The output would appear similar to the following:

a28e8600 tcp 0 0 127.0.0.1.389 *.* LISTEN

a28e8a00 tcp 0 0 127.0.0.100.53 *.* LISTEN
a20bce00 tcp 0 0 127.0.0.1.9001 *.* LISTEN
a20bcc00 tcp 0 0 127.0.0.1.2121 *.* LISTEN
a3c8a600 tcp 0 0 127.0.0.1.8007 *.* LISTEN
a3c8a800 tcp 0 0 127.0.0.1.8053 *.* LISTEN
a3c8aa00 tcp 0 0 127.0.0.1.8054 *.* LISTEN
a236d400 tcp 0 0 127.0.0.1.53 *.* LISTEN

The first column of the output contains the protocol control block identifier.

2. Find the process that owns that protocol control block, by using the fstat command and filtering for
specified protocol control block identifier.

For example:

fstat | grep a28e8600

 The output would appear similar to the following:

root slapd 25200 2* internet stream tcp a28e8600

In this example, slapd, the OpenLDAP daemon, is the process is listening on 127.0.0.1 port 389 tcp.

Identifying the PID

A more advanced technique to view programs listening on specified ports is to use the netstat command to
find the PID for the specific instance of a process that has a connection. This becomes necessary when
several processes are all listening on the same local port.

For example:

netstat -n | grep 192\.0\.2\.203\.22

The output would appear similar to the following:

tcp 0 0 192.0.2.203.22 192.0.2.210.33548 ESTABLISHED

tcp 0 0 192.0.2.203.22 192.0.2.209.14392 ESTABLISHED
tcp 0 48 192.0.2.203.22 192.0.2.39.1447 ESTABLISHED

In this example, there are several SSH connections to this system. Each connection is connected to the same
local port, port 22 TCP

To view the instances of sshd that are running, type the following command:

ps -ax |grep sshd

The output would appear similar to the following, where PID 15217 is the root process and the rest are the
child processes.

9332 15217 0 0 ?? 28 0 R 0.0 0.3 816 (sshd)

9394 15217 0 0 ?? 2 0 I 0.0 0.3 792 (sshd)
9411 15217 0 0 ?? 2 0 I 0.0 0.3 792 (sshd)
15217 1 0 0 ?? 2 0 Is 0.0 0.1 352 /usr/sbin/sshd

To view which processes are responsible for the connection between 192.0.2.203 port 22 and 192.0.2.39
port 1447 first identify the control block structure, by typing the following command:

netstat -nA | grep 192\.0\.2\.203 | grep 192\.0\.2\.39

The output would appear similar to the following:

a236da00 tcp 0 48 192.0.2.203.22 192.0.2.39.1447 ESTABLISHED

You can use this to trace the block back to the PID, by typing the following command:

fstat | grep a236da00

The ouput would appear similar to the following:

root sshd 9332 4* internet stream tcp a236da00

This indicates that PID 9332 is the connection between 192.0.2.203 port 22 and 192.0.2.39 port 1447.

Note: If this example had contained multiple connections between 192.0.2.203 and 192.0.2.39, the example
grep filter would have also had to contain the port number in addition to the address.