Linux and networking go hand in hand, whether it runs on a fancy desktop or a noisy server. Regardless of which packages you choose to install, chances are that they require networking for some functionality. A desktop may have a DNS cache, a filtering proxy, an anonymous SOCKS proxy or an SSH tunnel listening in the background. The server is equally busy with its web, email, FTP or NFS services awaiting their clients. But when expected bandwidth is missing, or something decides to communicate outside the expected standard, it can be difficult to guess which of these ghosts and daemons is responsible.
It is good administrative practice to be aware of which protocols are communicating over the wire, and who or what is allowed to do so. If open connections are not checked periodically, ideally automatically, the system may have been subject to intrusion or become part of a massive botnet while the activity goes unnoticed. Your system, your sockets.
Netstat casts some light on the situation. Using the right switches, this utility can provide, among other things, a detailed real-time overview of active connections. One particular set of switches I find useful, found at cyberciti.biz (http://www.cyberciti.biz/faq/what-process-has-open-linux-port/), is as follows:
~$ netstat -tulpna (as root)
This nifty little line combines several features of netstat and outputs almost everything you need to know, such as:
- -t List TCP sockets
- -u List UDP sockets
- -l Display listening sockets
- -p Display the PID and name of the program owning each socket (root is needed to see sockets owned by other users)
- -n Show numeric addresses and ports instead of resolving host and service names
- -a Display all sockets, both listening and connected
Sample Output (from cyberciti.biz)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1138/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      850/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2
tcp        0      0 0.0.0.0:55091           0.0.0.0:*               LISTEN      910/rpc.statd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1467/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      992/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1565/cupsd
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      3813/transmission
tcp6       0      0 :::22                   :::*                    LISTEN      992/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1565/cupsd
tcp6       0      0 :::7000                 :::*                    LISTEN      3813/transmission
udp        0      0 0.0.0.0:111             0.0.0.0:*                           850/portmap
udp        0      0 0.0.0.0:662             0.0.0.0:*                           910/rpc.statd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3697/dhclient
udp        0      0 0.0.0.0:7000            0.0.0.0:*                           3813/transmission
udp        0      0 0.0.0.0:54746           0.0.0.0:*                           910/rpc.statd
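As an added example (not from the original post or from cyberciti.biz), here is a small POSIX shell script that turns the periodic check suggested earlier into something you can run from cron: it parses netstat -tulpna output and reports every socket bound to all interfaces (0.0.0.0 or ::) whose port is not on an expected list. The allowlist and the embedded sample output are constructed for the demonstration; the sample mirrors a subset of the listing above.

```shell
#!/bin/sh
# Added example: audit "netstat -tulpna" output against an allowlist of ports
# that are expected to be reachable from other hosts. Everything else that is
# bound to all interfaces gets reported. Not part of the original post.

# Constructed sample, a subset of the cyberciti.biz listing, used for offline runs.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1138/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      850/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      992/sshd
tcp6       0      0 :::7000                 :::*                    LISTEN      3813/transmission
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3697/dhclient
udp        0      0 0.0.0.0:54746           0.0.0.0:*                           910/rpc.statd'

# Hypothetical allowlist: ports this host is supposed to expose (ssh and http).
EXPECTED_PORTS="22 80"

# listeners: read netstat output on stdin and print "proto port program" for
# every socket bound to all interfaces. TCP sockets count only in LISTEN state;
# UDP has no state column, so every bound UDP socket counts.
listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # host is everything before the final ":port"; "::" for ":::7000"
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host != "0.0.0.0" && host != "::") next
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            # TCP lines carry a State column, UDP lines do not
            prog = ($1 ~ /^tcp/) ? $7 : $6
            print $1, port, prog
        }'
}

# unexpected_listeners [allowlist]: filter the listeners whose port is not in
# the space-separated allowlist (defaults to EXPECTED_PORTS).
unexpected_listeners() {
    allow=${1:-$EXPECTED_PORTS}
    listeners | while read -r proto port prog; do
        case " $allow " in
            *" $port "*) ;;   # expected, stay quiet
            *) printf '%s %s %s\n' "$proto" "$port" "$prog" ;;
        esac
    done
}

# Offline demo on the constructed sample:
#   printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
# On a real host (as root, so -p can name every process):
#   netstat -tulpna 2>/dev/null | unexpected_listeners
```

Running the demo on the sample reports portmap on 111, transmission on 7000, dhclient on 68 and rpc.statd on 54746, while mysqld on 127.0.0.1:3306 stays quiet because it is only bound to loopback. Wire the real-host invocation into a cron job that mails any non-empty output and you have the automatic check the introduction asks for.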
If you use netstat with the "-tulpna" switches regularly, put them in a bash alias. For example:
~$ alias tulpna='netstat -tulpna'
Put it in .bashrc or .bash_aliases to make it permanent.
Happy hunting!