4

I'm running a RedHat 5.5 and I was wondering how I can identify a port to a process.

This is the output of netstat and I'm trying to find the process associated with port 35670:

$ netstat -tulnp
tcp        0      0 0.0.0.0:35670               0.0.0.0:*                   LISTEN      -

I tried the following to get the associated process to this port, but to no avail:

$ lsof -nl | grep TCP
$ fuser 35670/tcp

This finally worked for me.

$ rpcinfo -p
100021    3   tcp  35670  nlockmgr

Without doing the command above, how would you have detected that port 35670 is associated with nlockmgr?

The weird thing is nlockmgr does not show up when I do this:

$ ps aux
Alex.K.
Carmen
  • 1
    Of course there is one possibility why a process would not show up with the standard tools, but still be present. If your system has a rootkit, then processes could be running that would occasionally appear to be invisible, and the standard tools may display unusual results. – Zoredache Nov 30 '11 at 21:35
  • I thought of rootkit as well, but rpcinfo -p gave me the process name associated with it. So, I removed the idea that it could be a rootkit. – Carmen Nov 30 '11 at 21:52

3 Answers

7

You have to execute netstat -tulnp as root. Otherwise you get the - instead of the process name.

This is what the manpage says:

PID/Program name
   Slash-separated pair of the process id (PID) and process name of the process that owns the socket.  --program causes  this  column
   to  be  included.   You will also need superuser privileges to see this information on sockets you don't own.  This identification
   information is not yet available for IPX sockets.

With one exception: portmapper. See this

mailq
  • I did execute all of the commands as root. – Carmen Nov 30 '11 at 21:28
  • After googling around, nlockmgr uses an IPX socket, which is why netstat could not identify the process. Thanks. But if netstat cannot detect the process associated with IPX, what program can do it? – Carmen Nov 30 '11 at 21:41
  • 1
    Carmen, your example shows $, which is not root. – Sirex Dec 01 '11 at 13:28
2

You can use nmap with -sV option to determine service info:

# nmap -sV -p 35670 localhost

Why is rpc.lockd obscured from netstat/lsof output?

quanta
0

Instead of netstat you can use ss:

[mvutcovi@mvutcovi-lap ~]$ sudo ss -tulnp
Netid    State     Recv-Q    Send-Q         Local Address:Port          Peer Address:Port                                                
udp      UNCONN    0         0              192.168.122.1:53                 0.0.0.0:*        users:(("dnsmasq",pid=1698,fd=5))          
udp      UNCONN    0         0             0.0.0.0%virbr0:67                 0.0.0.0:*        users:(("dnsmasq",pid=1698,fd=3))          
udp      UNCONN    0         0                    0.0.0.0:68                 0.0.0.0:*        users:(("dhclient",pid=1980,fd=7))         
Mircea Vutcovici
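Cross-referencing the two outputs from the question, as an added example that is not part of any post above: a socket opened by an in-kernel service such as the NFS lock manager has no owning PID for netstat to print, so this script takes every listener whose PID/Program column is `-` and looks it up in the `rpcinfo -p` registrations. The sample text is constructed (only port 35670/nlockmgr comes from the question), and the function names are this example's own.

```python
import subprocess

# Constructed sample input; only the 35670 / nlockmgr lines mirror the question.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:35670               0.0.0.0:*                   LISTEN      -
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2211/sshd
udp        0      0 0.0.0.0:40123               0.0.0.0:*                               -
"""
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100021    3   tcp  35670  nlockmgr
"""

def rpc_ports(rpcinfo_text):
    """Map (proto, port) -> registered RPC service from `rpcinfo -p` output."""
    ports = {}
    for line in rpcinfo_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].isdigit():          # skips the header row
            name = f[4] if len(f) > 4 else "program " + f[0]
            ports[(f[2], int(f[3]))] = name
    return ports

def unowned_listeners(netstat_text):
    """Yield (proto, port) for sockets whose PID/Program column is '-'."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] in ("tcp", "udp", "tcp6", "udp6") and f[-1] == "-":
            # Local address is field 4; the port follows the last colon.
            yield f[0].rstrip("6"), int(f[3].rsplit(":", 1)[1])

def explain(netstat_text, rpcinfo_text):
    """Label each ownerless listener with its RPC registration, if any."""
    rpc = rpc_ports(rpcinfo_text)
    return {key: rpc.get(key, "UNKNOWN - investigate")
            for key in unowned_listeners(netstat_text)}

if __name__ == "__main__":
    # Live use (run as root so netstat can see every socket's owner).
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    for key, name in explain(run("netstat", "-tulnp"), run("rpcinfo", "-p")).items():
        print(key, name)
```

The service name is derived from the program number registered with the portmapper, so a match explains the listener but does not by itself prove which code is behind it. An ownerless listener with no registration at all is the case that deserves a closer look.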