5

I can execute `netstat -atulpn | grep java` to find all Java processes with their accompanying ports, which is great; however, I would also like to have each process's full execution arguments shown. I don't believe that this is possible with `netstat` from everything I've explored so far, and so I was thinking that I would have to write a script to process the output of `netstat`, pass the PIDs into `ps`, and then prettify the output to show the ip+port and full command line.

Is there a better way of doing this or is this about the only option?

ylluminate

3 Answers

4

`ss -lnptu` piped to `awk` with a call to `ps -p`. I'm on a mobile device, so it is a little tricky to type out a full example at the moment.

Listening Sockets:

```sh
ss -lnptu | awk 'NR>1 { split($7,p,","); printf "Listen: "$5 " Command: "; system("ps --no-headers -o args p "p[2]); }'
```

All Sockets (will likely require some additional filtering due to sockets without process information in TIME_WAIT, etc):

```sh
ss -anptu state listening state established state connected state unconnected | grep -v TIME_WAIT | awk 'NR>1 { split($7,p,","); printf "Listen: "$5 " Command: "; system("ps --no-headers -o args p "p[2]); }'
```

jameshfisher
Mark Sturgill
  • Thanks for heads up Mark, looking forward to a more detailed response! – ylluminate Feb 20 '14 at 03:08
  • @ylluminate I added a quick and dirty example. – Mark Sturgill Feb 20 '14 at 03:29
  • Great, thanks yes. Just FYI on CentOS 6.5 it gave me some funky output regarding the arguments that are being passed in: https://gist.github.com/8a36dbbc3fe9c8371742 – ylluminate Feb 20 '14 at 03:36
  • @ylluminate I tested with Ubuntu 13.04 (`ss --version` = iproute2-ss130716). Can you give me an example line of output from `ss -anptu` on your system? – Mark Sturgill Feb 20 '14 at 03:44
  • Sure, here's the raw output: http://j.mp/1dPtubZ (Apologies, I made it on a wide terminal.) – ylluminate Feb 20 '14 at 03:50
  • @ylluminate The issue is that sockets in TIME-WAIT, FIN-WAIT-1, and such do not have process information to display (and the one-liner I posted was not written particularly robustly). If you run `ss -lnptu` instead of `ss -anptu` it should work as those records would be omitted. – Mark Sturgill Feb 20 '14 at 03:54
  • Thanks, it certainly can be cleaned up some more, but this worked just fine. I did `2>/dev/null` it to remove a lot of extra warnings/errors coming off and I `grep`'d and `grep -v`'d some of the content out to filter it better. Thanks! – ylluminate Feb 20 '14 at 08:34
  • I get "error: list of process IDs must follow p". – jameshfisher Oct 29 '15 at 16:05
2

I was getting errors from `ps` on Ubuntu 16.04 when using Mark Sturgill's answer as-is. Needed a slight modification to make it work: basically added an extra split to further isolate the numeric PID from the joined format that `ss` returns (e.g. `pid=1306` -> `1306`). I also added the `-ww` flag to make `ps` output the full args:

```sh
ss -lnptu | awk 'NR>1 { split($7,p,","); split(p[2],pid,"="); printf "Listen: "$5 " Command: "; system("ps --no-headers -ww -o args p "pid[2]); }'
```
luckman212
0

@ylluminate, for CentOS change it to:

```sh
ss -lnptu | awk 'NR>1 { split($6,p,","); printf "Listen: "$4 " Command: "; system("ps --no-headers -o args p "p[2]); }'
```
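
A sturdier form of the pipeline from the answers above, as an added example that is not from any of the posters: it finds the local address and PID by pattern rather than by column number, so it handles both `ss` formats discussed here (`1234` and `pid=1306`), the output without a Netid column, and sockets that show no process information. The function names `parse_ss` and `with_cmdline` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; parse_ss and with_cmdline are hypothetical helper names.

# Read `ss -lnptu` output on stdin; print "local_address<TAB>pid" per owner.
parse_ss() {
  awk '
    NR == 1 { next }                          # header row
    {
      # The local address follows Recv-Q and Send-Q (two numeric fields in
      # a row), so it is found with or without the leading Netid column.
      addr = ""
      for (i = 1; i + 2 <= NF; i++)
        if ($i ~ /^[0-9]+$/ && $(i+1) ~ /^[0-9]+$/) { addr = $(i+2); break }
      u = index($0, "users:(")
      if (addr == "" || u == 0) next          # socket without process info
      rest = substr($0, u)
      # Each owner ends in ",pid=N,fd=M)" (newer ss) or ",N,M)" (older ss).
      # Only the digits are kept, so no other text can reach a later command.
      while (match(rest, /",(pid=)?[0-9]+,(fd=)?[0-9]+\)/)) {
        pid = substr(rest, RSTART + 2, RLENGTH - 2)
        sub(/^pid=/, "", pid)
        sub(/,.*/, "", pid)
        print addr "\t" pid
        rest = substr(rest, RSTART + RLENGTH)
      }
    }'
}

# Append each owner's full command line, read from /proc/PID/cmdline.
with_cmdline() {
  while IFS="$(printf '\t')" read -r addr pid; do
    cmd=""
    [ -r "/proc/$pid/cmdline" ] && cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    printf '%s\t%s\t%s\n' "$addr" "$pid" "${cmd:-?}"
  done
}

# Constructed sample input (not captured output): newer format, older format
# without Netid, two owners on one socket, and a socket with no owner shown.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    *:8080         *:*   users:(("java",pid=1306,fd=5))
LISTEN 0     50     :::8443        :::*  users:(("java",1234,5))
tcp   LISTEN 0      511    *:80           *:*   users:(("nginx",pid=10,fd=6),("nginx",pid=11,fd=6))
tcp   LISTEN 0      128    127.0.0.1:631  *:*'

printf '%s\n' "$SAMPLE" | parse_ss
# Live use (needs root to see other users' processes): ss -lnptu | parse_ss | with_cmdline
```

Reading `/proc/PID/cmdline` directly returns the untruncated argument list and avoids building a shell command from `ss` output, which is what `system()` does in the one-liners.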