LinuxQuestions.org


zkjian 05-07-2007 02:13 AM

How to get responding processes of those ports?
 
Can anyone tell me how to get the processes which opened the following ports and the files opened by these processes?

------------------------------------------------------------
[root@rac1 ~]# netstat -lnp | grep - | grep :
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:32861 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:6199 0.0.0.0:*
-----------------------------------------------------------

lsof -i | egrep '2049|32861:6199' gives me nothing.

Thanks

bathory 05-07-2007 02:38 AM

You can use:
Code:

netstat -tunapl|grep LISTEN

as well as
Code:

lsof|grep LISTEN

zkjian 05-07-2007 05:51 AM

Thank you for your kind help, but still no display.

bathory 05-07-2007 08:18 AM

That's strange. What distro are you using? What is the output of:
Code:

lsof -i -n -P

zkjian 05-07-2007 11:51 PM

RHEL4

[root@lb1 ~]# netstat -lnp | grep : | grep -
tcp 0 0 0.0.0.0:32800 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:32770 0.0.0.0:* -
[root@lb1 ~]# lsof -i -n -P | grep 32800
[root@lb1 ~]# lsof -i -n -P | grep 32770
[root@lb1 ~]# netstat -tunapl | grep LISTEN | grep 32
tcp 0 0 0.0.0.0:32800 0.0.0.0:* LISTEN -
[root@lb1 ~]# netstat -tunapl | grep 32800
tcp 0 0 0.0.0.0:32800 0.0.0.0:* LISTEN -
[root@lb1 ~]# netstat -tunapl | grep 32770
udp 0 0 0.0.0.0:32770 0.0.0.0:* -
[root@lb1 ~]# lsof | grep LISTEN | grep 32800

bathory 05-08-2007 02:21 AM

It's indeed strange. Here is the output of the same commands in my Slackware box running squid:
Code:

netstat -tunapl | grep 32768
udp        0      0 0.0.0.0:32768          0.0.0.0:*                          1300/(squid)

lsof -i -n -P|grep 32768
squid      1300  squid    5u  IPv4  2353      UDP *:32768

If you suspect something, use a live CD to scan your system for rootkits.

zkjian 05-08-2007 03:21 AM

Not all services will hide their process name/PID,
just some special ones will do that. Please see the following
example:

[root@lb1 ~]# /etc/init.d/nfs start
启动 NFS 服务:
[ 确定 ]
关掉 NFS 配额:[ 确定 ]
启动 NFS 守护进程:[ 确定 ]
启动 NFS mountd:[ 确定 ]
[root@lb1 ~]#
[root@lb1 ~]# netstat -lnp | grep : | grep -
tcp 0 0 0.0.0.0:32800 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:32770 0.0.0.0:* -
[root@lb1 ~]#
[root@lb1 ~]# lsof | grep 2049
[root@lb1 ~]#
[root@lb1 ~]# /etc/init.d/nfs stop
关闭 NFS mountd:[ 确定 ]
关闭 NFS 守护进程:[ 确定 ]
关闭 NFS quotas:[ 确定 ]
关闭 NFS 服务: [ 确定 ]
[root@lb1 ~]# netstat -lnp | grep : | grep -
tcp 0 0 0.0.0.0:32800 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:32770 0.0.0.0:* -
[root@lb1 ~]#

I know it's a certain service related to NFS which opened port 2049, but I can't work out which one on earth (the process/PID) opened the port.
One of my partners told me it's the kernel which opens those ports
whose process name/PID is shown as -, such as nfs.
What do you think about his words?

bathory 05-08-2007 04:49 AM

You're right that nfsd is using those ports. Running
Code:

rpcinfo -p

will verify that these ports are used by nfsd.
Quote:

One of my partners told me it's the kernel which opens those ports
whose process name/PID is shown as -, such as nfs.
What do you think about his words?
You can say this, since nfs support is built in the kernel.
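
An added example (not part of the original thread): a shell function that cross-references the `netstat -lnp` rows showing `-` against `rpcinfo -p`, so listeners registered as RPC services such as nfs are explained and anything left over stands out for follow-up. Both sample inputs are constructed, and the function names and the UNEXPLAINED label are assumptions.

```shell
#!/bin/sh
# Constructed sample: `netstat -lnp` rows; "-" in the last column means no owning PID.
sample_netstat() {
cat <<'EOF'
tcp 0 0 0.0.0.0:32800 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2101/sshd
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:32770 0.0.0.0:* -
udp 0 0 0.0.0.0:6199 0.0.0.0:* -
EOF
}
# Constructed sample: `rpcinfo -p` output (program, version, proto, port, service).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp  32770  nlockmgr
    100021    4   tcp  32800  nlockmgr
EOF
}
# classify_ownerless NETSTAT_FILE RPCINFO_FILE
# Prints "proto/port service" for each PID-less listener, or UNEXPLAINED
# when no RPC registration accounts for it.
classify_ownerless() {
  awk '
    mode == "rpc" {                        # build proto/port -> service map
      if ($1 ~ /^[0-9]+$/) svc[$3 "/" $4] = $5
      next
    }
    $1 ~ /^(tcp|udp)6?$/ && $NF == "-" {   # inet rows with no PID/program
      proto = $1; sub(/6$/, "", proto)     # rpcinfo lists tcp/udp only
      n = split($4, a, ":"); key = proto "/" a[n]
      if (seen[key]++) next
      print key, ((key in svc) ? svc[key] : "UNEXPLAINED")
    }
  ' mode=rpc "$2" mode=net "$1"
}
demo() {
  d=$(mktemp -d) || return 1
  sample_netstat > "$d/netstat"; sample_rpcinfo > "$d/rpcinfo"
  classify_ownerless "$d/netstat" "$d/rpcinfo"
  rm -rf "$d"
}
demo
```

On a live host, save the output of `netstat -lnp` and `rpcinfo -p` (run as root) to files and pass them in that order; rows left UNEXPLAINED are the ones to investigate further.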


All times are GMT -5.