[Linux] Looks for processes that listen on specified ports

Look for the process of listening on the specified port, for the system administrator, is an eternal topic. Historically, Linux distribution can use a third party lsof.

ddos@ubuntu:~$ sudo netstat -na -p tcp | grep LISTEN

tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1312/dnsmasq
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 849/cupsd
tcp6 0 0 :::80 :::* LISTEN 3906/apache2
tcp6 0 0 ::1:631 :::* LISTEN 849/cupsd
unix 2 [ ACC ] STREAM LISTENING 27711 2302/gnome-session- @/tmp/.ICE-unix/2302
unix 2 [ ACC ] STREAM LISTENING 25345 2065/gnome-keyring- /run/user/1000/keyring/ssh
unix 2 [ ACC ] STREAM LISTENING 24839 1643/dockerd /run/docker/libnetwork/ca7c82c70397ece4d65dc3d11e84bd9bb4074a00dc47d8986fc0936c7fc6424c.sock
unix 2 [ ACC ] STREAM LISTENING 26129 2402/pulseaudio /run/user/1000/pulse/native
unix 2 [ ACC ] STREAM LISTENING 17693 1/init /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 17696 1/init /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 20195 1082/Xorg @/tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 17698 1/init /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 17700 1/init /var/run/docker.sock
unix 2 [ ACC ] STREAM LISTENING 23846 1643/dockerd /var/run/docker/metrics.sock
unix 2 [ ACC ] STREAM LISTENING 17702 1/init /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 20196 1082/Xorg /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 17705 1/init /var/run/cups/cups.sock
unix 2 [ ACC ] STREAM LISTENING 17708 1/init /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 17711 1/init /run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 25889 2258/dbus-daemon @/tmp/dbus-A9cGjgEig1
unix 2 [ ACC ] STREAM LISTENING 25409 2217/ibus-daemon @/tmp/ibus/dbus-rlJqRPCj
unix 2 [ ACC ] STREAM LISTENING 25922 2276/gpg-agent /home/ddos/.gnupg/S.gpg-agent
unix 2 [ ACC ] STREAM LISTENING 22385 1673/docker-contain /var/run/docker/libcontainerd/docker-containerd.sock
unix 2 [ ACC ] STREAM LISTENING 25207 2059/systemd /run/user/1000/systemd/private
unix 2 [ ACC ] STREAM LISTENING 27712 2302/gnome-session- /tmp/.ICE-unix/2302
unix 2 [ ACC ] STREAM LISTENING 899 1/init /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 25220 2065/gnome-keyring- /run/user/1000/keyring/control
unix 2 [ ACC ] STREAM LISTENING 909 1/init /run/systemd/journal/stdout
unix 2 [ ACC ] SEQPACKET LISTENING 922 1/init /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 25303 2155/dbus-daemon @/tmp/dbus-BkkYQfGN8Y
unix 2 [ ACC ] STREAM LISTENING 21158 898/NetworkManager /var/run/NetworkManager/private-dhcp
unix 2 [ ACC ] STREAM LISTENING 25259 2067/upstart @/com/ubuntu/upstart-session/1000/2067
unix 2 [ ACC ] STREAM LISTENING 980 1/init /run/systemd/fsck.progress
unix 2 [ ACC ] STREAM LISTENING 25342 2065/gnome-keyring- /run/user/1000/keyring/pkcs11

Now, you want to know which is listening on “tcp6 0 0 :::80 :::* LISTEN 3906/apache2 ”

sudo lsof -ni tcp:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 3906 root 4u IPv6 33083 0t0 TCP *:http (LISTEN)
apache2 3909 www-data 4u IPv6 33083 0t0 TCP *:http (LISTEN)
apache2 3910 www-data 4u IPv6 33083 0t0 TCP *:http (LISTEN)

sudo ps -opid,ppid,uid,addr,fname,comm,args -p 3906
PID PPID UID ADDR COMMAND COMMAND COMMAND
3906 1 0 – apache2 apache2 /usr/sbin/apache2 -k start

sudo lsof -n -p 3906| grep TCP
apache2 3906 root 3u sock 0,8 0t0 33082 protocol: TCP
apache2 3906 root 4u IPv6 33083 0t0 TCP *:http (LISTEN)

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.