Linux: Find Process Listening on Port Using Proc FS

Let’s say you have a socket that is listening on a particular port. How do you find the process that is listening on a port just by using the Linux Proc FS or /proc filesystem?

Before getting your hands dirty, make sure that you have root access to the Linux system.

Find Process Listening on TCP Port

Get the TCP network connections list by running the netstat command.

Now, let’s say that we want to find out the process that is listening on port 80. First, we convert the port number from decimal to hexadecimal. So, port 80 becomes 0x50 (in hexadecimal).

Next, we will need to retrieve information from the proc filesystem. For TCP connections, we will need to analyse the /proc/net/tcp file. We will need to filter for source port 0x0050 (hexadecimal for port 80 and zero padded to 4 digits) and the state must be 0x0A – LISTEN state.

We have got 2 entries. The first entry has the state 0x0A which is in the LISTEN state and the source port is 0x50. The second entry’s source port is 0xED11, destination port is 0x50 and state is 0x08 which is the CLOSE_WAIT state. We are interested in the first entry. From the first entry, we can get the socket inode number – 8516.

Once we have retrieved the socket inode number, we will have to scan through all the processes to determine which process has a open file descriptor that points to a socket with inode number 8516.

Based on the find command, we can see that PIDs (or process IDs) 1044, 17843 and 17844 are listening on port 80. To determine the process names of the PIDs, use the ps command.

We can now conclude that the apache2 process is listening on port 80. The apache2 process with PID 1044 is the correct one as that’s the parent process of the other two processes.

Find Process Listening on UDP Port

The way to determine processes listening on UDP ports is similar to what we have seen for TCP ports. The only difference is the file that we need to work on. For UDP, use the /proc/net/udp file. Let’s go through an example to find the process listening on UDP port 68.

UDP port 68 is 0x44 in hexadecimal.

Socket inode number is 7347.

The process listening on UDP port 68 is called dhclient3.

Find Process Listening on IPv6 TCP or UDP Ports

If the system is running on IPv6, you will need to use the /proc/net/tcp6 file for IPv6 TCP ports and /proc/net/udp6 file for IPv6 UDP ports.

Related: Find Process Listening on Port Using Netstat

ibrahim = { interested_in(unix, linux, android, open_source, reverse_engineering); coding(c, shell, php, python, java, javascript, nodejs, react); plays_on(xbox, ps4); linux_desktop_user(true); }

« Previous Article