We often need information about a process for troubleshooting and general investigation, but it is not always clear where to begin looking. This article covers how to obtain detailed process information by using the port a process listens on to find its PID, and then looking up that PID in procfs.
We generally know the port number used to connect to a network application of interest. We can find the application's process ID by looking up that port, and then use the PID to find process details in procfs.
This article assumes you are using a Linux-like shell with procfs available. Most Linux and related operating systems already provide procfs; if your OS has a /proc directory, you can most likely use this method. Windows systems can obtain procfs under Cygwin. OS X does not come with procfs, although there is a way to add it.
Be aware that if you are not running as the owner of the process (or as root), you will not have access to some of this information.
To see all listening ports on the machine, run the following command:
You will see an output similar to this:
The fourth column shows the IP address and port a process listens on. Note that we filtered out everything except listening ports. The rightmost column shows the process ID and executable name in the format PID/name.
We can look for the port we use to connect to the application to obtain its process ID and executable name. To find the line for a specific port, run the following command:
There is no /proc file system on Mac OS X, at least by default. You can still find a process listening on a given port using lsof:
The output will look something like this:
Once we have the process ID, we can obtain extra information about the process from the /proc directory. The directory for any process is located at /proc/<PID>. To see what is in the directory of a process, run:
Some potentially relevant files and directories in /proc/<PID> are:
- cmdline - Command line arguments for the process
- environ - Values of environment variables
- fd - Directory containing all file descriptors used by the process
- limits - The soft limit, hard limit, and unit of measurement for each of the process's resource limits
For more detailed information on the files and directories under /proc, check the proc man page by running man proc on your machine.
The contents of these files can be viewed with your usual file output command, such as cat or less.
We will use the Flow server as an example; you can apply this to any agent or other network process as well. We know that by default the Flow server listens on port 8000, so we run:
We get the following output:
We can see that in this case, 970 is the PID of our application.
Using the previous PID we obtained, we run:
Here is a partial output:
Because cmdline and environ separate their entries with NUL bytes rather than newlines, the following command reformats their contents into something more readable, presenting one command line parameter or environment variable per line:
To see all files, pipes and sockets opened by the process, which are exposed as symbolic links in the directory /proc/<PID>/fd, run:
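The whole procedure above (port to PID via netstat, then cmdline, environ, fd and limits under /proc) as one added shell example; this is not code from the original article. It assumes Linux with procfs and either netstat or ss installed; the sample netstat line is constructed to match the page's PID/name column format and is not captured from a real host.

```shell
#!/bin/sh
# Added example: resolve a listening TCP port to a PID, then inspect /proc/<PID>.

# Constructed sample line in `netstat -tlnp` format (rightmost column is PID/name).
SAMPLE_NETSTAT_LINE='tcp   0   0 0.0.0.0:8000   0.0.0.0:*   LISTEN   970/flow-server'

# Pull the PID out of one netstat line: take the last column and drop "/name".
pid_from_netstat_line() {
    printf '%s\n' "$1" | awk '{print $NF}' | cut -d/ -f1
}

# Live lookup: prefer netstat (the page's tool); fall back to ss, whose
# process column looks like users:(("name",pid=970,fd=5)).
pid_for_port() {
    port="$1"
    if command -v netstat >/dev/null 2>&1; then
        netstat -tlnp 2>/dev/null | awk -v p=":$port" '$4 ~ p"$" {print $NF}' \
            | cut -d/ -f1 | head -n 1
    else
        ss -ltnp 2>/dev/null | awk -v p=":$port" '$4 ~ p"$"' \
            | sed -n '1s/.*pid=\([0-9][0-9]*\).*/\1/p'
    fi
}

# cmdline and environ are NUL-separated; print one entry per line.
nul_to_lines() {
    tr '\000' '\n'
}

# Show the procfs details discussed in the article. Without owner/root
# privileges, environ and fd are unreadable and are reported as such.
inspect_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no /proc/$pid: no procfs, or process gone" >&2; return 1; }
    echo "== cmdline";  nul_to_lines < "/proc/$pid/cmdline"; echo
    echo "== environ";  nul_to_lines < "/proc/$pid/environ" 2>/dev/null || echo "(permission denied)"
    echo "== fd";       ls -l "/proc/$pid/fd" 2>/dev/null || echo "(permission denied)"
    echo "== limits";   cat "/proc/$pid/limits" 2>/dev/null || echo "(permission denied)"
}

# Live usage, using the page's Flow server example on port 8000:
#   pid="$(pid_for_port 8000)" && inspect_pid "$pid"
```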
- Product versions: All
- OS versions: Linux