KBEC-00299 - How to obtain process details from a port number

Summary

We often need information about a process for troubleshooting and general investigation purposes, but it is not always clear where we can begin to find the things we require. This article covers how to obtain detailed process information by using the process's listening port number to obtain the PID, and then looking up the PID in procfs.

Solution

We generally know the port number used to connect to any network application of interest. We can acquire the process ID of the application by looking up its port number, and then use the PID to find process details in procfs. 

This article assumes you are using a Linux-like shell with procfs available. Most Linux and related operating systems have procfs already implemented - if your OS has a /proc directory you can most likely use this method. Windows systems can obtain procfs under Cygwin. OS X does not come with procfs, although there is a way to add it.

Acquiring the PID via port number

Be aware that if you are not running as the owner of the process (or as root), netstat will show "-" instead of the PID/name, and some of the files under /proc/<PID> will not be readable.

To see all listening ports on the machine, run the following command:

netstat -anp | grep -i listen | grep -iv unix

You will see an output similar to this:

...
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:34799         0.0.0.0:*               LISTEN      1455/ecmdrAgent
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
...

The fourth column shows the IP address and port the process listens on (the grep filters above keep only listening sockets). The rightmost column shows the process ID and executable name in the format PID/name.

Searching for the port you use to connect to the application gives you its process ID and executable name. To find the line for a specific port, run:

netstat -anp | grep -i listen | grep -iv unix | grep <portNumber>

Mac

There is no /proc file system on Mac OS X, at least by default. You can still find a process listening on a given port using lsof:

sudo lsof -i :<portNumber>

The output will look something like this:

COMMAND   PID     USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Python  49584 otsvinev    3u  IPv4 0xe673a3039aad2c19      0t0  TCP *:8666 (LISTEN)

Obtaining information from the /proc directory

Once we have the process ID, we can obtain extra information about the process using the /proc directory. The directory for any process is located at /proc/<PID>. To see what's in the directory of a process, run:

ls -lah /proc/<PID>

Some potentially relevant files and directories in /proc/<PID> are:

  • cmdline  -   Command line arguments for the process
  • environ  -   Values of environment variables
  • fd  -   Directory containing all file descriptors used by the process
  • limits  -  Displays the soft limit, hard limit, and units of measurement for each of the process's resource limits

You can check the proc man page by running man proc on your machine for more detailed information on the files and directories under /proc.

The contents of these files can be viewed using your favorite Linux file output command, such as cat or less.

Examples

Obtaining PID

We will use the Flow server as an example; you can apply this to any agent or other network process as well. We know that by default the Flow server listens on port 8000, so we run:

netstat -anp | grep -i listen | grep -iv unix | grep 8000

We get the following output:

tcp6       0      0 :::8000                 :::*                    LISTEN      970/java

We can see that in this case, 970 is the PID of our application.

Viewing /proc files

Using the previous PID we obtained, we run:

ls -lah /proc/970

Here is a partial output:

...
dr-xr-xr-x   2 vagrant vagrant 0 Feb 17 18:04 attr
-rw-r--r--   1 vagrant vagrant 0 Feb 17 18:04 autogroup
-r--------   1 vagrant vagrant 0 Feb 17 18:04 auxv
-r--r--r--   1 vagrant vagrant 0 Feb 17 18:04 cgroup
--w-------   1 vagrant vagrant 0 Feb 17 18:04 clear_refs
-r--r--r--   1 vagrant vagrant 0 Feb 17 17:36 cmdline
...

You can use either of the following commands to turn the contents of cmdline or environ into something readable. Both split the NUL-separated command line parameters or environment variables so that one parameter or variable appears per line:

sed -e 's/\x00/\n/g' /proc/<PID>/<cmdline or environ>

or

xargs --null --max-args=1 echo < /proc/<PID>/<cmdline or environ>

To see all files, pipes and sockets opened by the process, which are stored in directory /proc/<PID>/fd, run:

ls -la /proc/<PID>/fd
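The same port-to-PID-to-/proc lookup can be done directly against procfs, which is what netstat -p does internally. The script below is an added example, not part of this article: it reads /proc/net/tcp and /proc/net/tcp6 for a LISTEN socket on the given port, matches the socket inode against the links in /proc/<PID>/fd, and prints the owner's command line. The function names and the embedded sample table are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: resolve a listening TCP
# port to a PID purely through procfs (what "netstat -p" does internally).
# Assumes Linux with /proc mounted; other users' /proc/<PID>/fd need root.

# Print the socket inode(s) of LISTEN sockets bound to port $1, read from
# /proc/net/tcp-format files passed as further args (default: tcp and tcp6).
listening_inode_for_port() {
    local port="$1"; shift
    [ "$#" -eq 0 ] && set -- /proc/net/tcp /proc/net/tcp6
    # Fields: $2 = local HEXIP:HEXPORT, $4 = state (0A = LISTEN), $10 = inode
    awk -v p="$(printf '%04X' "$port")" '
        $4 == "0A" { split($2, a, ":"); if (a[2] == p) print $10 }
    ' "$@"
}

# Print the PID(s) whose fd directory contains a link to socket:[$1].
pid_for_socket_inode() {
    local link
    for link in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$link" 2>/dev/null)" = "socket:[$1]" ] &&
            echo "$link" | cut -d/ -f3
    done | sort -u
}

# Chain the two lookups and show each owner's command line (NUL-separated
# in /proc/<PID>/cmdline, so translate NULs to spaces for display).
port_to_process() {
    local inode pid
    for inode in $(listening_inode_for_port "$1"); do
        for pid in $(pid_for_socket_inode "$inode"); do
            printf 'port %s -> inode %s -> pid %s: ' "$1" "$inode" "$pid"
            tr '\0' ' ' < "/proc/$pid/cmdline"; echo
        done
    done
}

# Constructed sample of /proc/net/tcp: a LISTEN socket on 8000 (0x1F40,
# inode 12345) plus an ESTABLISHED connection on the same port (inode 12399).
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F40 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 12399 1 0000000000000000 20 4 30 10 -1
EOF
}

if [ "$#" -gt 0 ]; then port_to_process "$1"; fi
```

Run it as `./port2proc.sh 8000` on a live system; the functions also accept a saved copy of /proc/net/tcp so the parsing can be checked offline.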

Applies to

  • Product versions: All
  • OS versions: Linux