Craig McPherson
01-13-2001, 07:16 PM
I often hear people asking "port xyz is open on my machine, why?" This describes how to find out.
First, you'll need the "lsof" (LiSt Open Files) utility. For some reason, most Linux distros don't install this program by default, although it's an incredibly popular and useful program. Esteemed and high-class individuals such as "Cult of the Dead Cow" have called it "the most useful Linux utility." So it's good to familiarize yourself with it, because you can do a lot of cool things with it.
Under Debian, you can just do "apt-get install lsof-2.2". Linux kernel 2.2 changed certain things that required a new version of lsof to be written, but "lsof-2.2" should work with any kernel 2.2 or higher (it works with 2.4, at least). If for some reason you're still running 2.0, do "apt-get install lsof-2.0.36" instead. For Red Hat users, there's an RPM available. Slackware kids might have to scour the Internet looking for source and hope it compiles -- you have my condolences.
Anyway, now you have lsof installed. Go ahead and run it without any arguments and watch the spam -- it's listing every open file on your system. Well, that's not very useful. We want to use the -i flag to find out what process is bound to a particular port.
The -i flag can take several forms of arguments. If you just want to search for a port number, you can use a numeric argument like ":80", or a service name (defined in /etc/services) like ":http". You can also specify the protocol, like "TCP:http" for TCP port 80 or "UDP:80" for UDP port 80. If your machine has multiple IP addresses, you can, for example, search only for TCP port 80 on interface 192.168.1.1 with the "TCP@192.168.1.1:80" argument.
Anyway, let's try this out for real.
On one of my systems, I do this:
lsof -i :80
And get this:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
apache 24500 root 19u IPv4 141701 TCP *:http (LISTEN)
The first item is the name of the program that has the port open. The second item is the process ID. The next is the user that's running that process (oh heck -- I'm running Apache as root again? I thought I fixed that... grumble...)
The "19u" I'm not sure about. The "IPv4" indicates that it's using the IPv4 protocol. Device I'm also not sure about. Size is blank, and the rest shows the port it's captured, and the state it's in. ("LISTEN" means it's waiting to receive a connection.)
Now, let's say you want to find out more about that process. You have the Process ID, so you can do that like this:
ps aux | grep 24500
I get this:
root 24500 0.0 1.2 2968 1556 ? S Jan11 0:00 /usr/sbin/apache
So now I know the full path of the program that started the process that bound the port, I know how long it's been running (since Jan11), and several other things like how much memory it's using.
Let's say I see a "mystery port" open on my machine, for example, TCP:548.
lsof -i TCP:548
I get:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
afpd 266 root 0u IPv4 711 TCP *:548 (LISTEN)
Hmm... I need more information.
ps aux | grep 266
I get:
root 266 0.0 0.3 2368 492 ? S Jan01 0:00 /usr/sbin/afpd -n myhostname
Whatever it is, I now know what program it is, when it was started (Jan01, which is the last time I rebooted).
Now, what the heck is /usr/sbin/afpd?
So then I can do this:
whatis afpd
Or this if I wanted to see the full man page:
man afpd
Or this, if I wanted to search the entire man page collection for the term:
apropos afpd
Or I could even do a Google search if I was still stuck:
lynx http://www.google.com/search?q=afpd
Anyway, I don't have to go that far.
I do this:
whatis afpd
And get:
afpd (8) - AppleTalk Filing Protocol daemon
Ah, yes, now I remember. I know what it is, I remember where it came from, and now I know how to get rid of it. Leet. (It came from a Debian package that downloads Microsoft's truetype fonts from Microsoft's website -- but they're only available in a Macintosh compression format, so the package had to install some Apple filehandling tools in order to unpack them).
Anyway... next time you have a mystery port open, remember this. It's extremely useful.
Any questions?
(As an aside, I have a word of caution to nmap users. A lot of people seem to think that by default, nmap scans every port on your machine. It does not. It only scans ports that have a service associated with them in /etc/services. To do a FULL scan of your machine, you need to do this:
nmap -sT -sU -O -p 1-65535 TARGET
This will take a very very very long time, especially over an Internet connection ((you can scan your own system this way, but what you need to know is what your computer looks like from the Internet, so that's of little use)), but it's the only way to scan every port on the machine and get the full picture.
I hope you find this information helpful!)
------------------
http://users.ipa.net/~cmcpher/paminv.gif DEBIAN (http://www.debian.org/) http://users.ipa.net/~cmcpher/paminv.gif
It turns girls into statues!
[This message has been edited by Craig McPherson (edited 13 January 2001).]
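The post above chains lsof -i, ps and whatis by hand. The script below is an added example (not part of the original post, and not lsof's own code) showing what lsof -i :PORT actually does on Linux: it reads /proc/net/tcp, tcp6, udp and udp6 for sockets on the port, decodes the kernel's hex address/port/state fields, then walks /proc/PID/fd looking for the socket inode to find the owning process. It assumes a Linux /proc layout; like lsof, it needs root to read other users' /proc/PID/fd. The SAMPLE text is a constructed /proc/net/tcp snapshot (using the post's port 80, port 548 and inode numbers) so the parser can be exercised offline.

```python
#!/usr/bin/env python3
"""Map a port to its owning process by reading /proc directly (what lsof -i does).

Added example, not from the original post or from lsof. Assumes Linux /proc.
Usage: sudo python3 whoport.py 548
"""
import os
import socket
import struct
import sys

# Socket state codes as printed in /proc/net/tcp (kernel tcp_states.h order).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not captured from a real host):
# apache listening on *:80 (inode 141701), afpd on 127.0.0.1:548 (inode 711),
# and one established client connection owned by uid 1000.
SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 141701 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:0224 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 711 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0100007F:C350 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 9999 1 0000000000000000 20 4 30 10 -1\n"
)


def decode_addr(hexaddr):
    """Turn '0100007F:0050' into ('127.0.0.1', 80).

    The kernel prints the IP as 32-bit words in host byte order (little-endian
    on x86), so the bytes come out reversed; the port is plain big-endian hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    port = int(port_hex, 16)
    if len(ip_hex) == 8:                      # IPv4: one 32-bit word
        ip = socket.inet_ntop(socket.AF_INET, struct.pack("<I", int(ip_hex, 16)))
    else:                                     # IPv6: four 32-bit words
        words = [int(ip_hex[i:i + 8], 16) for i in range(0, 32, 8)]
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack("<4I", *words))
    return ip, port


def parse_proc_net(text):
    """Parse the contents of /proc/net/{tcp,tcp6,udp,udp6} into a list of dicts."""
    rows = []
    for line in text.splitlines()[1:]:        # line 0 is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        rows.append({
            "local": (local_ip, local_port),
            "remote": (remote_ip, remote_port),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),           # key for the /proc/PID/fd lookup
        })
    return rows


def sockets_on_port(text, port):
    """Rows from parse_proc_net(text) whose local port equals `port`."""
    return [r for r in parse_proc_net(text) if r["local"][1] == port]


def find_pid_for_inode(inode, proc="/proc"):
    """Scan /proc/*/fd for a symlink 'socket:[INODE]'; return (pid, comm) or None."""
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fddir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fddir):
                try:
                    if os.readlink(os.path.join(fddir, fd)) == target:
                        with open(os.path.join(proc, pid, "comm")) as f:
                            return int(pid), f.read().strip()
                except OSError:
                    continue                   # fd closed under us
        except OSError:
            continue                           # process gone, or not root
    return None


def main(port):
    for name in ("tcp", "tcp6", "udp", "udp6"):
        path = f"/proc/net/{name}"
        if not os.path.exists(path):
            continue
        with open(path) as f:
            text = f.read()
        for row in sockets_on_port(text, port):
            owner = find_pid_for_inode(row["inode"])
            who = f"pid {owner[0]} ({owner[1]})" if owner else "owner not found (run as root?)"
            print(f"{name:5} {row['local'][0]}:{row['local'][1]} {row['state']:12} "
                  f"uid {row['uid']} inode {row['inode']} -> {who}")


if __name__ == "__main__":
    main(int(sys.argv[1]))
```

One caveat worth knowing: the inode scan only finds processes whose /proc/PID/fd you can read, so a non-root run will report "owner not found" for another user's daemon exactly where lsof would print nothing. A socket with no owner even as root usually belongs to a kernel-side service or to a process in another network namespace.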