How to find and trace open ports in Unix

Listing all the process IDs:

# /usr/bin/ps -ef | sed 1d | awk '{print $2}'

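Mapping the files to ports using the PID (<PID> and <pattern> are placeholders for a process ID and the text to search for):

# /usr/proc/bin/pfiles <PID> 2>/dev/null | /usr/xpg4/bin/grep <pattern>
or
# /usr/bin/ps -o pid -o args -p <PID> | sed 1d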

Mapping the sockname to port using the port number:

# for i in `ps -e|awk '{print $1}'`; do echo $i; pfiles $i 2>/dev/null | grep 'port: 1521'; done
or
# pfiles -F /proc/* | nawk '/^[0-9]+/ { proc=$2} ; /[s]ockname: AF_INET/ { print proc "\n " $0 }'

There were two explanations for why “lsof” did not show what was expected:

1) One thing that might prevent lsof from printing everything is if the ports are controlled by inetd or some such (i.e. there is nothing actively listening on them until you try talking to them).

Also, try telnetting to the port and then run lsof while the telnet session is connected.

2) On Solaris 10, using “lsof -i” to show mapping of processes to TCP ports incorrectly shows all processes that have socket open as using port 65535, for example:

sshd 8304 root 8u IPv4 0x60008cdac0 0t0 TCP *:65535 (LISTEN)
sendmail 1446 root 5u IPv4 0x60007ebbe00 0t0 TCP *:65535 (LISTEN)

This is a known bug in lsof that can _not_ be fixed because of differences between Solaris 10 and previous versions. So the otherwise useful “lsof -i :<port>” is no longer useful on Solaris 10.
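
With lsof unable to report the real port on Solaris 10, the pfiles output is what remains to audit which process owns which port. The script below is an added example, not part of the original post: it extends the nawk one-liner above into a function that prints port, PID, command, address family and address for each bound socket. The function names and the pfiles-layout sample are constructed for illustration, and plain awk is assumed for portability (on Solaris, use nawk or /usr/xpg4/bin/awk).

```sh
#!/bin/sh
# Added example (not from the original post): turn pfiles output into
# "port pid command family address" rows, optionally for one port.

# Constructed sample in pfiles layout; PIDs and sockets are made up.
sample_pfiles() {
    printf '8304:\t/usr/lib/ssh/sshd\n'
    printf '  Current rlimit: 256 file descriptors\n'
    printf '   8: S_IFSOCK mode:0666 dev:332,0 ino:1 uid:0 gid:0 size:0\n'
    printf '\tsockname: AF_INET6 ::  port: 22\n'
    printf '1446:\t/usr/lib/sendmail -bd -q15m\n'
    printf '   5: S_IFSOCK mode:0666 dev:332,0 ino:2 uid:0 gid:0 size:0\n'
    printf '\tsockname: AF_INET 0.0.0.0  port: 25\n'
    printf '   6: S_IFSOCK mode:0666 dev:332,0 ino:3 uid:0 gid:0 size:0\n'
    printf '\tsockname: AF_INET 127.0.0.1  port: 25\n'
    printf '\tpeername: AF_INET 127.0.0.1  port: 40112\n'
    printf '   7: S_IFSOCK mode:0666 dev:332,0 ino:4 uid:0 gid:0 size:0\n'
    printf '\tsockname: AF_UNIX /var/run/example.sock\n'
}

# Read pfiles output on stdin; $1 (optional) limits output to one port.
port_owners() {
    awk -v want="${1:-}" '
        /^[0-9]+:/ {                      # process header: "<pid>:<TAB><cmd>"
            pid = $1; sub(/:$/, "", pid); cmd = $2; next
        }
        /sockname: AF_INET6? / {          # local endpoint; peername is skipped
            port = ""
            for (i = 1; i < NF; i++) {
                if ($i == "sockname:") { fam = $(i + 1); addr = $(i + 2) }
                if ($i == "port:") port = $(i + 1)
            }
            if (port == "" || (want != "" && port != want)) next
            key = pid SUBSEP fam SUBSEP addr SUBSEP port
            if (!(key in seen)) { seen[key] = 1; print port, pid, cmd, fam, addr }
        }
    '
}

# On a Solaris host, feed it real data instead of the sample (run as root):
#   pfiles /proc/* 2>/dev/null | port_owners 1521
sample_pfiles | port_owners
```

Because only sockname lines are parsed, the remote end of an established connection (the peername line) is never mistaken for a local port.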
