Summary: can we trace a listening udp/tcp ports to the underlying applications/program

From: Gold Sun (goldsun8@yahoo.com.sg)
Date: Sat Sep 17 2005 - 03:27:51 EDT


Many thanks for the 30-odd replies. My apologies that this
question can be found in the Sunmanagers FAQ, but I've got a few
unique answers which can't be found in the FAQ.
 
Have removed as many repeated answers & summarized below:

==============================================
 
Unfortunately you can't find out the PID with the Solaris netstat
command. Linux will allow you to do this with a netstat -anp.
The p option shows you which media interface.
Either http://www.blastwave.org or http://www.sunfreeware.com will have
it. You may need to install other binaries/libraries to install the lsof
package. I recommend blastwave.
 
==============================================
    
http://dcs.nac.uci.edu/~strombrg/What-program-is-active-on-that-port.html
 
==============================================
 
> Will "netstat -anv" give any clue like pid of the daemon that's
> listening on that port etc??
No.
You can install and use 'lsof'. Then you could do something like
'lsof -i :3181' to find processes using that port.
Or (depending on the OS), you could look at the output of 'pfiles <PID>'
for all processes running on the box to see which ones would be using
that particular port.
 
==============================================
    
Get lsof from sunfreeware.com and run:
  lsof +M -P | grep LISTEN
 

==============================================

You could try and see if the process has any files opened against it;
it might give you a clue to the app the process belongs to.
lsof -i | grep 24576
You will prob have to load lsof from sunfreeware.
cheers
dan.

==============================================
    
Download and install "lsof" (sunfreeware)
Example:
# lsof -i -U | egrep "389|ldap"
Gary

==============================================
    
Try this web site which lists port numbers assigned
http://www.iana.org/assignments/port-numbers
i.e.
esmmanager 5600/tcp Enterprise Security Manager
esmmanager 5600/udp Enterprise Security Manager
3181 isn't listed
You could try using 'lsof' I think it works rather like 'truss' but on
a port or try using snoop for that particular port other than that I am
at a loss
 
==============================================

On recent versions of Solaris, "pfiles" will tell you about each and
every program running which file descriptor matches to what.
cd /proc
pfiles *| more

==============================================
    
The best way to do that is to use lsof.
Download it if you don't have it.
'lsof | grep 3181' will give you the PID of the process that listens on
that port.

=============Original question ==============
 
Date: Thu, 15 Sep 2005 16:22:13 +0800 (CST)
From: "Gold Sun" <goldsun8@yahoo.com.sg>
To: sunmanagers@sunmanagers.org
Subject: can we trace a listening udp/tcp ports to the underlying applications/program
    
Hi,
 
I was notified during a vulnerability scan that there are ports that
are open on the Sun servers which I just 'inherited' not too long ago.
 
Issuing "netstat -an" showed the ports with "listen" state & I can
then search the port number under /etc/services, say "printer" &
then look up /etc/inetd.conf. I can then comment out (prefixing
with #) for the entry in inetd.conf & then restart inetd.
 
However, there are some ports which I can't trace in the above
manner.
 
# netstat -an
. . .
      *.3181 *.* 0 0 24576 0 LISTEN
      *.5600 *.* 0 0 24576 0 LISTEN
. . .
# grep 3181 /etc/services
# grep 5600 /etc/services
 
Will "netstat -anv" give any clue like the pid of the daemon that's
listening on that port etc.? I do not have the documentation
from my predecessor, who has left. If I can trace it to a specific
application name, say Tivoli Storage Manager, then I can
list it out & tell the auditor this is a required port, or if it's some
dubious one, possibly stop the application & see if it breaks
(if it does, then start it up again).
Sample "netstat -anv" output follows:
 
UDP: IPv4
Local Address Remote Address State
-------------------- -------------------- -------
. . .
10.196.16.12.123 Idle
TCP: IPv4
Local/Remote Address Swind Snext Suna Rwind Rnext Rack Rto Mss State
-------------------- ----- -------- -------- ----- -------- -------- ----- ----- -----
      *.3181
      *.* 0 00000000 00000000 24576 00000000 00000000 3375 536 LISTEN
      *.5600
      *.* 0 00000000 00000000 24576 00000000 00000000 3375 536 LISTEN
. . . . .
 
 
Thanks
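The workflow this thread describes (pick the LISTEN ports out of "netstat -an", look each one up in /etc/services, then use the sockname lines that the "pfiles" reply relies on to find the owning PID) as one script. This is an added example, not part of the thread or of any Solaris tool: the three inputs are constructed samples embedded in the script, the PIDs and program paths in them are invented, and the pfiles layout assumed is the Solaris 10 one that prints sockname/peername lines. On a live box you would feed the functions the real output of netstat -an, /etc/services and "cd /proc; pfiles *" (run as root so every process is readable).

```shell
#!/bin/sh
# Added example (not from the sunmanagers thread): map LISTEN ports from
# "netstat -an" to /etc/services names and to owning PIDs from pfiles output.
# Every input below is a constructed sample; PIDs and program paths are invented.

# Constructed sample of the UDP/TCP sections of Solaris "netstat -an".
NETSTAT_SAMPLE='UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- -------
10.196.16.12.123                          Idle
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.3181               *.*                0      0 24576      0 LISTEN
      *.5600               *.*                0      0 24576      0 LISTEN
10.196.16.12.22      10.196.16.99.4431    49152      0 49152      0 ESTABLISHED'

# Constructed /etc/services excerpt: 3181 and 5600 are deliberately absent,
# mirroring the empty greps in the original question.
SERVICES_SAMPLE='ssh 22/tcp
printer 515/tcp
ldap 389/tcp'

# Constructed "pfiles" output (assumed Solaris 10 layout with sockname/peername
# lines). A connected sshd socket comes before the listener so the parser has
# to tell the two apart; no process in the sample owns port 5600.
PFILES_SAMPLE='24576:  /usr/sbin/sshd
  Current rlimit: 256 file descriptors
   4: S_IFSOCK mode:0666 dev:302,0 ino:37190 uid:0 gid:0 size:0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        sockname: AF_INET 10.196.16.12  port: 22
        peername: AF_INET 10.196.16.99  port: 4431
   6: S_IFSOCK mode:0666 dev:302,0 ino:37189 uid:0 gid:0 size:0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        sockname: AF_INET 0.0.0.0  port: 22
1234:   /opt/example/bin/appd
  Current rlimit: 1024 file descriptors
   5: S_IFSOCK mode:0666 dev:302,0 ino:37201 uid:0 gid:0 size:0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        sockname: AF_INET 0.0.0.0  port: 3181'

# stdin: netstat -an output -> one listening TCP port per line, sorted, unique.
# The local address is "host.port" or "*.port"; the port is the last dot field.
listen_ports() {
  awk '$NF == "LISTEN" { n = split($1, a, "."); print a[n] }' | sort -un
}

# $1: port; stdin: /etc/services text -> service name, or "unknown".
service_name() {
  awk -v p="$1" '$2 == (p "/tcp") { print $1; found = 1; exit }
                 END { if (!found) print "unknown" }'
}

# $1: port; stdin: pfiles output for many processes -> "PID program" of the
# socket bound to that port with no peer (the listener), or "unknown".
port_owner() {
  awk -v p="$1" '
    cand && /peername:/ { cand = 0; next }      # connected socket, not the listener
    cand { print pid, prog; found = 1; exit }   # previous sockname had no peer
    /^[0-9]+:/ { pid = $1; sub(/:$/, "", pid); prog = $2 }  # "PID:<tab>program"
    /sockname: AF_INET6?/ && $NF == p { cand = 1 }
    END { if (!found) print (cand ? pid " " prog : "unknown") }'
}

# $1 netstat text, $2 services text, $3 pfiles text -> "port service owner" lines.
port_report() {
  printf '%s\n' "$1" | listen_ports | while read -r port; do
    svc=$(printf '%s\n' "$2" | service_name "$port")
    owner=$(printf '%s\n' "$3" | port_owner "$port")
    printf '%s %s %s\n' "$port" "$svc" "$owner"
  done
}

port_report "$NETSTAT_SAMPLE" "$SERVICES_SAMPLE" "$PFILES_SAMPLE"
```

On the sample data the report resolves port 22 to ssh and PID 24576, port 3181 to PID 1234 with no service name, and port 5600 to nothing at all; that last case is the one the thread's lsof replies cover, since an older pfiles that prints no sockname lines, or a process you lack permission to inspect, leaves a port unattributed.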
 
 
 
 
 




This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:31:40 EDT