Subject: RE: Netstat port list v/s PID
Date: Thu, 10 Oct 2002 00:45:23 -0700
From: "Ian H. Greenhoe" <ian@popcap.com>
To: "Hantzley" <hantzley@intnet.mu>, <debian-security@lists.debian.org>

Hantzley (hantzley@intnet.mu) spake thus:

>Is there a way to know to which process belong a particular port?  e.g.,
>port 32773 - 32779, are known to be for rpc services. But to which process
>do they pertain to, that's another issue?

As root, do:

netstat -anp

Parameters as follows:

-a : show me all connections

-n : don't bother looking up DNS records (I don't wanna wait for
     DNS to time out multiple times)

-p : show me the process ID that is connected to port in question

Why you need to be root:  netstat considers it a security violation to
know about anybody else's [different UID] port / process connections.
I agree with this, although it can be a royal PITA at times.

BTW: netstat vs. lsof:

netstat is more likely to be installed than lsof, and only shows
relevant items when you are wondering about net connections to
process IDs.

If you do want to use lsof in this instance, grep Is Your Friend.
However, lsof is a handy util that I recommend that anybody install
and gain familiarity with. As mentioned recently here, lsof +L1 is
a wondrous command -- it shows you open files that have been deleted.
Very useful after you've done an apt-get upgrade.  And that's just
one of its myriad of useful applications.


Ian Greenhoe
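
[Added example, not part of the original message.] What the PID column of netstat -p is built from on Linux, and why it needs root for other users' sockets: the socket inodes in /proc/net/tcp are joined with the socket:[inode] links under /proc/<pid>/fd, which an unprivileged user cannot read for another UID's processes. Assumptions: Linux, IPv4 TCP only, little-endian host; the function names are hypothetical.

```python
import os
import re
import socket
import struct

LISTEN = 0x0A  # state code for LISTEN in the "st" column of /proc/net/tcp

def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, state, inode) for each IPv4 TCP socket."""
    rows = []
    for line in text.splitlines()[1:]:       # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        hex_ip, hex_port = f[1].split(":")
        # Address is a 32-bit hex word in host byte order (little-endian assumed).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        rows.append((ip, int(hex_port, 16), int(f[3], 16), int(f[9])))
    return rows

def socket_owners(proc_root="/proc"):
    """Map socket inode -> set of PIDs, plus the PIDs we were not allowed to inspect."""
    owners, denied = {}, []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except PermissionError:              # another UID's process, and we are not root
            denied.append(int(pid))
            continue
        except OSError:                      # process exited while we were scanning
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:                  # descriptor closed in the meantime
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(int(pid))
    return owners, denied

def listeners(proc_root="/proc"):
    """Return ([(ip, port, [pids])] for listening sockets, [uninspectable pids])."""
    with open(os.path.join(proc_root, "net", "tcp")) as fh:
        rows = parse_proc_net_tcp(fh.read())
    owners, denied = socket_owners(proc_root)
    found = [(ip, port, sorted(owners.get(inode, [])))
             for ip, port, state, inode in rows if state == LISTEN]
    return found, denied
```

Called as listeners() by an ordinary user, the second return value lists the PIDs whose descriptors could not be read; sockets owned by those processes come back with an empty PID list, which is where netstat -p prints "-".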





Date: Thu, 10 Oct 2002 11:45:35 +0300
From: Mika Boström <bostik@lut.fi>
To: Hantzley <hantzley@intnet.mu>
Cc: debian-security@lists.debian.org
Subject: Re: Netstat port list v/s PID
User-Agent: Mutt/1.4i


> Is there a way to know to which process belong a particular port? e.g.,
> port 32773 - 32779, are known to be for rpc services. But to which process
> do they pertain to, that's another issue?

  Netstat options have already been mentioned, and one person suggested
lsof. I would add fuser from psmisc-package.

-- 
 Mika Boström      +358-40-525-7347  \-/  "The Hell is empty,
 Bostik@lut.fi    www.lut.fi/~bostik  X    and all the devils
 Security freak, and proud of it.    /-\   are here." -W.S.