Linux
21 June 2011 1 Comment

Linux: Showing Open Ports and the Processes that Own Them

How do you list the open TCP and UDP ports on your server and the processes that own them? The answer is to use either the netstat or the lsof command:

netstat

$ sudo netstat -lptu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ftp                   *:*                     LISTEN      3825/vsftpd
tcp        0      0 *:ssh                   *:*                     LISTEN      3539/sshd
tcp        0      0 localhost:6600          *:*                     LISTEN      3922/mpd
tcp        0      0 localhost:mysql         *:*                     LISTEN      30004/mysqld
tcp        0      0 *:svn                   *:*                     LISTEN      3810/svnserve
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      3539/sshd
tcp6       0      0 [::]:microsoft-ds       [::]:*                  LISTEN      3805/smbd
tcp6       0      0 localhost:6600          [::]:*                  LISTEN      3922/mpd
tcp6       0      0 [::]:netbios-ssn        [::]:*                  LISTEN      3805/smbd
tcp6       0      0 [::]:www               
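The listing above answers "which process owns which port", but the next question on a server is which of those listeners are reachable from outside the host. The script below is an added example, not part of the original post: it parses `sudo netstat -lptu` output in the layout shown above (the embedded sample is constructed, not captured from a real host) and reports only the sockets bound to all interfaces, leaving loopback-only services such as the `localhost:mysql` entry out. The function names `parse_netstat` and `exposed_listeners` are my own.

```python
"""Parse `netstat -lptu` output and list the listeners exposed on all interfaces.
Run stand-alone to use the constructed sample, or pipe real output in:
    sudo netstat -lptu | python3 exposed.py"""
import sys

# Constructed sample in the layout of `sudo netstat -lptu` (not from a real host).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ssh                   *:*                     LISTEN      3539/sshd
tcp        0      0 localhost:mysql         *:*                     LISTEN      30004/mysqld
tcp6       0      0 [::]:www                [::]:*                  LISTEN      4120/apache2
udp        0      0 *:bootpc                *:*                                 1021/dhclient
udp        0      0 localhost:domain        *:*                                 2510/dnsmasq
tcp        0      0 *:ftp                   *:*                     LISTEN      -
"""

WILDCARD = {"*", "0.0.0.0", "[::]", "::"}   # bound to every interface

def parse_netstat(text):
    """Return one dict per socket line: proto, host, port, state, pid, program."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # skips the two header lines
        host, port = fields[3].rsplit(":", 1)   # "[::]:www" -> "[::]", "www"
        # UDP lines have no State column, so the owner is always the last field.
        state = fields[5] if len(fields) == 7 else ""
        owner = fields[-1]
        if owner == "-":
            # netstat prints "-" when the caller may not see the owner (no sudo).
            pid, program = None, "unknown"
        else:
            pid_str, program = owner.split("/", 1)
            pid = int(pid_str)
        sockets.append({"proto": fields[0], "host": host, "port": port,
                        "state": state, "pid": pid, "program": program})
    return sockets

def exposed_listeners(sockets):
    """Sockets bound to all interfaces; loopback-only services are excluded."""
    return [s for s in sockets if s["host"] in WILDCARD]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for s in exposed_listeners(parse_netstat(text)):
        print(f"{s['proto']:5} {s['port']:12} {s['program']} (pid {s['pid']})")
```

An entry whose owner shows as `-` or `unknown` means netstat was run without the privilege to read that process, so re-run it with `sudo` before drawing conclusions.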

Tags: lsof, open ports, tcp, udp
Windows
13 May 2011 0 Comments

Which Windows Process is Using Which TCP Connection?

Say you have identified – through Wireshark or other means – that your computer is communicating with a certain IP. If you suspect this might be a rogue process or a virus ‘phoning home’ then you might want to dig a little deeper.

The oldest trick in the book is to use netstat. A post on Techrepublic describes this method in depth, but I will describe the important elements here. With the command below you get a list of all TCP and UDP sockets and their associated process IDs:

netstat -noa

The image below is courtesy of Techrepublic.

Now you can use the process ID (PID) to find the name of the process. The default Windows task manager does not display them, but they are easily enabled through View -> Select Columns. Check the PID box, see the image below.

Of course, if you are using Process Explorer (as you should) then the PIDs are at your disposal already. With other tools in the brilliant Sysinternals suite you can make life even easier. The TCPView tool was specifically built for the problem we are trying to solve:

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and

Tags: process explorer, process id, sysinternals, tcp connection, tcpview