How to use lsof port finding command on Linux

centos7
tcp
debian
ubuntu
security

#1

Say, I know port 22 is opened by the sshd server on Linux. But there is another TCP port open on an Ubuntu VPS or CentOS 7 server. I also set up a Debian desktop in VMware Workstation in the office running on Win10 Pro. How can I find out which process is listening upon a TCP port? I studied the lsof man page but it is so confusing. Please share some practical examples for new Linux developers.


#2

Yes, the lsof command is used to find open files, including ports. But lsof is not installed by default.

How to install lsof

Try the command for your Linux distro:

Install lsof on a Debian or Ubuntu Linux

sudo apt-get install lsof

Install lsof on a CentOS or RHEL

sudo yum install lsof

Install lsof on a Fedora Linux

sudo dnf install lsof

lsof port find syntax

The syntax is simple:

lsof -i :portNumber 
lsof -i tcp:portNumber 
lsof -i udp:portNumber 

How to find out which process is listening upon a port using lsof

To find out which process is listening upon port 443, we can run:

sudo lsof -i :443

Now we get the following output from my own desktop:

COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chrome    20834 vivek  148u  IPv4 746714      0t0  TCP nixcraft-nuc:41004->edge-star-shv-02-sin6.facebook.com:https (ESTABLISHED)
chrome    20834 vivek  204u  IPv4 742121      0t0  TCP nixcraft-nuc:40982->edge-star-shv-02-sin6.facebook.com:https (ESTABLISHED)
chrome    20834 vivek  281u  IPv4 857507      0t0  TCP nixcraft-nuc:41176->104.20.187.5:https (ESTABLISHED)
chrome    20834 vivek  305u  IPv4 859264      0t0  TCP nixcraft-nuc:54152->104.28.5.9:https (ESTABLISHED)
chrome    20834 vivek  327u  IPv4 852975      0t0  TCP nixcraft-nuc:58624->ln.forum:https (ESTABLISHED)
chromium- 22738 vivek  497u  IPv4 819241      0t0  TCP nixcraft-nuc:49520->ln.forum:https (ESTABLISHED)

How to see all the ports open for listening upon the current Linux server

Try the netstat command or the ss command:

sudo ss -tulpn 
sudo ss -tlpn
sudo netstat -tulpn |grep LISTEN

Which gives output as follows:

tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1916/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1711/sshd           
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1713/cupsd          
tcp        0      0 127.0.0.1:53306         0.0.0.0:*               LISTEN      2737/AgentConnectix 
tcp6       0      0 :::22                   :::*                    LISTEN      1711/sshd           
tcp6       0      0 ::1:631                 :::*                    LISTEN      1713/cupsd          

Now I am curious to find out what program or service is using TCP port number 53306, so run:

sudo lsof -i :53306

Again we see:

COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
AgentConn 2737 vivek   16u  IPv4  50078      0t0  TCP localhost:53306 (LISTEN)
AgentAnti 3095 vivek   16u  IPv4  50078      0t0  TCP localhost:53306 (LISTEN)
AgentAnti 3109 vivek   16u  IPv4  50078      0t0  TCP localhost:53306 (LISTEN)

One more example:

lsof -i :22

Sample session:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1711 root    5u  IPv4  33772      0t0  TCP *:ssh (LISTEN)
sshd    1711 root    7u  IPv6  33774      0t0  TCP *:ssh (LISTEN)

This tells us that TCP port number 22 is opened by the sshd server.

Getting further help

lsof is a nice and useful tool. Read the man page:

man lsof

lsof source code - https://people.freebsd.org/~abe/
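
The listener listing above, turned into a quick exposure check. This is an added example, not part of the original post: it reads `netstat -tulpn` style lines and labels each TCP listener by bind scope, so sockets reachable from other hosts stand out from loopback-only ones. The function names are hypothetical, and the sample input is copied from the netstat output in the answer.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Read `netstat -tulpn` style lines on stdin and print, per TCP listener:
#   scope proto port pid program
classify_listeners() {
    awk '$6 == "LISTEN" && match($4, /:[0-9]+$/) {
        # Split on the LAST colon so IPv6 forms like :::22 and ::1:631 work.
        addr = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "all-interfaces"
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback"
        else
            scope = "specific-address"
        split($7, p, "/")    # PID/Program name column ("-" without root)
        printf "%s %s %s %s %s\n", scope, $1, port, p[1], p[2]
    }' | sort -u
}

# Keep only listeners that are not bound to loopback.
exposed_listeners() {
    classify_listeners | awk '$1 != "loopback"'
}

# Sample input: the netstat lines shown in the answer above.
sample_netstat() {
cat <<'EOF'
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1916/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1711/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1713/cupsd
tcp        0      0 127.0.0.1:53306         0.0.0.0:*               LISTEN      2737/AgentConnectix
tcp6       0      0 :::22                   :::*                    LISTEN      1711/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1713/cupsd
EOF
}

# On a live system, pipe real output instead:
#   sudo netstat -tulpn | exposed_listeners
sample_netstat | exposed_listeners
```

On the sample, only sshd (all interfaces, IPv4 and IPv6) and dnsmasq (bound to 192.168.122.1) are reported; cupsd and the port 53306 listener are loopback-only.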