Stalione Guru
Joined: 21 Apr 2002 Posts: 335
|
Posted: Wed Jul 16, 2003 4:29 pm Post subject: netstat output question |
|
|
Hi,
I am trying to figure out how netstat command figures out what daemon is listening on a particular port. Initially I thought it was referencing the /etc/service file but that does not seem to be the case. Here is a sample output from my system's netstat command:
Code: |
rooster root # netstat -alnp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:901 0.0.0.0:* LISTEN 1085/xinetd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 750/
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 998/smbd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 854/
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 755/apache2
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 817/
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 967/
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1031/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 755/apache2
|
I am trying to figure out how it figures out the PID/Program part of the output. Actually what I'm really trying to figure out is why it doesn't list mysql, proftpd etc. as PID/Program for ports 3306 and 21 respectively. Any ideas?? |
|
|
|
Stalione Guru
Joined: 21 Apr 2002 Posts: 335
|
Posted: Wed Jul 16, 2003 7:03 pm Post subject: |
|
|
Does anyone know where I can find the source code to netstat? I know in Gentoo it's part of some other package, is it bind-tools? |
|
|
|
paranode l33t
Joined: 06 Mar 2003 Posts: 679 Location: Texas
|
Posted: Wed Jul 16, 2003 7:45 pm Post subject: |
|
|
Not sure of the answer to your original question, but netstat is part of sys-apps/net-tools. _________________ Meh. |
|
|
|
devon l33t
Joined: 23 Jun 2003 Posts: 943
|
Posted: Wed Jul 16, 2003 10:23 pm Post subject: |
|
|
I believe it is because a child process of the main program made the inet socket... Just a theory though.
Code: |
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 26681/
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 16489/httpd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 26321/xinetd
tcp 0 0 0.0.0.0:13782 0.0.0.0:* LISTEN 26321/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 462/sshd
tcp 0 0 0.0.0.0:13783 0.0.0.0:* LISTEN 26321/xinetd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 547/
tcp 0 0 0.0.0.0:13722 0.0.0.0:* LISTEN 26321/xinetd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 16489/httpd
tcp 0 0 0.0.0.0:13724 0.0.0.0:* LISTEN 26321/xinetd
|
Code: |
# pstree -p
init(1)-+-atd(625)
|-bdflush(5)
|-crond(26377)
|-httpd(16489)-+-httpd(20828)
| |-httpd(22546)
| |-httpd(22579)
| |-httpd(22584)
| |-httpd(22589)
| |-httpd(28462)
| |-httpd(30898)
| `-httpd(31697)
|-keventd(2)
|-khubd(68)
|-kjournald(16)
|-kjournald(161)
|-klogd(441)
|-ksoftirqd_CPU0(3)
|-kswapd(4)
|-kupdated(6)
|-mdrecoveryd(7)
|-mingetty(675)
|-mingetty(676)
|-mingetty(677)
|-mingetty(678)
|-mingetty(679)
|-mingetty(680)
|-ntpd(488)
|-safe_mysqld(26624)---mysqld(26681)---mysqld(26683)---mysqld(26684)
|-scsi_eh_0(13)
|-sendmail(547)
|-sendmail(557)
|-sshd(462)-+-sshd(18947)---bash(18951)
| `-sshd(27660)---sshd(27664)---bash(27665)---su(1449)---bash(1450)---pstree(1639)
|-syslogd(437)
|-xfs(607)
`-xinetd(26321) |
|
|
|
|
Stalione Guru
Joined: 21 Apr 2002 Posts: 335
|
Posted: Thu Jul 17, 2003 5:25 pm Post subject: |
|
|
Looks like you are starting ftp and some other services using xinetd. So that makes sense for netstat to display xinetd under PID/Program name for those services. But mysql is started directly and not via xinetd... I have a feeling my answer lies in the source code. |
|
|
|
nerdbert l33t
Joined: 09 Feb 2003 Posts: 981 Location: Berlin
|
Posted: Thu Jul 17, 2003 6:53 pm Post subject: |
|
|
Have you tried
Code: |
lsof | grep netstat |
while running netstat? Maybe this gives some relevant hints. |
|
|
|
Stalione Guru
Joined: 21 Apr 2002 Posts: 335
|
Posted: Fri Dec 19, 2003 5:09 pm Post subject: |
|
|
Although I still have not found an answer to my original question (I never got around to looking at the source code), I came across something that I think is handy. Currently I am running gnump3d on port 8080 and elogd on port 8081. Doing a netstat -al tells me that on those ports I have (only relevant section shown):
Code: |
tcp 0 0 *:webcache *:* LISTEN
tcp 0 0 *:tproxy *:* LISTEN
|
This is a bit misleading since I am not running those services. Turns out that this info is pulled from /etc/services file. I simply edited the relevant section:
Code: |
#webcache 8080/tcp # WWW caching service
gnump3d 8080/tcp
gnump3d 8080/udp
#webcache 8080/udp # WWW caching service
#tproxy 8081/tcp # Transparent Proxy
elogd 8081/tcp
#proxy 8081/udp # Transparent Proxy
elogd 8081/udp
|
After saving the changes the output of netstat -al is:
Code: |
tcp 0 0 *:gnump3d *:* LISTEN
tcp 0 0 *:elogd *:* LISTEN
|
Nothing major...just makes for a nicer and more accurate output.
Also check out the IANA port listing for ports not listed in /etc/services |
|
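Added example, not part of any post above and not net-tools source code: on Linux, the PID/Program column asked about at the top of the thread can be derived from procfs by matching the socket inodes listed in /proc/net/tcp against the `socket:[inode]` links under /proc/<pid>/fd, then taking the basename of argv[0] from /proc/<pid>/cmdline. The function names, PIDs, inodes and the small procfs tree built below are constructed for this example.

```python
import os
import re
from pathlib import Path

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")  # target of a socket fd symlink
# Constructed /proc/net/tcp sample: two LISTEN (st 0A) rows, one ESTABLISHED (01).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    60        0 5001 1
   1: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5002 1
   2: 0100007F:0016 0100007F:C001 01 00000000:00000000 00:00000000 00000000     0        0 5003 1
"""

def listening_sockets(proc_root):
    """Return {inode: port} for IPv4 TCP sockets in LISTEN state."""
    rows = [l.split() for l in Path(proc_root, "net", "tcp").read_text().splitlines()[1:]]
    return {r[9]: int(r[1].rsplit(":", 1)[1], 16)
            for r in rows if len(r) > 9 and r[3] == "0A"}

def socket_owners(proc_root):
    """Return {inode: (pid, name)}; lowest PID wins for an inherited socket."""
    owners = {}
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        base = Path(proc_root, pid)
        try:
            links = [os.readlink(fd) for fd in (base / "fd").iterdir()]
            argv0 = (base / "cmdline").read_bytes().split(b"\0", 1)[0]
        except OSError:
            continue  # unreadable without root, or the process exited mid-scan
        name = os.path.basename(argv0.decode(errors="replace"))
        for m in filter(None, map(SOCKET_LINK.fullmatch, links)):
            owners.setdefault(m.group(1), (int(pid), name))
    return owners

def listeners(proc_root="/proc"):
    """Rows of (port, pid, program): the data behind the PID/Program column."""
    owners, socks = socket_owners(proc_root), listening_sockets(proc_root)
    return sorted(((port, *owners.get(inode, (None, "")))
                   for inode, port in socks.items()), key=lambda r: r[0])

def build_sample_proc(root):
    """Constructed procfs tree: PID 750 and forked child 752 share inode 5001."""
    Path(root, "net").mkdir()
    Path(root, "net", "tcp").write_text(SAMPLE_TCP)
    for pid in ("750", "752"):
        Path(root, pid, "fd").mkdir(parents=True)
        Path(root, pid, "fd", "3").symlink_to("socket:[5001]")
        Path(root, pid, "cmdline").write_bytes(b"/usr/sbin/mysqld\0--basedir=/usr\0")
    return root
```

Called with no argument, `listeners()` reads the live /proc. Run without root, sockets owned by other users come back with no PID, which netstat prints as `-`.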
|
|
|