2

I have a RHEL server with several apps on it and I am attempting to figure out which one of them is making calls to an external web service. I have TCP dumps that show the calls being made and through various tools I am able to determine what ephemeral port is making those calls. However, I am unable to figure out how to map that ephemeral port to a pid. I am aware that I can use lsof -i to map bound ports to pids, but this is not my problem.

Is there any way to map an in-use ephemeral port to a pid or some other indicator as to what file is making the call?

Abhijeet Kasurde
  • 983
  • 9
  • 20
jdw
  • 3,855
  • 2
  • 17
  • 21
  • What makes you think lsof -i won't work for ephemeral ports? Are you just having trouble running lsof in the right time window? – sciurus Oct 02 '13 at 04:25
  • I think that may be it. Whenever I run lsof against this particular connection, there is nothing in the PID/Program column. May be a timing issue. – jdw Oct 02 '13 at 11:55
  • You could try lsof's repeat mode. Add the option -r1 to have it poll every second. – sciurus Oct 03 '13 at 17:58

2 Answers2

6
lsof -i $PROTOCOL:$PORT
fuser $PORT/$PROTOCOL
netstat -np | grep $PORT

Any of those should work. Below is sample output showing my mail client using ephemeral port 56375 to talk to an IMAP server for further explanation:

$ sudo netstat -np | grep 56375
tcp        0      0 192.168.1.1:56375      217.70.184.11:993       ESTABLISHED 3256/thunderbird

$ fuser 56375/tcp
56375/tcp:            3256

$ lsof -i tcp:56375
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
thunderbi 3256   me     87u  IPv4 510573      0t0  TCP hostname:56375->example.com:imaps (ESTABLISHED)
Dharma Bellamkonda
  • 107
  • 3
sciurus
  • 12,678
  • 2
  • 31
  • 49
2

netstat will list all pid and port respective to each other. netstat -nlp will provide you port to pid mapping.

Abhijeet Kasurde
  • 983
  • 9
  • 20