3

On my system, if I run the netstat for a port, it returns:

$ netstat -nat | grep "60964"
tcp        0      0 192.0.0.1:60964             0.0.0.0:*            LISTEN      
tcp       59      0 192.0.0.1:60964             192.0.0.6:46962      ESTABLISHED

If I run lsof:

$ lsof -i4 | grep "60964"
process_x  2585 root  189u  IPv4  12708      0t0  TCP 192.0.0.1:60964 (LISTEN)

Why is there a difference in the output here? Why isn't lsof detecting the "established" connection.

Thanks!

Edit: I should mention I am the running the above commands as root.

brokenfoot
  • 155
  • 1
  • 5

3 Answers3

1

Unlike netstat, lsof requires root privileges in order to print all open ports on system. Although lsof manpage recommends lsof to be installed setuid root on Linux and setgid on BSD and many other Unixes, in fact most installations choose not to do so. (Whether those permissions should be turned on is another question.)

Therefore lsof displays connection for any process executed by current user only. To get a full list of connections, run lsof with root privilege.

Abel Cheung
  • 251
  • 1
  • 9
0

The only possibility I can think is that the port number is getting listed as a service name instead of port (see /etc/services). Adding "-P" argument would prevent this port name listing and instead just list the port number.

I don't see a port service name for 60964 on the Ubuntu and RedHat servers I have access to so this seems really weird.

You already commented that you were running lsof as root - so all processes should have been visible. From Abel Cheung question in the comments, we know that lsof isn't getting hung on a DNS query and not displaying that socket. Listing the socket state shouldn't be needed - nor specifying the PID.

Lars Nordin
  • 334
  • 2
  • 8
0

Have you tried 

lsof -i TCP -sTCP:ESTABLISHED
Ashwin Raveendran
  • 1