Categories

How to find which service is listening on a given port

Written by Guillermo Garron .
Date: 2008-05-19 14:36:30 +0000

It is really important to know which ports are open in your PC, this is not only useful for Linux, but also for other operating systems, Linux has a lot of tools to check which ports are open, the most common is nmap which is a command line tool, but also exist a Graphical frontEnd for it if you prefer that way.

So to scan you own PC and find open ports you can enter:

nmap

sudo nmap -T Aggressive -A -v 127.0.0.1 -p 1-65000

That will scan all ports and you will an output like this:

Starting Nmap 4.53 ( http://insecure.org ) at 2008-05-19 10:20 BOT
Initiating SYN Stealth Scan at 10:20
Scanning localhost (127.0.0.1) [65000 ports]
Discovered open port 113/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 443/tcp on 127.0.0.1
Discovered open port 902/tcp on 127.0.0.1
Discovered open port 55378/tcp on 127.0.0.1
Discovered open port 3143/tcp on 127.0.0.1
Discovered open port 8307/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Discovered open port 8222/tcp on 127.0.0.1
Discovered open port 8308/tcp on 127.0.0.1
Discovered open port 8009/tcp on 127.0.0.1
Discovered open port 111/tcp on 127.0.0.1
Discovered open port 8005/tcp on 127.0.0.1
Discovered open port 8123/tcp on 127.0.0.1
Discovered open port 38599/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:20, 1.47s elapsed (65000 total ports)
Initiating Service scan at 10:20
Scanning 16 services on localhost (127.0.0.1)
Completed Service scan at 10:21, 88.68s elapsed (16 services on 1 host)
Initiating OS detection (try #1) against localhost (127.0.0.1)
Initiating RPCGrind Scan against localhost (127.0.0.1) at 10:21
Completed RPCGrind Scan against localhost (127.0.0.1) at 10:21, 0.12s elapsed (3 ports)
SCRIPT ENGINE: Initiating script scanning.
SCRIPT ENGINE: rpcinfo.nse is not a file.
SCRIPT ENGINE: Aborting script scan.
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
Not shown: 64984 closed ports
PORT      STATE SERVICE         VERSION
22/tcp    open  ssh             OpenSSH 4.7p1 Debian 9 (protocol 2.0)
80/tcp    open  http            Apache httpd 2.2.8 ((Debian))
111/tcp   open  rpcbind          2 (rpc #100000)
113/tcp   open  ident
443/tcp   open  https?
631/tcp   open  ipp             CUPS 1.2
902/tcp   open  ssl/vmware-auth VMware GSX Authentication Daemon 1.10 (Uses VNC, SOAP)
3143/tcp  open  unknown
8005/tcp  open  unknown
8009/tcp  open  ajp13?
8123/tcp  open  http-proxy      Polipo http proxy
8222/tcp  open  unknown
8307/tcp  open  unknown
8308/tcp  open  http            Apache Tomcat/Coyote JSP engine 1.1
38599/tcp open  status           1 (rpc #100024)
55378/tcp open  nlockmgr         1-4 (rpc #100021)

As you can see, it tries to guess which service is listening on each port, but it can make mistakes, so if you want to be sure you need to use some other tools, we will see three different now.

netstat

With netstat the command you need to enter is:

sudo netstat --tcp --udp --listening --program

The output could be something like this:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:902                   *:*                     LISTEN      3441/inetd      
tcp        0      0 *:38599                 *:*                     LISTEN      2926/rpc.statd  
tcp        0      0 *:3143                  *:*                     LISTEN      2763/perl       
tcp        0      0 *:sunrpc                *:*                     LISTEN      2919/portmap    
tcp        0      0 *:auth                  *:*                     LISTEN      3441/inetd      
tcp        0      0 *:55378                 *:*                     LISTEN      -               
tcp        0      0 *:8307                  *:*                     LISTEN      4096/vmware-hostd
tcp        0      0 localhost:ipp           *:*                     LISTEN      3407/cupsd      
tcp        0      0 *:https                 *:*                     LISTEN      4096/vmware-hostd
tcp        0      0 *:8123                  *:*                     LISTEN      3455/polipo     
tcp        0      0 *:8222                  *:*                     LISTEN      4096/vmware-hostd
tcp6       0      0 localhost:8005          [::]:*                  LISTEN      3956/webAccess  
tcp6       0      0 [::]:8009               [::]:*                  LISTEN      3956/webAccess  
tcp6       0      0 [::]:www                [::]:*                  LISTEN      4175/apache2    
tcp6       0      0 [::]:8308               [::]:*                  LISTEN      3956/webAccess  
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      3281/sshd       
udp        0      0 *:44807                 *:*                                 2926/rpc.statd  
udp        0      0 *:36555                 *:*                                 3467/avahi-daemon: 
udp        0      0 *:982                   *:*                                 2926/rpc.statd  
udp        0      0 *:mdns                  *:*                                 3467/avahi-daemon: 
udp        0      0 *:sunrpc                *:*                                 2919/portmap    
udp        0      0 *:ipp                   *:*                                 3407/cupsd      
udp6       0      0 [::]:51107              [::]:*                              3467/avahi-daemon: 
udp6       0      0 [::]:mdns               [::]:*                              3467/avahi-daemon: 

lsof

With this command you need to enter

sudo lsof +M -i4

You will get an output like this:

COMMAND    PID     USER   FD   TYPE DEVICE SIZE NODE NAME
apt-cache 2763 www-data    3u  IPv4   6403       TCP *:3143 (LISTEN)
portmap   2919   daemon    3u  IPv4   6686       UDP *:sunrpc[portmapper] 
portmap   2919   daemon    4u  IPv4   6687       TCP *:sunrpc[portmapper] (LISTEN)
rpc.statd 2926    statd    5u  IPv4   6726       UDP *:982 
rpc.statd 2926    statd    7u  IPv4   6736       UDP *:44807[status] 
rpc.statd 2926    statd    8u  IPv4   6741       TCP *:38599[status] (LISTEN)
cupsd     3407     root    0u  IPv4  20058       TCP localhost:ipp (LISTEN)
cupsd     3407     root    3u  IPv4  20061       UDP *:ipp 
inetd     3441     root    4u  IPv4   7612       TCP *:auth (LISTEN)
inetd     3441     root    5u  IPv4   7615       TCP *:902 (LISTEN)
polipo    3455    proxy    0u  IPv4   7649       TCP *:8123 (LISTEN)
polipo    3455    proxy    2u  IPv4  11350       UDP debian.go2linux.org:59528->vnsc-bak.sys.gtei.net:domain 
polipo    3455    proxy    5u  IPv4  21863       TCP localhost:8123->localhost:56811 (ESTABLISHED)
polipo    3455    proxy    8u  IPv4  21405       TCP localhost:8123->localhost:50403 (ESTABLISHED)
polipo    3455    proxy   22u  IPv4  21872       TCP localhost:8123->localhost:56813 (ESTABLISHED)
polipo    3455    proxy   42u  IPv4  21965       TCP localhost:8123->localhost:56828 (ESTABLISHED)
avahi-dae 3467    avahi   14u  IPv4   7702       UDP *:mdns 
avahi-dae 3467    avahi   16u  IPv4   7704       UDP *:36555 
vmware-ho 4096     root    6u  IPv4   9022       TCP *:https (LISTEN)
vmware-ho 4096     root    7u  IPv4   9023       TCP *:8222 (LISTEN)
vmware-ho 4096     root   30u  IPv4   9455       TCP *:8307 (LISTEN)
firefox-b 4431  ggarron   58u  IPv4  21862       TCP localhost:56811->localhost:8123 (ESTABLISHED)
firefox-b 4431  ggarron   61u  IPv4  21871       TCP localhost:56813->localhost:8123 (ESTABLISHED)
firefox-b 4431  ggarron   62u  IPv4  21964       TCP localhost:56828->localhost:8123 (ESTABLISHED)
firefox-b 4431  ggarron   68u  IPv4  21404       TCP localhost:50403->localhost:8123 (ESTABLISHED)

fuser

Fuser, does help, but is not like those other tools, with fuser you can also kill the process which is listening on a given port.

sudo fuser -v 3143/tcp

The output is:

	     USER        PID ACCESS COMMAND
3143/tcp:    www-data   2763 F.... apt-cacher

If you need to kill the process enter

sudo fuser -vk 3143/tcp

Do not forget to read the man pages of this tools to have more info about its uses

permalink

If you enjoyed the article, please share it

twitter | facebook | google+ | linkedin | email | reddit


comments powered by Disqus

Sponsor

Bio.

My name is Guillermo Garron. I am telecommunications engineer from Bolivia

I like technology a lot, and this site is mainly dedicated to that

Social feeds

rss | twitter | email | google+

Posts via email

If you use the letter icon above and subscribe to my tinyletter newsletter, you will get one to two emails, related to this site, or not. If what you want is to get the posts of this site via email, use the form below

Enter your email address:

Delivered by FeedBurner