How to find which service is listening on a given port
Written by Guillermo Garron
Date: 2008-05-19 10:36:30 00:00
It is really important to know which ports are open in your PC, this is not only useful for Linux, but also for other operating systems, Linux has a lot of tools to check which ports are open, the most common is nmap which is a command line tool, but also exist a Graphical frontEnd for it if you prefer that way.
So to scan you own PC and find open ports you can enter:
nmap
sudo nmap -T Aggressive -A -v 127.0.0.1 -p 1-65000
That will scan all ports and you will an output like this:
Starting Nmap 4.53 ( http://insecure.org ) at 2008-05-19 10:20 BOT
Initiating SYN Stealth Scan at 10:20
Scanning localhost (127.0.0.1) [65000 ports]
Discovered open port 113/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 443/tcp on 127.0.0.1
Discovered open port 902/tcp on 127.0.0.1
Discovered open port 55378/tcp on 127.0.0.1
Discovered open port 3143/tcp on 127.0.0.1
Discovered open port 8307/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Discovered open port 8222/tcp on 127.0.0.1
Discovered open port 8308/tcp on 127.0.0.1
Discovered open port 8009/tcp on 127.0.0.1
Discovered open port 111/tcp on 127.0.0.1
Discovered open port 8005/tcp on 127.0.0.1
Discovered open port 8123/tcp on 127.0.0.1
Discovered open port 38599/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:20, 1.47s elapsed (65000 total ports)
Initiating Service scan at 10:20
Scanning 16 services on localhost (127.0.0.1)
Completed Service scan at 10:21, 88.68s elapsed (16 services on 1 host)
Initiating OS detection (try #1) against localhost (127.0.0.1)
Initiating RPCGrind Scan against localhost (127.0.0.1) at 10:21
Completed RPCGrind Scan against localhost (127.0.0.1) at 10:21, 0.12s elapsed (3 ports)
SCRIPT ENGINE: Initiating script scanning.
SCRIPT ENGINE: rpcinfo.nse is not a file.
SCRIPT ENGINE: Aborting script scan.
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
Not shown: 64984 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 9 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Debian))
111/tcp open rpcbind 2 (rpc #100000)
113/tcp open ident
443/tcp open https?
631/tcp open ipp CUPS 1.2
902/tcp open ssl/vmware-auth VMware GSX Authentication Daemon 1.10 (Uses VNC, SOAP)
3143/tcp open unknown
8005/tcp open unknown
8009/tcp open ajp13?
8123/tcp open http-proxy Polipo http proxy
8222/tcp open unknown
8307/tcp open unknown
8308/tcp open http Apache Tomcat/Coyote JSP engine 1.1
38599/tcp open status 1 (rpc #100024)
55378/tcp open nlockmgr 1-4 (rpc #100021)
As you can see, it tries to guess which service is listening on each port, but it can make mistakes, so if you want to be sure you need to use some other tools, we will see three different now.
netstat
With netstat the command you need to enter is:
sudo netstat --tcp --udp --listening --program
The output could be something like this:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:902 *:* LISTEN 3441/inetd
tcp 0 0 *:38599 *:* LISTEN 2926/rpc.statd
tcp 0 0 *:3143 *:* LISTEN 2763/perl
tcp 0 0 *:sunrpc *:* LISTEN 2919/portmap
tcp 0 0 *:auth *:* LISTEN 3441/inetd
tcp 0 0 *:55378 *:* LISTEN -
tcp 0 0 *:8307 *:* LISTEN 4096/vmware-hostd
tcp 0 0 localhost:ipp *:* LISTEN 3407/cupsd
tcp 0 0 *:https *:* LISTEN 4096/vmware-hostd
tcp 0 0 *:8123 *:* LISTEN 3455/polipo
tcp 0 0 *:8222 *:* LISTEN 4096/vmware-hostd
tcp6 0 0 localhost:8005 [::]:* LISTEN 3956/webAccess
tcp6 0 0 [::]:8009 [::]:* LISTEN 3956/webAccess
tcp6 0 0 [::]:www [::]:* LISTEN 4175/apache2
tcp6 0 0 [::]:8308 [::]:* LISTEN 3956/webAccess
tcp6 0 0 [::]:ssh [::]:* LISTEN 3281/sshd
udp 0 0 *:44807 *:* 2926/rpc.statd
udp 0 0 *:36555 *:* 3467/avahi-daemon:
udp 0 0 *:982 *:* 2926/rpc.statd
udp 0 0 *:mdns *:* 3467/avahi-daemon:
udp 0 0 *:sunrpc *:* 2919/portmap
udp 0 0 *:ipp *:* 3407/cupsd
udp6 0 0 [::]:51107 [::]:* 3467/avahi-daemon:
udp6 0 0 [::]:mdns [::]:* 3467/avahi-daemon:
lsof
With this command you need to enter
sudo lsof +M -i4
You will get an output like this:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
apt-cache 2763 www-data 3u IPv4 6403 TCP *:3143 (LISTEN)
portmap 2919 daemon 3u IPv4 6686 UDP *:sunrpc[portmapper]
portmap 2919 daemon 4u IPv4 6687 TCP *:sunrpc[portmapper] (LISTEN)
rpc.statd 2926 statd 5u IPv4 6726 UDP *:982
rpc.statd 2926 statd 7u IPv4 6736 UDP *:44807[status]
rpc.statd 2926 statd 8u IPv4 6741 TCP *:38599[status] (LISTEN)
cupsd 3407 root 0u IPv4 20058 TCP localhost:ipp (LISTEN)
cupsd 3407 root 3u IPv4 20061 UDP *:ipp
inetd 3441 root 4u IPv4 7612 TCP *:auth (LISTEN)
inetd 3441 root 5u IPv4 7615 TCP *:902 (LISTEN)
polipo 3455 proxy 0u IPv4 7649 TCP *:8123 (LISTEN)
polipo 3455 proxy 2u IPv4 11350 UDP debian.go2linux.org:59528->vnsc-bak.sys.gtei.net:domain
polipo 3455 proxy 5u IPv4 21863 TCP localhost:8123->localhost:56811 (ESTABLISHED)
polipo 3455 proxy 8u IPv4 21405 TCP localhost:8123->localhost:50403 (ESTABLISHED)
polipo 3455 proxy 22u IPv4 21872 TCP localhost:8123->localhost:56813 (ESTABLISHED)
polipo 3455 proxy 42u IPv4 21965 TCP localhost:8123->localhost:56828 (ESTABLISHED)
avahi-dae 3467 avahi 14u IPv4 7702 UDP *:mdns
avahi-dae 3467 avahi 16u IPv4 7704 UDP *:36555
vmware-ho 4096 root 6u IPv4 9022 TCP *:https (LISTEN)
vmware-ho 4096 root 7u IPv4 9023 TCP *:8222 (LISTEN)
vmware-ho 4096 root 30u IPv4 9455 TCP *:8307 (LISTEN)
firefox-b 4431 ggarron 58u IPv4 21862 TCP localhost:56811->localhost:8123 (ESTABLISHED)
firefox-b 4431 ggarron 61u IPv4 21871 TCP localhost:56813->localhost:8123 (ESTABLISHED)
firefox-b 4431 ggarron 62u IPv4 21964 TCP localhost:56828->localhost:8123 (ESTABLISHED)
firefox-b 4431 ggarron 68u IPv4 21404 TCP localhost:50403->localhost:8123 (ESTABLISHED)
fuser
Fuser, does help, but is not like those other tools, with fuser you can also kill the process which is listening on a given port.
sudo fuser -v 3143/tcp
The output is:
USER PID ACCESS COMMAND
3143/tcp: www-data 2763 F.... apt-cacher
If you need to kill the process enter
sudo fuser -vk 3143/tcp
Do not forget to read the man pages of this tools to have more info about its uses