NETWORKING-PORT NUMBER IDs

NETWORKING-ID Ports & Process(es) Binding Them

Document Version:1.1 - 10/11/00

By: Myles Green
From tips supplied by David Bandel , Kurt Wall and Bruce Marshall

Tested on COL eServer 2.3 using the stock kernel binaries and runing Webmin, XDMCP and supplying NAT services to a small home network.

In The Beginning...

So, you have been using Linux for a while now and you feel pretty comfortable with your setup. One day, while reading a book on networking, you come across a few commands you can use to see what is happening on your little network. So, you fire up a terminal window and away you go:

[mylesg@router mylesg]$ su
Password:
[root@router mylesg]# netstat -l <<see man netstat for more information>>
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:1389 *:* LISTEN
tcp 0 0 *:1000 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
udp 0 0 *:xdmcp *:*
udp 0 0 *:sunrpc *:*
raw 0 0 *:icmp *:* 7
raw 0 0 *:tcp *:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 0 [ ACC ] STREAM LISTENING 58462 /tmp/.X11-unix/X0
unix 0 [ ACC ] STREAM LISTENING 82670 /tmp//kio_500_3883merlin_1.0
unix 0 [ ACC ] STREAM LISTENING 82672 /tmp//kfm_500_3883merlin_1.0

But wait!! What's that? Open ports? What is using those ports you ask yourself? So you consult with various RFC's and the Well Known Ports list (also found here) to find out, and they tell you something like: "iclpv-dm Document Manager". But of course! :-/ What is it? Where did it come from?

Narrowing Things Down

You can figure things out by using a few commands (as root) and knowing what services you have running:

fuser -n tcp <port number><<see man fuser for more information>>

This will spit back a line containing the port number and the PID(s) using it, like this:

<port number>/tcp<<or udp>> $PID

Ok, let's try it on the ports listed in the above example:

[root@router mylesg]# fuser -n tcp 6000
6000/tcp: 24624

[root@router mylesg]# fuser -n tcp 1389
1389/tcp: 3835 3841 3862 3883 3885 3886 3887 15590 15835 24624 24628

[root@router mylesg]# fuser -n tcp 1000
1000/tcp: 589

Naming The Process

OK, so now you have a bunch of Process ID numbers. How do you find out what the names of these processes are?
You can combine commands to make the job simple and (most importantly) fast, like this:

ps ax | grep $PID <<substitute $PID with the values returned from fuser in the previous step>>

The result is the process that's binding the port(s) in question:

<<see man ps and man grep for more information>>

[root@router mylesg]# ps ax | grep 24624
24624 ? S 0:02 /usr/X11R6/bin/X -auth /etc/X11/kdm/authdir/A:0-vU7lS

[root@router mylesg]# ps ax | grep 589
589 ? SW 0:00 [miniserv.pl]

[root@router mylesg]# ps ax | grep 3835
3835 ? S 0:00 -merlin:1
17593 pts/0 S 0:00 grep 3835

What Does It All Mean?

OK, what did we find out? Let's look at the ports one by one:

port 6000 is being used by PID 24624 which is (in this example only) /usr/X11R6/bin/X better known as XFree86
port 1389 is being used by PID 3835 (and several others) which we are told is -merlin:1 ... <<merlin is the name of a computer on my internal network>> so this has to do with running XDMCP and reflects a connection in place between "router" and "merlin"
port 1000 is being used by PID 589 or miniserv.pl which is part of Webmin, an administration tool.

Summary

So we found the evidence to support the fact that Webmin is running as is XDMCP and therefore XFree86 as well, so there are no ports open that shouldn't be open.