Debugging Mystery Ports: When netstat Shows Listening Ports Without PIDs and lsof Finds Nothing


2 views

During routine system checks, I encountered something curious - netstat reported open TCP/UDP ports without associated PIDs, while lsof couldn't identify any process owning these ports. The ports changed after reboot but the behavior persisted. Here's how I investigated:

# First verification
netstat -lntup | grep -E '44231|55234'
tcp        0      0 0.0.0.0:44231           0.0.0.0:*               LISTEN      - 
udp        0      0 0.0.0.0:55234           0.0.0.0:*                           - 

# Cross-checking with alternative tools
ss -tulnp | grep -E '44231|55234'
# No output

sudo lsof -i :44231
# No output

When basic tools fail, we need deeper inspection methods:

# Check kernel sockets
cat /proc/net/tcp | grep -i "0A8F"  # 44231 in hex
cat /proc/net/udp | grep -i "D7C2"  # 55234 in hex

# Check for kernel modules using ports
sudo lsmod | awk '{print $1}' | xargs -n1 modinfo | grep -i "port"

# Audit kernel events
sudo auditctl -a exit,always -F arch=b64 -S socket -F success=1

Based on similar reports across StackOverflow and ServerFault, these are possible causes:

  • Kernel-level services: Some network functions operate at kernel level without userspace process
  • Early boot services: Services that start before PID tracking is available
  • Container/virtualization artifacts: Orchestration systems sometimes create proxy ports
  • Kernel modules: Certain drivers open ports for management interfaces

Here's the step-by-step approach I took to identify the ports:

# 1. Check systemd for socket activation
systemctl list-sockets | grep -E '44231|55234'

# 2. Inspect kernel ring buffer
dmesg | grep -i "port"

# 3. Verify no hidden containers exist
sudo docker ps -a
sudo podman ps -a

# 4. Deep socket inspection with strace
sudo strace -f -e trace=network -p $(pgrep -f "service_name")

In my case, these turned out to be ports opened by a kernel module for hardware monitoring. The solution was to either:

# Option 1: Blacklist the module
echo "blacklist problematic_module" | sudo tee /etc/modprobe.d/blacklist.conf

# Option 2: Configure the module to not use network ports
echo "options problematic_module use_network=0" | sudo tee /etc/modprobe.d/probmodule.conf

Always verify system functionality after making these changes.

To catch similar issues proactively:

# Create a monitoring script
#!/bin/bash
MYSTERY_PORTS=$(netstat -lntup | awk '$6 == "-" && $1 ~ /tcp|udp/ {print $1,$4}')
if [ -n "$MYSTERY_PORTS" ]; then
    echo "Alert: Found mystery ports" | mail -s "Port Alert" admin@example.com
    logger "Mystery ports detected: $MYSTERY_PORTS"
fi

You're running netstat -lntup and seeing open ports that shouldn't exist - TCP and UDP ports listening with no associated process ID. Even more confusing, lsof and fuser show nothing for these ports.

# Typical problematic output:
Proto Recv-Q Send-Q Local Address  Foreign Address State  PID/Program name
tcp   0      0      0.0.0.0:44231  0.0.0.0:*       LISTEN -  
udp   0      0      0.0.0.0:55234  0.0.0.0:*              -

When standard tools fail, we need deeper inspection methods:

# 1. Check kernel sockets directly
ss -ltupn | grep -E '44231|55234'

# 2. Inspect kernel connection tracking
conntrack -L | grep -E '44231|55234'

# 3. Kernel socket allocation tracking
cat /proc/net/tcp | grep -i 'A[DE0-9]*:44231'
cat /proc/net/udp | grep -i 'A[DE0-9]*:55234'

Based on the behavior (ports changing after reboot), these are likely causes:

1. Kernel Modules or Services

Some kernel modules create sockets without traditional PIDs:

# Check loaded kernel modules
lsmod | grep -i 'rpc|sunrpc|nfs|dns|dhcp'

# Try unloading suspect modules
sudo modprobe -r module_name

2. Early-Boot Services

Services started before PID tracking begins may not show properly:

# Check systemd-analyze for early starters
systemd-analyze blame | head -20

# Alternative using boot chart
systemd-analyze plot > boot.svg

3. Socket Activation

Systemd's socket activation can create this scenario:

# Find socket units
systemctl list-sockets --all

# Check for corresponding service
systemctl status *.socket

When all else fails, examine the network stack directly:

# Dump kernel socket allocations
sudo sysctl net.ipv4.tcp_keepalive_time=30
sudo tcpdump -i lo 'port 44231 or port 55234' -vvv

# Check firewall/NAT rules that might create ports
sudo iptables -t nat -L -n -v
sudo nft list ruleset

Create a monitoring script to catch the port creation moment:

#!/bin/bash
while true; do
  netstat -lntup | grep -E '0.0.0.0:[0-9]+.*-'
  if [ $? -eq 0 ]; then
    echo "Mystery port detected at $(date)"
    ss -ltupn | grep -E '0.0.0.0:[0-9]+'
    break
  fi
  sleep 5
done