How to Identify Which Process is Using a Specific Port in Linux: A Sysadmin’s Guide


1 views

When you discover an unexpected open port through tools like nmap, the first step is identifying which process is bound to it. Linux provides several powerful built-in tools for this investigation:


# Method 1: Using netstat
sudo netstat -tulnp | grep :PORT_NUMBER

# Method 2: Using ss (modern alternative to netstat)
sudo ss -tulnp | grep :PORT_NUMBER

For more detailed information, lsof (List Open Files) is invaluable as it shows not just network ports but all file handles:


sudo lsof -i :PORT_NUMBER
sudo lsof -iTCP -sTCP:LISTEN

Linux's /proc filesystem contains real-time process information. Here's how to leverage it:


# Find the process ID first
PID=$(sudo lsof -t -i:PORT_NUMBER)

# Then investigate the process
cat /proc/$PID/cmdline
ls -l /proc/$PID/exe

Let's walk through identifying port 3000:


$ sudo ss -tulnp | grep :3000
tcp    LISTEN   0  128    *:3000    *:*    users:(("node",pid=1234,fd=21))

$ ps -p 1234 -o cmd
CMD
/usr/bin/node /opt/app/server.js

For frequent checks, create a reusable bash function:


portfinder() {
    if [ -z "$1" ]; then
        echo "Usage: portfinder PORT_NUMBER"
        return 1
    fi
    echo "Processes using port $1:"
    sudo lsof -i :$1 || sudo ss -tulnp | grep :$1
}

When investigating unknown ports:

  • Always verify the process's binary location and permissions
  • Check for suspicious process arguments or network connections
  • Compare against known-good baselines of your system

In containerized environments, you might need to check specific namespaces:


# For Docker containers
docker run --rm -it --net=host nicolaka/netshoot ss -tulnp

# For Kubernetes pods
kubectl exec POD_NAME -- ss -tulnp

When running network scans or troubleshooting services, Linux administrators often encounter unexpected open ports. Just last week, I discovered port 54321 open on one of our production servers with no documentation explaining its purpose. Here's how I tracked it down.

Linux provides several powerful utilities for port investigation:

  • ss (socket statistics) - Modern replacement for netstat
  • lsof (list open files) - Shows processes using files/sockets
  • netstat - Legacy tool, still useful on older systems
  • fuser - Identifies processes using files/sockets

Let's examine each approach with concrete examples.

Method 1: Using ss + grep

# Find processes listening on TCP port 54321
sudo ss -ltnp | grep ':54321'

# Output example:
# LISTEN 0      128          0.0.0.0:54321      0.0.0.0:*    users:(("python3",pid=14230,fd=3))

Method 2: The Powerful lsof Command

# Find process using TCP port 54321
sudo lsof -i :54321

# More detailed version showing process hierarchy:
sudo lsof -i :54321 -a -c sshd -R

Method 3: netstat (for Legacy Systems)

sudo netstat -tulnp | grep ':54321'

Method 4: Using fuser

# For TCP ports:
sudo fuser 54321/tcp

# Output shows PID: 14230
# Then investigate the process:
ps -p 14230 -o comm=

For more complex scenarios, consider these approaches:

Checking All IPv4 and IPv6 Ports

sudo lsof -i -P -n | grep LISTEN

Finding Processes Using UDP Ports

sudo ss -lunp | grep ':161'

Continuous Monitoring

watch -n 2 "ss -tulnp | grep ':54321'"

Last year, I discovered an unauthorized process listening on port 4444. Here's how I investigated:

# First identification
sudo ss -tulnp | grep ':4444'

# Output showed an unknown binary
# Getting full process info:
ps aux | grep 17892

# Located the binary path
ls -la /proc/17892/exe

# Confirmed it was malicious:
md5sum /tmp/.X11-unix/.rsync/c

# Then terminated and reported it
sudo kill -9 17892

To maintain system security:

  • Regularly audit open ports with cron jobs
  • Configure firewall rules to limit exposure
  • Monitor process listening behavior
  • Implement intrusion detection systems

Remember that containerized environments and Kubernetes add complexity - you may need to check both host and container namespaces when investigating ports.