A process on my Linux system, strace tells me, is talking on a socket which has file descriptor 10. lsof tells me that this is a unix socket with inode 11085, and netstat further tells me that inode 11085 is a stream socket, and that it's connected.

Given that this process doesn't have any other threads, there must therefore be another process on the system that's connected to the other end of this socket. How do I find out what it is?

Update:

There's some illumination from the lsof author here. Essentially, it seems that Linux just doesn't provide this information.

+4  A: 

Does netstat -p help?

From Manpage:

  -p,
  --program Show the PID and name of the program to which each socket belongs.
HaBaLeS
Unfortunately, this is busybox netstat, so it doesn't support -p. But inode 11085 only turns up in the netstat output once anyway, so it seems that it only belongs to the process I already know about.
daf
@daf you should mention the use of busybox in your question (and maybe in a tag, too)
lothar
A: 

If for some reason you have no luck with the appropriate lsof and netstat options, you can also do the following:

find /proc -lname '*11085*' 2> /dev/null
efficientjelly
Cunning! As the system only has busybox find, -lname doesn't work, but we can emulate it:

$ for i in `find /proc -type l`; do readlink "$i" | grep -q 11085 && echo "$i"; done
/proc/1892/task/1892/fd/10
/proc/1892/fd/10

So, only the original process comes up.
daf
A: 
sigjuice
I'm already running it as root.
daf
+1  A: 

How about this: grep 11085 /proc/net/unix. Assuming there is a non-empty path present on the line with the inode you're interested in, grep for that path in /proc/net/unix to find the inode for the other end of the connection, then use efficientjelly's method to map the other inode to a pid.

A key point here is the fact that the two connected sockets will each have a different inode number.

Lance Richardson
Cunning! I didn't know about /proc/net/unix. Sadly, there isn't a path associated with this socket.
daf
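The lookup described in the answer above, written out as an added example (not code from the thread): it reads the path for an inode from /proc/net/unix, lists the other inodes bound to that path, and maps each one to PIDs through /proc/<pid>/fd, stopping with an error when the socket has no path, as in the comment above. The function names, the table-file and proc-root arguments, and the sample table are constructed for this illustration.

```shell
#!/bin/sh
# Added example; the NET and PROC arguments are parameters of this sketch so it can
# run against a constructed table and fd tree as well as the live /proc.

# Constructed sample in /proc/net/unix layout (not captured from a real system).
sample_table() {
    cat <<'EOF'
Num       RefCount Protocol Flags    Type St Inode Path
d0000040: 00000003 00000000 00000000 0001 03 11085 /var/run/demo.sock
d0000a80: 00000002 00000000 00010000 0001 01 11080 /var/run/demo.sock
d0001000: 00000003 00000000 00000000 0001 03 11090
EOF
}

# Print the path bound to inode $1 in table $2 (prints nothing if unnamed).
path_of_inode() {
    awk -v ino="$1" '$7 == ino && NF >= 8 {
        p = $8; for (i = 9; i <= NF; i++) p = p " " $i; print p }' "$2"
}

# Print every inode other than $1 in table $2 whose path equals $3.
inodes_on_path() {
    awk -v ino="$1" -v want="$3" 'NR > 1 && $7 != ino && NF >= 8 {
        p = $8; for (i = 9; i <= NF; i++) p = p " " $i
        if (p == want) print $7 }' "$2"
}

# Print the PIDs under proc root $2 holding socket inode $1. The link target is
# compared exactly, so inode 11085 does not also match 110850.
pids_of_inode() {
    for fd in "$2"/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then echo "$fd"; fi
    done | sed 's|.*/\([0-9]*\)/fd/.*|\1|' | sort -u
}

# For inode $1, print "<other inode> <pids...>" for each socket sharing its path.
same_path_holders() {
    net=${2:-/proc/net/unix}; proc=${3:-/proc}
    sockpath=$(path_of_inode "$1" "$net")
    if [ -z "$sockpath" ]; then
        echo "inode $1 has no path in $net, nothing to match on" >&2
        return 1
    fi
    for other in $(inodes_on_path "$1" "$net" "$sockpath"); do
        echo "$other" $(pids_of_inode "$other" "$proc")
    done
}
```

On a live system, `same_path_holders 11085` uses /proc/net/unix and /proc by default.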
A: 

Simply just print the socket object; also you can use socket.getRemotePort()

Thanks Bapi

Deepak
A: 

The reply from lsof author is seven years old. Is it still not possible to get this information from Linux kernel?

FWIW lsof on RHEL5 shows some memory address in the DEVICE column. According to lsof(8) this might be "a kernel reference address that identifies the file (The kernel reference address may be used for FIFO's, for example.)". Is there any way to resolve this address into details about the pipe?

oliver
A: 

Looks like if you're really desperate, you can get that information directly from Linux kernel memory by using some kernel debugger. With RHEL5's "crash" tool:

  • get uncompressed vmlinux image (eg. install kernel-debuginfo rpm, or extract vmlinux file from that rpm)
  • run "crash /path/to/vmlinux"
  • "net -s 12345" lists all sockets for PID 12345
  • find the interesting socket (has to be of family/type "UNIX:STREAM"), and note its "SOCK" value:
    • PID: 12345 TASK: e903d000 CPU: 0 COMMAND: "someapp"
    • FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
    • 36 cadd0240 c8a64040 UNIX:STREAM
  • you now have the address of the unix_sock struct for this socket
    • basically, unix_sock.peer.name is the name structure of the other end of the socket
    • print it with "p ((*((struct unix_sock*)( (struct unix_sock*)0xc8a64040)->peer)).addr).name"

Really sad that this information is not directly exported to userspace.

oliver