[TriLUG] which process is listening on this socket

Steve Holton sph0lt0n at gmail.com
Wed Feb 29 16:24:49 EST 2012


Thanks, Aaron.

You are correct, the installed (stock) netstat doesn't support the -p
option.

Thanks for the suggestions. The system is live so I can't use
break-and-destroy, otherwise I might also consider 'fuzz' testing the port,
and see what fails or who complains.

But I hadn't thought of looking at who's talking to whom until now.
There may be some interesting info available through wireshark...

Still open to suggestions, but thanks to those who've responded so far.


On Wed, Feb 29, 2012 at 3:46 PM, Aaron Joyner <aaron at joyner.ws> wrote:

> I started to reply w/ the -ap suggestion earlier, with the caveat that
> if you really meant what you said (SysV) it probably isn't an arg in
> that old a version.  Others beat me to the punch while I was typing.
> I'm going to assume it's not a fixed port that's listed in
> /etc/services.
>
> Depending on what this system is doing, you might be able to use a few
> more interesting / brute-force options that won't require you to get a
> working build environment going... but these ideas aren't valid on a
> live serving system.  Here goes:
> 1) The simplest and most direct method would be to kill pids in a loop
> until you kill the pid that causes the LISTEN to disappear.
> 2) Bring the system down to single user mode, gradually spin through
> the init scripts by hand until the LISTEN returns.
> 3) If the port is fixed (ie. not dynamically allocated), grep for it
> in the startup scripts and the binaries.  It's got to be specified
> somewhere, although depending on the number of significant digits this
> might be a needle-in-a-haystack problem (for example, finding that
> OpenSSH listens on port 22 that way is a nonstarter... finding IRC on
> 6667 is a bit more practical, some custom daemon on port 31895 might
> be easier still).
>
> Good luck!
> Aaron S. Joyner
>
>
> On Wed, Feb 29, 2012 at 3:14 PM, Steve Holton <sph0lt0n at gmail.com> wrote:
> > On Wed, Feb 29, 2012 at 2:37 PM, Alexey Toptygin <alexeyt at freeshell.org> wrote:
> >
> >> Not literally SVR4, but a descendant, surely? What's the exact system?
> >
> >
> > sholton at rtpfvme1> uname -a
> > UNIX_System_V rtpfvme1 4.0 R40V4.4 m88k mc88110
> >
> > Yes, literally.
> >
> > I'm looking into recreating a build environment, but autoconf wants a sane
> > 'grep' and now we're 3 steps from hunting a socket user....
> >
> > (Funny, at one time I wanted to be an archaeologist when I grew up...)
> >
>

-- 
Steve Holton
sph0lt0n at gmail.com
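
An added example, not part of the original messages: a sketch of suggestion 3 in the quoted reply (grep the startup scripts for the port), matching the port only as a standalone number so that a short port such as 22 is not also counted inside 2222 or 122. The function names, the sample directory layout and the `acmed` daemon are constructed for illustration; the script assumes a `grep` that supports `-E` and `-c`, and it finds only ports written out as text, not ports compiled into a binary as an integer constant.

```shell
#!/bin/sh
# Added example, not from the thread; file names and contents are constructed.

# port_hits PORT DIR: print "matching-lines<TAB>file", busiest file first.
# The port must stand alone, so 22 does not match 2222, 122 or 31895.
port_hits() {
    pat="(^|[^0-9])$1([^0-9]|\$)"
    find "$2" -type f -print | while IFS= read -r f; do
        n=$(grep -E -c -- "$pat" "$f" 2>/dev/null) || n=0
        if [ "$n" -gt 0 ]; then printf '%s\t%s\n' "$n" "$f"; fi
    done | sort -rn
}

# port_file_count PORT DIR: number of files left to read by hand.
port_file_count() {
    port_hits "$1" "$2" | wc -l | tr -d ' '
}

# make_sample DIR: constructed stand-ins for startup scripts.
make_sample() {
    mkdir -p "$1/rc2.d"
    cat > "$1/rc2.d/S10net" <<'EOF'
# rev 22 of this script
sleep 22
ifconfig le0 up
EOF
    cat > "$1/rc2.d/S50sshd" <<'EOF'
/usr/sbin/sshd -p 22
EOF
    cat > "$1/rc2.d/S80custom" <<'EOF'
# retry 22 times, then give up after 2222 seconds (was 122)
/opt/acme/bin/acmed -l 31895 &
EOF
    cat > "$1/inittab" <<'EOF'
s2:23:wait:/sbin/rc2 >/dev/console 2>&1
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    echo "port 22:    $(port_file_count 22 "$d") file(s) to inspect"
    echo "port 31895: $(port_file_count 31895 "$d") file(s) to inspect"
    port_hits 31895 "$d"
    rm -rf "$d"
}
demo
```

On the constructed sample, port 22 turns up in three files, two of them only in unrelated comments and a `sleep`, while 31895 points at a single script.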


