Identifying the Process on an Open Port

There are several ways to find the process on an open port. As an example, let’s find out which process is running on port 5000. The first attempt could be to use `grep` on the port with ps -ef.

dockeradm@ubuntusrv001:~$ ps -ef|grep 5000
UID PID PPID C STIME TTY TIME CMD
root 80078 79851 0 14:42 ? 00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5000 -container-ip 172.17.0.2 -container-port 5000
root 80087 79851 0 14:42 ? 00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 5000 -container-ip 172.17.0.2 -container-port 5000

dockeradm@ubuntusrv001:~$ ps -ef|grep 5000
UID PID PPID C STIME TTY TIME CMD
root 80078 79851 0 14:42 ? 00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5000 -container-ip 172.17.0.2 -container-port 5000
root 80087 79851 0 14:42 ? 00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 5000 -container-ip 172.17.0.2 -container-port 5000

This approach is only successful if a process receives the port as an argument. This is only the case in a few instances.

LSOF

The lsof command with the -i option followed by :<PORT> displays the processes that are keeping this port open.

💡If you are not the technical user under which the process is running, you will not see any output.

dockeradm@ubuntusrv001:~$ lsof -i :5000

dockeradm@ubuntusrv001:~$ lsof -i :5000

Using sudo or as the user who owns the process, the process name and process ID are displayed:

dockeradm@ubuntusrv001:~$ sudo lsof -i :5000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
docker-pr 80078 root 4u IPv4 665614 0t0 TCP *:5000 (LISTEN)
docker-pr 80087 root 4u IPv6 660124 0t0 TCP *:5000 (LISTEN)

dockeradm@ubuntusrv001:~$ sudo lsof -i :5000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
docker-pr 80078 root 4u IPv4 665614 0t0 TCP *:5000 (LISTEN)
docker-pr 80087 root 4u IPv6 660124 0t0 TCP *:5000 (LISTEN)

NETSTAT

netstat also displays the process and port (when logged in as the technical user under which the process is running or as root). If you are not the technical user, the process name will not be displayed.

dockeradm@ubuntusrv001:~$ netstat -tulnp|grep 5000
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp     0    0  0.0.0.0:5000   0.0.0.0:*   LISTEN   -
tcp6    0    0  :::5000        :::*        LISTEN   - 

dockeradm@ubuntusrv001:~$ netstat -tulnp|grep 5000
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp     0    0  0.0.0.0:5000   0.0.0.0:*   LISTEN   -
tcp6    0    0  :::5000        :::*        LISTEN   - 

As the user who owns the process, or as root, you can also see the associated process.

dockeradm@ubuntusrv001:~$ sudo netstat -tulnp|grep 5000
tcp   0  0 0.0.0.0:5000 0.0.0.0:* LISTEN 80078/docker-proxy
tcp6  0  0 :::5000        :::*    LISTEN 80087/docker-proxy

dockeradm@ubuntusrv001:~$ sudo netstat -tulnp|grep 5000
tcp   0  0 0.0.0.0:5000 0.0.0.0:* LISTEN 80078/docker-proxy
tcp6  0  0 :::5000        :::*    LISTEN 80087/docker-proxy

Conclusion

netstat always produces output. At least you can see that a process is using the port and its status (CONNECTED/LISTEN/…). Under certain circumstances, ps and lsof will show no results if permissions are insufficient, even though a process is using the port.