A port in computer networking refers to a communication end point on a particular machine. It is associated with one machine or an IP address and is used as a communication mechanism between two or more machines.
A port is said to be open when software is actively using it to receive or send data and/or requests. Often, programs (such as services) run all the time and actively listen on certain ports for requests. A web server is a good example: a server such as Apache listens on port 80 for requests from different client machines and serves web pages.
Most times, the software will open and close additional ports as required when it is running.
Many times you might find that there is a particular port open on your machine, but have no idea as to which program or software is using the port. Most well-known services usually use a pre-determined and standard port number (such as 80 for web server, 22 for ssh etc), which makes it easier to guess. But sometimes, you might have changed the default ports or it could actually be a rogue program or process that is using the port.
In order to find what program is using a particular port, you will obviously need to know the port number. Let’s say the port number you are interested in is 3306 and the machine is localhost. You can use any of the following commands to find out which program or process is currently using the port…
nmap (Network Mapper) is a powerful tool available in Linux for network scanning and security auditing. It can be used to probe a particular port in order to get much of the useful information available from the service using the port.
bash$ nmap -sV --reason -A -p 3306 localhost
The following is a small subset of the command line options supported by nmap that can be used in this scenario.
-A: This enables detection of the OS and version and prints additional information on the program.
-p: This option lets you specify a particular port or a range of ports for scanning.
--reason: This displays the reason why the port is in its current state.
-sV: This probes the port to find the service and version information.
A sample output of nmap when probed against port 3306 which is running mysql looks like what is shown below…
lsof is a utility that lists all open files in the system. You can use the -i option to further filter the output to just a particular port.
The basic syntax of the command is as shown below
lsof -i :portNumber
You can use the command below to probe the port 3306
bash$ lsof -i :3306
The output shows several useful pieces of information about the process using the port, such as the command, the process id and the user id. A sample output is shown below…
mysqld 2702 mysql 11u IPv4 5254 0t0 TCP localhost.localdomain:mysql (LISTEN)
netstat (Network Statistics) is another utility that is usually available in most Linux distros. It is used to print out network connections and routing tables.
bash$ netstat -tulpn
The command line options that are used here are
-t: Display TCP connections; do not use this if you want only the UDP ports
-u: display UDP connections
-l: Display listening sockets
-p: Display the process id and the program name
-n: Display numeric address
You can use grep to filter the output to just the port you are interested in
bash$ netstat -tulpn -ee | grep :3306
Unfortunately, netstat is an obsolete program but you should still find it installed in many distros and machines.
Another utility that can be used is called fuser. This outputs the process id that is using the port. The output of this utility is pretty concise compared to others listed above but it will still print out the process id and name which should be useful enough to track down the program or process.
You can use the command line options -u and -v to make the output a little more descriptive.
bash$ fuser -uv 3306/tcp
This is useful when you know the exact port number. If you want to scan and find all ports that are currently open on your machine, you can still use the above commands without specifying the port number. It is usually a good idea to scan your machine regularly to make sure that unnecessary ports are not being left open.
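One way to turn that regular scan into a repeatable check, as an added example that is not part of the original article: the script below reads netstat -tulpn output and reports every listening socket whose protocol/port pair is not on an allowlist you pass in. The function names audit_listeners and sample_netstat, the proto/port allowlist format and the sample input are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag listeners in `netstat -tulpn` output that are not on
# an allowlist. Function names and the allowlist format are hypothetical.

# audit_listeners PROTO/PORT...   (netstat -tulpn output on stdin)
# Prints "proto/port local-address owner" for every listener not allowed.
audit_listeners() {
    allowed=" $* "
    awk -v allowed="$allowed" '
        # Skip banner and header lines; socket rows start with tcp/udp,
        # or tcp6/udp6 for IPv6.
        $1 !~ /^(tcp|udp)6?$/ { next }
        {
            proto = $1; sub(/6$/, "", proto)
            # The port follows the last colon, which also covers ":::22".
            port = $4; sub(/.*:/, "", port)
            # Listening UDP rows have an empty State column, so the
            # PID/Program field is $6 there instead of $7.
            owner = (proto == "udp") ? $6 : $7
            # Without root, netstat prints "-" for sockets of other users.
            if (owner == "" || owner == "-") owner = "unknown(need-root)"
            key = proto "/" port
            if (index(allowed, " " key " ") == 0) print key, $4, owner
        }'
}

# Constructed sample input, not captured from a real machine.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN  2702/mysqld
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  811/sshd
tcp6       0      0 :::4444          :::*             LISTEN  -
udp        0      0 0.0.0.0:68       0.0.0.0:*                640/dhclient
EOF
}

# Demo: only ssh and mysql are expected on this host.
sample_netstat | audit_listeners tcp/22 tcp/3306
```

On a real machine, pipe netstat -tulpn (run as root so the owning process is visible) into audit_listeners instead of sample_netstat, then follow up on each reported port with lsof -i or fuser as shown above.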