What programs are listening to the network?

Posted on by

Sometimes, I’d like to know what programs on my system are listening to the network, and to quote the Perl motto, “there’s more than one way to do it”. On Linux, there’s lsof -Pi and netstat -p. On Windows XP and Vista, there’s the built-in netstat -b[v] -a and a separate utility called tcpview. I’ve included example usages and outputs.

lsof (Linux)

sudo lsof -Pni

COMMAND     PID    USER   FD   TYPE DEVICE SIZE NODE NAME
python     1886    root    4u  IPv4   6621       TCP 127.0.0.1:2207 (LISTEN)
cupsd      1898    root    3u  IPv4   6663       TCP 127.0.0.1:631 (LISTEN)
cupsd      1898    root    4u  IPv6   6664       TCP [::1]:631 (LISTEN)
cupsd      1898    root    6u  IPv4   6667       UDP *:631
sshd       1912    root    3u  IPv4   6711       TCP *:22 (LISTEN)
httpd     20084  apache    4u  IPv6   7293       TCP *:80 (LISTEN)
httpd     20085  apache    4u  IPv6   7293       TCP *:80 (LISTEN)
httpd     20086  apache    4u  IPv6   7293       TCP *:80 (LISTEN)
httpd     20087  apache    4u  IPv6   7293       TCP *:80 (LISTEN)
httpd     20088  apache    4u  IPv6   7293       TCP *:80 (LISTEN)
httpd     20089  apache    4u  IPv6   7293       TCP *:80 (LISTEN)
httpd     20090  apache    4u  IPv6   7293       TCP *:80 (LISTEN)
httpd     20091  apache    4u  IPv6   7293       TCP *:80 (LISTEN)

netstat (Linux)

sudo netstat -lp --inet --numeric-hosts

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:ssh      0.0.0.0:*        LISTEN  1912/sshd
tcp        0      0 127.0.0.1:ipp    0.0.0.0:*        LISTEN  1898/cupsd
tcp        0      0 127.0.0.1:2207   0.0.0.0:*        LISTEN  1886/python
udp        0      0 0.0.0.0:ipp      0.0.0.0:*                1898/cupsd

Where’s httpd? It should be there, and it is, when I exclude the --inet option:

Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 :::http          :::*             LISTEN  2038/httpd
tcp        0      0 ::1:ipp          :::*             LISTEN  1898/cupsd

TcpView (Windows)

Download and start TcpView. From the menu, choose File > Save. Here’s the output from the file.

Process           Protocol Local Address            Remote Address   State
svchost.exe:1064  TCP      jareds-xp:epmapi         jareds-xp:0      LISTENING
System:4          TCP      jareds-xp:microsoft-ds   jareds-xp:0      LISTENING
svchost.exe:976   TCP      jareds-xp:3389i          jareds-xp:0      LISTENING
nxssh.exe:2032    TCP      jareds-xp:11000          jareds-xp:0      LISTENING

netstat (Windows)

Note that this runs quite slowly on Windows.

netstat -bva

Active Connections

Proto  Local Address          Foreign Address        State           PID
TCP    jareds-xp:epmap  jareds-xp.mydomain.com:0  LISTENING       1064
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ADVAPI32.dll
[svchost.exe]

TCP    jareds-xp:microsoft-ds  jareds-xp.mydomain.com:0  LISTENING       4
-- unknown component(s) --
[System]

TCP    jareds-xp:3389  jareds-xp.mydomain.com:0  LISTENING 976
-- unknown component(s) --
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ADVAPI32.dll
[svchost.exe]

TCP    jareds-xp:11000  jareds-xp.mydomain.com:0  LISTENING       2032
[nxssh.exe]

TCP    jareds-xp:3389  jareds-xp.mydomain.com:0  LISTENING 976
-- unknown component(s) --
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ADVAPI32.dll
[svchost.exe]

Comments are closed.