{"id":124,"date":"2008-04-04T10:42:51","date_gmt":"2008-04-04T18:42:51","guid":{"rendered":"http:\/\/jaredrobinson.com\/blog\/?p=124"},"modified":"2009-07-11T04:15:24","modified_gmt":"2009-07-11T04:15:24","slug":"what-programs-are-listening-to-the-network","status":"publish","type":"post","link":"https:\/\/jaredrobinson.com\/blog\/what-programs-are-listening-to-the-network\/","title":{"rendered":"What programs are listening to the network?"},"content":{"rendered":"

Sometimes, I’d like to know what programs on my system are listening to the network, and to quote the Perl motto, “there’s more than one way to do it”. On Linux, there’s `lsof -Pi` and `netstat -p`. On Windows XP and Vista, there’s the built-in `netstat -b[v] -a` and a separate utility called [tcpview](http:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb897437.aspx). I’ve included example usages and outputs.<\/p>\n

__lsof__ (Linux)<\/p>\n

sudo lsof -Pni<\/p>\n

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
\n python 1886 root 4u IPv4 6621 TCP 127.0.0.1:2207 (LISTEN)
\n cupsd 1898 root 3u IPv4 6663 TCP 127.0.0.1:631 (LISTEN)
\n cupsd 1898 root 4u IPv6 6664 TCP [::1]:631 (LISTEN)
\n cupsd 1898 root 6u IPv4 6667 UDP *:631
\n sshd 1912 root 3u IPv4 6711 TCP *:22 (LISTEN)
\n httpd 20084 apache 4u IPv6 7293 TCP *:80 (LISTEN)
\n httpd 20085 apache 4u IPv6 7293 TCP *:80 (LISTEN)
\n httpd 20086 apache 4u IPv6 7293 TCP *:80 (LISTEN)
\n httpd 20087 apache 4u IPv6 7293 TCP *:80 (LISTEN)
\n httpd 20088 apache 4u IPv6 7293 TCP *:80 (LISTEN)
\n httpd 20089 apache 4u IPv6 7293 TCP *:80 (LISTEN)
\n httpd 20090 apache 4u IPv6 7293 TCP *:80 (LISTEN)
\n httpd 20091 apache 4u IPv6 7293 TCP *:80 (LISTEN)<\/p>\n

__netstat__ (Linux)<\/p>\n

sudo netstat -lp –inet –numeric-hosts<\/p>\n

Active Internet connections (only servers)
\n Proto Recv-Q Send-Q Local Address Foreign Address State PID\/Program name
\n tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 1912\/sshd
\n tcp 0 0 127.0.0.1:ipp 0.0.0.0:* LISTEN 1898\/cupsd
\n tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 1886\/python
\n udp 0 0 0.0.0.0:ipp 0.0.0.0:* 1898\/cupsd<\/p>\n

Where’s `httpd`? It should be there, and it is, when I exclude the `–inet` option:<\/p>\n

Proto Recv-Q Send-Q Local Address Foreign Address State PID\/Program name
\n tcp 0 0 :::http :::* LISTEN 2038\/httpd
\n tcp 0 0 ::1:ipp :::* LISTEN 1898\/cupsd<\/p>\n

__TcpView__ (Windows)<\/p>\n

[Download](http:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb897437.aspx) and start TcpView. From the menu, choose File > Save. Here’s the output from the file.<\/p>\n

Process Protocol Local Address Remote Address State
\n svchost.exe:1064 TCP jareds-xp:epmapi jareds-xp:0 LISTENING
\n System:4 TCP jareds-xp:microsoft-ds jareds-xp:0 LISTENING
\n svchost.exe:976 TCP jareds-xp:3389i jareds-xp:0 LISTENING
\n nxssh.exe:2032 TCP jareds-xp:11000 jareds-xp:0 LISTENING<\/p>\n

__netstat__ (Windows)<\/p>\n

Note that this runs quite slowly on Windows.<\/p>\n

netstat -bva<\/p>\n

Active Connections<\/p>\n

Proto Local Address Foreign Address State PID
\n TCP jareds-xp:epmap jareds-xp.mydomain.com:0 LISTENING 1064
\n c:\\windows\\system32\\WS2_32.dll
\n C:\\WINDOWS\\system32\\RPCRT4.dll
\n c:\\windows\\system32\\rpcss.dll
\n C:\\WINDOWS\\system32\\svchost.exe
\n C:\\WINDOWS\\system32\\ADVAPI32.dll
\n [svchost.exe]<\/p>\n

TCP jareds-xp:microsoft-ds jareds-xp.mydomain.com:0 LISTENING 4
\n — unknown component(s) —
\n [System]<\/p>\n

TCP jareds-xp:3389 jareds-xp.mydomain.com:0 LISTENING 976
\n — unknown component(s) —
\n c:\\windows\\system32\\rpcss.dll
\n C:\\WINDOWS\\system32\\svchost.exe
\n C:\\WINDOWS\\system32\\ADVAPI32.dll
\n [svchost.exe]<\/p>\n

TCP jareds-xp:11000 jareds-xp.mydomain.com:0 LISTENING 2032
\n [nxssh.exe]<\/p>\n

TCP jareds-xp:3389 jareds-xp.mydomain.com:0 LISTENING 976
\n — unknown component(s) —
\n c:\\windows\\system32\\rpcss.dll
\n C:\\WINDOWS\\system32\\svchost.exe
\n C:\\WINDOWS\\system32\\ADVAPI32.dll
\n [svchost.exe]<\/p>\n","protected":false},"excerpt":{"rendered":"

Sometimes, I’d like to know what programs on my system are listening to the network, and to quote the Perl motto, “there’s more than one way to do it”. On Linux, there’s `lsof -Pi` and `netstat -p`. On Windows XP and Vista, there’s the built-in `netstat -b[v] -a` and a separate utility called [tcpview](http:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb897437.aspx). I’ve … <\/p>\n

Continue reading “What programs are listening to the network?”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,9,17,18],"tags":[],"class_list":["post-124","post","type-post","status-publish","format-standard","hentry","category-fedora","category-linux","category-tech","category-windows"],"_links":{"self":[{"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/posts\/124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/comments?post=124"}],"version-history":[{"count":1,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/posts\/124\/revisions"}],"predecessor-version":[{"id":392,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/posts\/124\/revisions\/392"}],"wp:attachment":[{"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/media?parent=124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/categories?post=124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/tags?post=124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}