How to easily identify socket given a PID on Linux?

mohtashims · April 5, 2017, 6:57pm

I have the PID of a process running on Linux mymac 2.6.18-417.el5 #1 SMP Sat Nov 19 14:54:59 EST 2016 x86_64 x86_64 x86_64 GNU/Linux

I need to get the ip & port i.e socket details of the given PID (32752).

Based on a suggestion on my other thread i tried

bash-3.2$ netstat -anpt | grep ESTABLISHED | grep 32752
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 ::ffff:10.2.228.77:52567    ::ffff:10.2.228.77:14000    ESTABLISHED 32752/java
tcp        0      0 ::ffff:10.2.228.31:38504    ::ffff:10.2.228.50:1528     ESTABLISHED 32752/java
tcp        0      0 ::ffff:10.2.228.31:36035    ::ffff:192.168.28.76:1521   ESTABLISHED 32752/java
tcp        0      0 ::ffff:10.2.228.31:35963    ::ffff:192.168.28.76:1521   ESTABLISHED 32752/java

Based on the output i m not able to figure out which output has the correct socket information as there are multiple entries in the output.

I will also appreciate other easier solutions but i do not wish to use lsof

DukeNuke2 · April 5, 2017, 7:12pm

I don't get this post... You say "Solaris" but the uname output says "Linux". And the question is posted in "Shell Programming and Scripting". Something is a little off here...

mohtashims · April 5, 2017, 7:22pm

Can you change the title to Linux ? Solaris is a typo

drysdalk · April 5, 2017, 7:55pm

Hi,

My take on this would be that all the socket information is correct. A process can have multiple network connections open simultaneously. It can also contain multiple threads within itself, which can themselves have multiple connections open, and so on. So in this case, the process with PID 32752 has all four of those connections open.

mohtashims · April 6, 2017, 1:12am

The process is configured to Listen to only one socket that we connect to using WLST scripts.

Just they way on Solaris gives only one socket for the same Java process using this command

/usr/bin/pfiles $pid 2>/dev/null | /usr/bin/grep AF_INET

I m looking for an equivalent command that gives me single socket information just as the above.

Please suggest.

drysdalk · April 6, 2017, 3:22am

Hi,

Ah, you want to check the listening sockets in that case. That's not what you're doing here. You're looking at all established sockets - in other words, connections between your system and another system.

For listening sockets, the netstat syntax you want is netstat -lnpt , and not netstat -anpt (and of course you don't want to be doing a grep ESTABLISHED either). That will show you just the sockets that are open and listening for incoming connections on your local system.

Hope this helps !

mohtashims · April 6, 2017, 5:41am

This is better but can you tell me how can i extract the ip and port as the output varies from Process to process.

For PID=32538 below is what i get as an ouput

bash-3.2$ netstat -lnpt | grep 32538
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:7666                0.0.0.0:*                   LISTEN      32538/java
tcp        0      0 ::ffff:10.2.228.79:13804    :::*                        LISTEN      32538/java
tcp        0      0 :::38970                    :::*                        LISTEN      32538/java

First Question: Out of the listings above how can i grep for just the ip and port i.e. in this case 10.2.228.79 & 13804 which is the correct ip port we specified in the configuration. I wish i could ignore the other listings in the output above.

Second question: will fd be a better alternative ? if yes, can you tell me how can i get the listen ip & port from fd command?

drysdalk · April 6, 2017, 6:29am

Hi,

The difficult part here would be coming up with a generic solution, since what you need from each netstat output would appear to depend on actual human knowledge of which of the listening ports is the 'correct' one. From a technical perspective, they all are: PID 32538 really is listening on ports 7666 and 38970 on all bound IPs, and on port 13804 on the IP 10.2.228.79 specifically.

So aside from you knowing which of these is the one you want, you'd need some way of identifying something that the ports you're after will actually always have in common, if you want a generic scriptable run-one-command-and-get-the-answer solution. Is there something you would always look for or which would be scriptably identifiable as the signifier of which port was the 'correct' one ? If so, then if you can give a bit more detail we may be able to narrow this down further.

As for the fd command - I've never heard of that one, sorry. Doesn't seem to either be installed or to be an option for installation on any Linux or Solaris system I currently have access to.

drl · April 6, 2017, 11:25am

Hi.

Perhaps:

NAME
       fd - file & directory maintenance tool

SYNOPSIS
       fd  [ -abCefhiklmNnPrSsTtuvx ] [ -NAME=value ] [ directory [ directory2
       ...  ]]
       fdsh [ -abCcefhiklmNnPrSsTtuvx ] [ args ]

DESCRIPTION
       Fd is a file & directory maintenance tool considered for the text  ter-
       minals  on general UNIX.  It aims for a clone of the same named utility
       which is made for the PC/AT compatible machine and PC-9800 series.   In
       fact, it is upper compatible functionally.

See Debian package fdclone:

fd      file & directory maintenance tool (man)
Path    : /usr/bin/fd
Version : - ( /usr/bin/fd, 2014-08-03 )
Type    : ELF 64-bit LSB executable, x86-64, version 1 (SYSV ...)
Help    : probably available with -h

For a system like:

OS, ker|rel, machine: Linux, 3.16.0-4-amd64, x86_64
Distribution        : Debian 8.7 (jessie)

Best wishes ... cheers, drl