Service detection on a Unix box with lsof
# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
syslogd 80 root 1u inet 0x00093214 0t0 UDP *:syslog
portmap 111 bin 3u inet 0x019ec60c 0t0 UDP *:sunrpc
portmap 111 bin 4u inet 0x019ec410 0t0 TCP *:sunrpc
ypbind 127 root 4u inet 0x00093dfc 0t0 UDP *:728
ypbind 127 root 5u inet 0x019ec808 0t0 TCP *:730
ypbind 129 root 4u inet 0x00093dfc 0t0 UDP *:728
ypbind 129 root 5u inet 0x019ec808 0t0 TCP *:730
ypbind 129 root 8u inet 0x00de760c 0t0 UDP *:737
inetd 138 root 4u inet 0x019ec018 0t0 TCP *:echo
inetd 138 root 5u inet 0x019eca04 0t0 UDP *:echo
inetd 138 root 6u inet 0x019ecc00 0t0 TCP *:discard
inetd 138 root 7u inet 0x019ecdfc 0t0 UDP *:discard
inetd 138 root 8u inet 0x018f1018 0t0 TCP *:daytime
inetd 138 root 9u inet 0x018f1214 0t0 UDP *:daytime
inetd 138 root 10u inet 0x018f1410 0t0 TCP *:chargen
inetd 138 root 11u inet 0x018f160c 0t0 UDP *:chargen
inetd 138 root 12u inet 0x018f1808 0t0 TCP *:ftp
inetd 138 root 13u inet 0x018f1a04 0t0 TCP *:telnet
inetd 138 root 14u inet 0x018f1c00 0t0 TCP *:gopher
inetd 138 root 15u inet 0x018f1dfc 0t0 TCP *:shell
inetd 138 root 16u inet 0x0191f018 0t0 TCP *:login
inetd 138 root 17u inet 0x0191f214 0t0 TCP *:exec
inetd 138 root 18u inet 0x0191f410 0t0 UDP *:talk
inetd 138 root 19u inet 0x0191f60c 0t0 UDP *:ntalk
inetd 138 root 20u inet 0x0191f808 0t0 TCP *:pop-2
inetd 138 root 21u inet 0x0191fa04 0t0 TCP *:pop-3
inetd 138 root 22u inet 0x0191fc00 0t0 TCP *:imap
inetd 138 root 23u inet 0x0191fdfc 0t0 TCP *:finger
inetd 138 root 24u inet 0x018fd018 0t0 TCP *:time
inetd 138 root 25u inet 0x018fd214 0t0 UDP *:time
rpc.mount 149 root 0u inet 0x018fddfc 0t0 UDP *:754
rpc.mount 149 root 3u inet 0x018fd60c 0t0 UDP *:749
rpc.mount 149 root 4u inet 0x018fd808 0t0 TCP *:751
rpc.nfsd 158 root 0u inet 0x018b5214 0t0 UDP *:763
rpc.nfsd 158 root 3u inet 0x018fda04 0t0 UDP *:nfs
rpc.nfsd 158 root 4u inet 0x018fdc00 0t0 TCP *:2049
amd 173 root 4u inet 0x018b5a04 0t0 UDP *:1023
amd 173 root 5u inet 0x018b5c00 0t0 UDP *:774
amd 173 root 6u inet 0x018b5dfc 0t0 UDP *:1022
amd 173 root 7u inet 0x0188d410 0t0 UDP *:778
exim 182 exim 0u inet 0x0188dc00 0t0 TCP *:smtp
xdm 202 root 4u inet 0x016f4a04 0t0 UDP *:177
xdm 202 root 5u inet 0x016f4c00 0t0 TCP *:1100
X 206 root 0u inet 0x016f4dfc 0t0 TCP *:6000
X 206 root 5u inet 0x016f4c00 0t0 TCP *:1100
X 206 root 7u inet 0x012b7dfc 0x2baefcf7 TCP medusa.csi.cam.ac.uk:6000->ursa.cus.cam.ac.uk:49116
X 206 root 9u inet 0x0124d60c 0x7111afc7 TCP localhost:6000->localhost:1118
X 206 root 10u inet 0x0124d214 0x29c3392b TCP localhost:6000->localhost:1119
X 206 root 11u inet 0x0124da04 0xdf1bf845 TCP medusa.csi.cam.ac.uk:6000->taurus.cus.cam.ac.uk:48174
X 206 root 12u inet 0x0124d808 0xc6bf0e48 TCP localhost:6000->localhost:1121
X 206 root 13u inet 0x0124dc00 0x4ccc7bd3 TCP medusa.csi.cam.ac.uk:6000->taurus.cus.cam.ac.uk:48219
X 206 root 14u inet 0x012b7214 0x65327911 TCP medusa.csi.cam.ac.uk:6000->griffin.csi.cam.ac.uk:57761
X 206 root 15u inet 0x018b5410 0xbf857bc TCP medusa.csi.cam.ac.uk:6000->taurus.cus.cam.ac.uk:48415
X 206 root 16u inet 0x0124d018 0x1e9ab33e TCP medusa.csi.cam.ac.uk:6000->nymph.csi.cam.ac.uk:38624
X 206 root 17u inet 0x012b7c00 0x92c0298 TCP medusa.csi.cam.ac.uk:6000->nymph.csi.cam.ac.uk:38639
X 206 root 18u inet 0x012b7808 0x833c065e TCP medusa.csi.cam.ac.uk:6000->griffin.csi.cam.ac.uk:57781
X 206 root 19u inet 0x012b7a04 0xf9b24ac2 TCP localhost:6000->localhost:1193
xdm 207 root 5u inet 0x016f4c00 0t0 TCP *:1100
xdm 207 root 6u inet 0x01609dfc 0t0 UDP *:808
xconsole 212 root 5u inet 0x016f4c00 0t0 TCP *:1100
.xsession 215 rjd4 5u inet 0x016f4c00 0t0 TCP *:1100
.xsession 215 rjd4 6u inet 0x01609dfc 0t0 UDP *:808
xclock 250 rjd4 3u inet 0x01609808 0x4d381449 TCP localhost:1118->localhost:6000
fvwm 251 rjd4 3u inet 0x012b7018 0xbf0bf416 TCP localhost:1119->localhost:6000
fvwm 251 rjd4 5u inet 0x016f4c00 0t0 TCP *:1100
fvwm 251 rjd4 6u inet 0x01609dfc 0t0 UDP *:808
FvwmPager 253 rjd4 3u inet 0x0124d410 0x573fd21c TCP localhost:1121->localhost:6000
FvwmPager 253 rjd4 5u inet 0x016f4c00 0t0 TCP *:1100
FvwmPager 253 rjd4 6u inet 0x01609dfc 0t0 UDP *:808
xterm 419 rjd4 3u inet 0x019ec214 0x5ad1421f TCP localhost:1193->localhost:6000
xterm 419 rjd4 5u inet 0x016f4c00 0t0 TCP *:1100
xterm 419 rjd4 6u inet 0x01609dfc 0t0 UDP *:808
su 428 root 3u inet 0x012b7410 0t0 UDP *:605
Now that was every single network connection on the system. We are only interested in the listeners. These show up as *: followed by the port number or service name if known. If we look for those lines containing *: we can restrict output to just the listeners.
# lsof -i | grep '*:'
syslogd 80 root 1u inet 0x00093214 0t0 UDP *:syslog
portmap 111 bin 3u inet 0x019ec60c 0t0 UDP *:sunrpc
portmap 111 bin 4u inet 0x019ec410 0t0 TCP *:sunrpc
ypbind 127 root 4u inet 0x00093dfc 0t0 UDP *:728
ypbind 127 root 5u inet 0x019ec808 0t0 TCP *:730
ypbind 129 root 4u inet 0x00093dfc 0t0 UDP *:728
ypbind 129 root 5u inet 0x019ec808 0t0 TCP *:730
ypbind 129 root 8u inet 0x00de760c 0t0 UDP *:737
inetd 138 root 4u inet 0x019ec018 0t0 TCP *:echo
inetd 138 root 5u inet 0x019eca04 0t0 UDP *:echo
inetd 138 root 6u inet 0x019ecc00 0t0 TCP *:discard
inetd 138 root 7u inet 0x019ecdfc 0t0 UDP *:discard
inetd 138 root 8u inet 0x018f1018 0t0 TCP *:daytime
inetd 138 root 9u inet 0x018f1214 0t0 UDP *:daytime
inetd 138 root 10u inet 0x018f1410 0t0 TCP *:chargen
inetd 138 root 11u inet 0x018f160c 0t0 UDP *:chargen
inetd 138 root 12u inet 0x018f1808 0t0 TCP *:ftp
inetd 138 root 13u inet 0x018f1a04 0t0 TCP *:telnet
inetd 138 root 14u inet 0x018f1c00 0t0 TCP *:gopher
inetd 138 root 15u inet 0x018f1dfc 0t0 TCP *:shell
inetd 138 root 16u inet 0x0191f018 0t0 TCP *:login
inetd 138 root 17u inet 0x0191f214 0t0 TCP *:exec
inetd 138 root 18u inet 0x0191f410 0t0 UDP *:talk
inetd 138 root 19u inet 0x0191f60c 0t0 UDP *:ntalk
inetd 138 root 20u inet 0x0191f808 0t0 TCP *:pop-2
inetd 138 root 21u inet 0x0191fa04 0t0 TCP *:pop-3
inetd 138 root 22u inet 0x0191fc00 0t0 TCP *:imap
inetd 138 root 23u inet 0x0191fdfc 0t0 TCP *:finger
inetd 138 root 24u inet 0x018fd018 0t0 TCP *:time
inetd 138 root 25u inet 0x018fd214 0t0 UDP *:time
inetd 138 root 26u inet 0x018fd410 0t0 UDP *:re-mail-ck
rpc.mount 149 root 0u inet 0x018fddfc 0t0 UDP *:754
rpc.mount 149 root 3u inet 0x018fd60c 0t0 UDP *:749
rpc.mount 149 root 4u inet 0x018fd808 0t0 TCP *:751
rpc.nfsd 158 root 0u inet 0x018b5214 0t0 UDP *:763
rpc.nfsd 158 root 3u inet 0x018fda04 0t0 UDP *:nfs
rpc.nfsd 158 root 4u inet 0x018fdc00 0t0 TCP *:2049
amd 173 root 4u inet 0x018b5a04 0t0 UDP *:1023
amd 173 root 5u inet 0x018b5c00 0t0 UDP *:774
amd 173 root 6u inet 0x018b5dfc 0t0 UDP *:1022
amd 173 root 7u inet 0x0188d410 0t0 UDP *:778
exim 182 exim 0u inet 0x0188dc00 0t0 TCP *:smtp
xdm 202 root 4u inet 0x016f4a04 0t0 UDP *:177
xdm 202 root 5u inet 0x016f4c00 0t0 TCP *:1100
X 206 root 0u inet 0x016f4dfc 0t0 TCP *:6000
X 206 root 5u inet 0x016f4c00 0t0 TCP *:1100
xdm 207 root 5u inet 0x016f4c00 0t0 TCP *:1100
xdm 207 root 6u inet 0x01609dfc 0t0 UDP *:808
xconsole 212 root 5u inet 0x016f4c00 0t0 TCP *:1100
.xsession 215 rjd4 5u inet 0x016f4c00 0t0 TCP *:1100
.xsession 215 rjd4 6u inet 0x01609dfc 0t0 UDP *:808
fvwm 251 rjd4 5u inet 0x016f4c00 0t0 TCP *:1100
fvwm 251 rjd4 6u inet 0x01609dfc 0t0 UDP *:808
FvwmPager 253 rjd4 5u inet 0x016f4c00 0t0 TCP *:1100
FvwmPager 253 rjd4 6u inet 0x01609dfc 0t0 UDP *:808
xterm 419 rjd4 5u inet 0x016f4c00 0t0 TCP *:1100
xterm 419 rjd4 6u inet 0x01609dfc 0t0 UDP *:808
su 428 root 3u inet 0x012b7410 0t0 UDP *:605
lsof identifies the program (first column), the process id (second column), the owner of the program (third column) and the port in use (last two columns). The other columns are not relevant to this discussion. Note that all the services that are started up by inetd are identified as such.
Getting lsof
lsof is an awesomely useful program. Therefore it should come as no surprise that no vendor ships it as standard and you have to compile it yourself. The latest release is always available by FTP from vic.cc.purdue.edu in the directory /pub/tools/unix/lsof. Unix Support can help with its compilation if you have difficulties.
