SUMMARY: Investigating processes on open ports

From: Mumdziev, Marijan
Date: Wed Dec 13 2006 - 12:15:32 EST

Hello all,

Here is the summary for the issue: "Investigating processes on open ports".
The following expressions can be used in order to solve this problem:

	Listing all the pids:
		/usr/bin/ps -ef | sed 1d | awk '{print $2}'

	Mapping the files to ports using the PID:
		/usr/proc/bin/pfiles <PID> 2>/dev/null | /usr/xpg4/bin/grep <PID>
		/usr/bin/ps -o pid -o args -p <PID> | sed 1d

	Mapping the sockname to port using the port number:
		for i in `ps -e|awk '{print $1}'`; do echo $i; pfiles $i 2>/dev/null | grep 'port: 8080'; done
		pfiles -F /proc/* | nawk '/^[0-9]+/ { proc=$2} ; /[s]ockname: AF_INET/ { print proc "\n " $0 }'

	There were two explanations why "lsof" did not show, what was

		1) One thing that might prevent lsof from printing everything is if the ports are controlled by inetd
		   or some such (i.e. there is nothing actively listening on them until you try talking to them).

		   Also, try telnetting to the port and then run lsof while the telnet session is connected.

		2) On Solaris 10, using "lsof -i" to show mapping of processes to TCP ports incorrectly shows all
		   processes that have a socket open as using port 65535, for example:

			sshd       8005   root    8u  IPv4 0x60007ebdac0  0t0  TCP *:65535
			sendmail   1116   root    5u  IPv4 0x60007ecce00  0t0  TCP *:65535

		   This is a known bug in lsof that can _not_ be fixed because of differences between Solaris 10
		   and previous versions. So the useful "lsof -i :<port>" is now not useful.

Many thanks to all of you who gave prompt and useful advice.

Kind Regards,
Marijan Mumdziev

From: on behalf of Mumdziev, Marijan
Sent: Tue 12/12/2006 11:58
Subject: Investigating processes on open ports


I was installing jboss 3.2.6. on Solaris 10 SPARC (Sun Netra 100). After
installation jboss could not start as some of the needed ports were
already opened. I tried to evaluate who uses the open ports with
following steps:

1) Jboss reports that it needs three ports which are already in use:
1098, 4444, 8080.

2) I try to telnet to these ports and I see that really some process is
listening on these ports.

3) I am using netstat to gain some more information about listener on
specific ports: 8080, 4444, 1098. This is what I get:

bash# netstat -an|grep 8080
*.8080 *.* 0 0 49152 0 LISTEN
bash# netstat -an|grep 4444
*.4444 *.* 0 0 49152 0 LISTEN
bash# netstat -an|grep 1098
*.1098 *.* 0 0 49152 0 LISTEN

4) I am trying to find out a little bit more with command
/usr/local/bin/lsof -i :8080 (4444, 1098), but I do not get any output
for these ports.

5) Now I am checking configuration files under /etc and I am searching
for configuration file that contains string 4444 or 1098. I do not
execute the check for 8080 port, as in the meantime I have found out
that this port is used by Oracle-MTS.

I am using following command:
bash# find . -name '*' -a -type f -exec grep 1098 \{} \;

I do not get any output, meaning, no configuration file contains strings
which could lead me to some connection to our ports.

6) For the port 1098, I think it is used by sun cluster manager
rmiactivation, but I am not sure. Could be Oracle uses this port as

Nevertheless, I did not get any information about the process which uses
these open ports. Eventually I got an impression that all three ports
are used by Oracle 10g.
How will I find out more information about which process (PID) is
currently using these open ports?

Thank you very much for your prompt answer.
Best regards,

Marijan Mumdziev

P.S. "I need to get this machine working as soon as possible. Please
help!  Send email and I will summarize to the list. :)"
sunmanagers mailing list
Received on Wed Dec 13 12:16:36 2006
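
Added example (not part of the original posts): a filter for pfiles-style output that reports which PID and command own a given local port. Unlike the grep 'port: 8080' loop in the summary, it matches the port number exactly and only on sockname lines, so a process that is merely connected to that port is not reported. The function names, sample PIDs and commands are constructed for illustration, and the sample text is modelled on the pfiles output layout so the script runs without Solaris.

```sh
#!/bin/sh
# port_owners PORT
# Reads pfiles-style output on stdin and prints "PID<TAB>command" once for
# every process that has a socket bound locally to PORT.
port_owners() {
    awk -v port="$1" '
        # Process header line, e.g. "2301:  /opt/app/bin/listenerd -c app.conf"
        /^[0-9]+:/ {
            pid = $1; sub(/:$/, "", pid)
            cmd = $0; sub(/^[0-9]+:[ \t]*/, "", cmd)
            next
        }
        # Local endpoint only: peername lines describe the remote side.
        $1 == "sockname:" && $2 ~ /^AF_INET6?$/ {
            for (i = 3; i < NF; i++)
                if ($i == "port:" && $(i + 1) == port && !seen[pid]++)
                    print pid "\t" cmd
        }
    '
}

# Constructed sample input (hypothetical PIDs and commands).
sample_pfiles() {
cat <<'EOF'
1116:  /usr/lib/sendmail -bd -q15m
  Current rlimit: 256 file descriptors
   5: S_IFSOCK mode:0666 dev:332,0 ino:40210 uid:0 gid:0 size:0
      O_RDWR
        SOCK_STREAM
        sockname: AF_INET 0.0.0.0  port: 25
2301:  /opt/app/bin/listenerd -c app.conf
  Current rlimit: 1024 file descriptors
   7: S_IFSOCK mode:0666 dev:332,0 ino:51877 uid:100 gid:100 size:0
      O_RDWR
        SOCK_STREAM
        sockname: AF_INET 0.0.0.0  port: 8080
   8: S_IFSOCK mode:0666 dev:332,0 ino:51878 uid:100 gid:100 size:0
      O_RDWR
        SOCK_STREAM
        sockname: AF_INET6 ::  port: 8080
2410:  /opt/app/bin/client
  Current rlimit: 256 file descriptors
   4: S_IFSOCK mode:0666 dev:332,0 ino:60233 uid:101 gid:101 size:0
      O_RDWR
        SOCK_STREAM
        sockname: AF_INET 127.0.0.1  port: 18080
        peername: AF_INET 127.0.0.1  port: 8080
EOF
}

# Stand-alone run on the constructed sample.
sample_pfiles | port_owners 8080
```

On a Solaris host the same function can be fed the output of the pfiles commands from the summary in place of sample_pfiles.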
