Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
https://forum.ivorde.com/

FreeBSD find pid that opened TCP/UDP socket without lsof using address of protocol control block (PCB)
https://forum.ivorde.com/freebsd-find-pid-that-opened-tcp-udp-socket-without-lsof-using-address-of-protocol-control-block-pcb-t15891.html

Author:  mandrei99 [ Wed Dec 11, 2013 4:56 am ]

lsof (list open files) is a useful tool coming from the Linux world that can show file descriptors, socket information and much more. It is not part of the default FreeBSD install, but it can be installed from ports or from source.

If "lsof" is not installed, another way to find the ID of the process that opened a TCP or UDP socket is to use the address of the Protocol Control Block (PCB) together with the "netstat" and "fstat" commands, which are both part of the FreeBSD base system.

Find the PCB of an open port using netstat:
Code:
# netstat -Aanf inet | grep 22
c2de3910 tcp4       0      0 *.22               *.*                LISTEN


The output shows the PCB address, protocol, receive/send queues, local address and foreign address.

Now let's find the process associated with this PCB:
Code:
# fstat | grep c2de3910
root     sshd       87382    3* internet stream tcp c2de3910
# ps alxw | grep -v grep | grep  87382
    0 68846 87382   0  44  0  8344  2928 select Ss    ??    0:00.16 sshd: root@ttyp0 (sshd)
    0 70595 87382   0  44  0  8344  2928 select Ss    ??    0:00.24 sshd: root@ttyp1 (sshd)
    0 87382     1   0  44  0  5784  2184 select Is    ??    0:01.96 /usr/sbin/sshd


Obviously, SSH.
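
The two lookups above can be joined in one sh function that matches the port exactly, since a plain "grep 22" also matches port 2222 or a PCB address that contains 22. This is an added example, not part of the original post: the function names and every sample row except the sshd line are constructed, and the column layout is assumed to be the one shown in the output above.

```sh
#!/bin/sh
# Added example: join `netstat -Aan` and `fstat` on the PCB address.

# Read `netstat -Aan` output on stdin; print the PCB address (column 1)
# of each TCP/UDP socket whose local port is exactly $1.
pcbs_for_port() {
    awk -v port="$1" '
        $2 ~ /^(tcp|udp)/ {
            n = split($5, part, ".")        # local address is "addr.port"
            if (part[n] == port) print $1
        }'
}

# Read `fstat` output on stdin; print "pid command user proto" for each
# internet socket row whose last column is the PCB address $1.
owners_for_pcb() {
    awk -v pcb="$1" '$5 == "internet" && $NF == pcb { print $3, $2, $1, $7 }'
}

# port_owner PORT NETSTAT_TEXT FSTAT_TEXT
# Live use on FreeBSD: port_owner 22 "$(netstat -Aan)" "$(fstat)"
port_owner() {
    for pcb in $(printf '%s\n' "$2" | pcbs_for_port "$1"); do
        printf '%s\n' "$3" | owners_for_pcb "$pcb"
    done | sort -u
}

# Constructed sample input: the port 22 / PID 87382 sshd rows are from the post,
# the other rows are made up so that a plain "grep 22" would match them too.
SAMPLE_NETSTAT='Tcpcb    Proto Recv-Q Send-Q Local Address      Foreign Address    (state)
c2de3910 tcp4       0      0 *.22               *.*                LISTEN
c2de2210 tcp4       0      0 *.25               *.*                LISTEN
c2de4000 tcp4       0      0 *.2222             *.*                LISTEN'
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     sshd       87382    3* internet stream tcp c2de3910
root     sendmail     912    4* internet stream tcp c2de2210
root     sshd       90001    3* internet stream tcp c2de4000'

port_owner 22 "$SAMPLE_NETSTAT" "$SAMPLE_FSTAT"
```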

All times are UTC - 5 hours [ DST ]