Summary
We often need information about a process for troubleshooting and general investigation purposes, but it is not always clear where we can begin to find the things we require. This article covers how to obtain detailed process information by using the process’s listening port number to obtain the PID, and then looking up the PID in procfs.
Solution
We generally know the port number used to connect to any network application of interest. We can acquire the process ID of the application by looking up its port number, and then use the PID to find process details in procfs.
This article assumes you are using a Linux-like shell with procfs available. Most Linux and related operating systems have procfs already implemented - if your OS has a /proc directory you can most likely use this method. Windows systems can obtain procfs under Cygwin. OS X does not come with procfs, although there is a way to add it.
Acquiring the PID via port number
Be aware that if you are not running as an owner of the process, you will not have access to some of this information.
To see all listening ports on the machine, run the following command:
netstat -anp | grep -i listen | grep -iv unix
You will see an output similar to this:
...
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:34799 0.0.0.0:* LISTEN 1455/ecmdrAgent
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
...
The fourth column shows IP address and port a process listens to. Note that we filtered out everything but listening ports. The rightmost column shows the process ID and executable name in the format PID/name.
We can look for a port we use to connect to the application to obtain a process ID and executable name. To find the line for a specific process, run the following command:
netstat -anp | grep -i listen | grep -iv unix | grep
Mac
There is no /proc file system on Mac OS X, at least by default. You can still find a process listening on a given port using lsof:
sudo lsof -i :
The output will look something like this:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Python 49584 otsvinev 3u IPv4 0xe673a3039aad2c19 0t0 TCP *:8666 (LISTEN)
Obtaining information from the /proc directory
Once we have the process ID, we can obtain extra information about the process using the /proc directory. The directory for any process is located at /proc/. To see what’s in the directory of a process, run:
ls -lah /proc/
Some potentially relevant files and directories in /proc/ are:
cmdline- Command line arguments for the processenviron- Values of environment variablesfd- Directory containing all file descriptors used by the processlimits- Displays the soft limit, hard limit, and units of measurement for each of the process’s resource limits
You can check the proc man page by running man proc on your machine for more detailed information on the files and directories under /proc.
The contents of these files can be viewed using your favorite Linux file output command, such as cat or less.
Examples
Obtaining PID
We will use the Flow server as an example; you can apply this to any agent or other network process as well. We know that by default the Flow server listens on port 8000, so we run:
netstat -anp | grep -i listen | grep -iv unix | grep 8000
We get the following output:
tcp6 0 0 :::8000 :::* LISTEN 970/java
We can see that in this case, 970 is the PID of our application.
Viewing /proc files
Using the previous PID we obtained, we run:
ls -lah /proc/970
Here is a partial output:
...
dr-xr-xr-x 2 vagrant vagrant 0 Feb 17 18:04 attr
-rw-r--r-- 1 vagrant vagrant 0 Feb 17 18:04 autogroup
-r-------- 1 vagrant vagrant 0 Feb 17 18:04 auxv
-r--r--r-- 1 vagrant vagrant 0 Feb 17 18:04 cgroup
--w------- 1 vagrant vagrant 0 Feb 17 18:04 clear_refs
-r--r--r-- 1 vagrant vagrant 0 Feb 17 17:36 cmdline
...
You can use the following command to format the content outputs of cmdline or environ to something more readable. This will split command line parameters and environment variables to present one parameter or variable per line:
cat /proc// | sed -e s/\\x00/\\n/g
or
xargs --null --max-args=1 echo < /proc//
To see all files, pipes and sockets opened by the process, which are stored in directory /proc//fd, run:
ls -la /proc//fd
Applies to
- Product versions: All
- OS versions: Linux
0 Comments