We often need information about a process for troubleshooting and general investigation purposes, but it is not always clear where we can begin to find the things we require. This article covers how to obtain detailed process information by using the process’s listening port number to obtain the PID, and then looking up the PID in procfs.
We generally know the port number used to connect to any network application of interest. We can acquire the process ID of the application by looking up its port number, and then use the PID to find process details in procfs.
This article assumes you are using a Linux-like shell with procfs available. Most Linux and related operating systems have procfs already implemented - if your OS has a /proc directory you can most likely use this method. Windows systems can obtain procfs under Cygwin. OS X does not come with procfs, although there is a way to add it.
Be aware that if you are not running as an owner of the process, you will not have access to some of this information.
To see all listening ports on the machine, run the following command:
netstat -anp | grep -i listen | grep -iv unix
You will see an output similar to this:
...
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:34799 0.0.0.0:* LISTEN 1455/ecmdrAgent
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
...
The fourth column shows the IP address and port a process listens on. Note that we filtered out everything but listening ports. The rightmost column shows the process ID and executable name in the format
We can look for a port we use to connect to the application to obtain a process ID and executable name. To find the line for a specific process, run the following command:
netstat -anp | grep -i listen | grep -iv unix | grep <port>
There is no /proc file system on Mac OS X, at least by default. You can still find a process listening on a given port using:
sudo lsof -i :<port>
The output will look something like this:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Python 49584 otsvinev 3u IPv4 0xe673a3039aad2c19 0t0 TCP *:8666 (LISTEN)
Once we have the process ID, we can obtain extra information about the process using the /proc directory. The directory for any process is located at /proc/<PID>. To see what’s in the directory of a process, run:
ls -lah /proc/<PID>
Some potentially relevant files and directories in
- cmdline - Command line arguments for the process
- environ - Values of environment variables
- fd - Directory containing all file descriptors used by the process
- limits - Displays the soft limit, hard limit, and units of measurement for each of the process’s resource limits
You can check the proc man page by running man proc on your machine for more detailed information on the files and directories under
The contents of these files can be viewed using your favorite Linux file output command, such as
We will use the Flow server as an example; you can apply this to any agent or other network process as well. We know that by default the Flow server listens on port 8000, so we run:
netstat -anp | grep -i listen | grep -iv unix | grep 8000
We get the following output:
tcp6 0 0 :::8000 :::* LISTEN 970/java
We can see that in this case, 970 is the PID of our application.
Using the previous PID we obtained, we run:
ls -lah /proc/970
Here is a partial output:
...
dr-xr-xr-x 2 vagrant vagrant 0 Feb 17 18:04 attr
-rw-r--r-- 1 vagrant vagrant 0 Feb 17 18:04 autogroup
-r-------- 1 vagrant vagrant 0 Feb 17 18:04 auxv
-r--r--r-- 1 vagrant vagrant 0 Feb 17 18:04 cgroup
--w------- 1 vagrant vagrant 0 Feb 17 18:04 clear_refs
-r--r--r-- 1 vagrant vagrant 0 Feb 17 17:36 cmdline
...
You can use the following command to format the content outputs of environ to something more readable. This will split command line parameters and environment variables to present one parameter or variable per line:
cat /proc/<PID>/environ | sed -e s/\\x00/\\n/g
xargs --null --max-args=1 echo < /proc/<PID>/environ
To see all files, pipes and sockets opened by the process, which are stored in directory
ls -la /proc/<PID>/fd
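The same port-to-PID lookup can be done from procfs alone, which is where netstat -p gets its data. The script below is an added example, not part of the original article: it goes one step beyond the netstat commands above by reading the socket tables in /proc/net/tcp and /proc/net/tcp6 and matching socket inodes against the fd directory of each process. The function names and the PROC_ROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: resolve a listening TCP port to its PID(s) using procfs only.
# PROC_ROOT is an assumption of this example; it lets the functions be pointed
# at a copy of a proc tree (for testing or offline analysis) instead of /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the socket inode of every TCP socket in LISTEN state on port $1.
listen_inodes() {
    hexport=$(printf '%04X' "$1")
    for tbl in "$PROC_ROOT/net/tcp" "$PROC_ROOT/net/tcp6"; do
        [ -r "$tbl" ] || continue
        # Field 2 = local address as HEXIP:HEXPORT, field 4 = state
        # (0A is LISTEN), field 10 = socket inode. NR > 1 skips the header.
        awk -v p=":$hexport" \
            'NR > 1 && $4 == "0A" && substr($2, length($2) - 4) == p { print $10 }' "$tbl"
    done
}

# Print the PID of every process holding a descriptor for one of those inodes.
# fd entries are symlinks whose target reads "socket:[<inode>]".
pids_for_port() {
    for inode in $(listen_inodes "$1"); do
        for fd in "$PROC_ROOT"/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pid=${fd#"$PROC_ROOT"/}
            echo "${pid%%/*}"
        done
    done | sort -un
}

# Print a NUL-separated procfs file (cmdline or environ) one entry per line.
# $1 = PID, $2 = file name under the PID directory.
show_nul_file() {
    tr '\0' '\n' < "$PROC_ROOT/$1/$2"
}

# When called with a port number, print the owning PID(s).
if [ $# -ge 1 ]; then
    pids_for_port "$1"
fi
```

Run it as root or as the owner of the process: fd directories of other users' processes are unreadable and are silently skipped, so no PID is printed for them.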
- Product versions: All
- OS versions: Linux