Score:6

How to find out what service is listening on a specific port of an Ubuntu server without a process id?


I have decided to post this question even though there are a lot of similar questions, but none of them answered mine.

  1. I periodically check the ports my server listens to.
  2. My Ubuntu OS, by the output of `lsb_release -a`:
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:    20.04
Codename:   focal
  3. I run the command `netstat -tulpn4` and the output shows an unknown port:
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      580/systemd-resolve 
tcp        0      0 0.0.0.0:62176           0.0.0.0:*               LISTEN      900/sshd: /usr/sbin 
tcp        0      0 0.0.0.0:1122            0.0.0.0:*               LISTEN      1158/sshd: username    
tcp        0      0 0.0.0.0:3333            0.0.0.0:*               LISTEN      1158/sshd: username    
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           580/systemd-resolve 
udp        0      0 X.X.X.X:1194           0.0.0.0:*                           870/openvpn         
  4. I have used many tools and guides to find out why my server is listening on port 51820 without finding an answer.
  5. I have tried:
    • sudo lsof -i :51820 - and got an empty output.
    • sudo netstat -ltnp | grep -w ':51820' - and got an empty output.
    • sudo fuser 51820/udp - and got an empty output.
    • sudo netstat -peanut | grep ":51820" - the output is:
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           0          26262      -                   
udp6       0      0 :::51820                :::*                                0          26263      - 
    • sudo ss -nlp | grep 51820 - the output is:
udp     UNCONN   0        0                                             0.0.0.0:51820                                             0.0.0.0:*                                                                                                     
udp     UNCONN   0        0                                                [::]:51820                                                [::]:*  
  6. I have looked at the following answers and did not find a solution:

After searching the web about port 51820, I found out that it is the "wireguard" I have installed that's listening on that port, but the question remains the same, as with every command I have tried I could not find that out.

anx
related: [wireguard not listening on port](https://serverfault.com/questions/1015322/the-wireguard-not-listening-on-port-after-started)
CrazyTux
@anx thanks for your comment. My "wireguard" service is working fine, and still the answers in the related post are not solving my problem of detecting the process that causes the specific port listening by a terminal command.
djdomi
Then update the question to be more specific. You are walking around the issue you want to have solved.
CrazyTux
How can I be more specific? I am really trying to get an answer to the question title, and I have listed all the solutions I have already tried.
Score:5

You're running an operating system that implements Wireguard as a kernel module. Your kernel is listening on this port, and since there's no process owning that socket, no PID is reported by netstat.

Michael Hampton
How do you find out which kernel service is listening to that port?
Peter Zhabin
I once spent quite some time digging through the kernel code to find out if there is a way to do so, and found out that the kernel records a reference to the module owning a socket in the kernel socket's `proto_ops` field, but I'm not aware of any userland tools that could dump it.
CrazyTux
Your answer is great and helped a lot. If you find out how to dump those kernel sockets and edit that into your answer, I will approve it; I voted up for the informative answer.
Michael Hampton
@CrazyTux I also looked at this and found out that the kernel does not export this information to userland. I do not think it is possible unless a kernel update provides the functionality somehow.
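
The diagnosis in this answer can be confirmed by elimination. The following is an added example, not code from the answer's author: it maps a port to its socket inode (the 26262 column in the question's `netstat -peanut` output) and then looks for any process holding that inode open. The function names, the `proc_root` parameter and the sample table rows are assumptions made for illustration.

```python
import os

# Constructed sample in /proc/net/udp format. Port 0xCA6C = 51820 with inode 26262
# mirrors the question's netstat output; the 0x04AA = 1194 row and its inode are made up.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  420: 00000000:CA6C 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 26262 2 0000000000000000 0
  611: 0100007F:04AA 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 21500 2 0000000000000000 0
"""

def inodes_for_port(table_text, port):
    """Socket inodes bound to local `port` in a /proc/net/{udp,udp6,tcp,tcp6} table."""
    inodes = set()
    for line in table_text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) >= 10 and int(fields[1].rsplit(":", 1)[1], 16) == port:
            inodes.add(int(fields[9]))                # tenth column is the inode
    return inodes

def pids_holding(inodes, proc_root="/proc"):
    """PIDs that have one of `inodes` open, found via the /proc/<pid>/fd symlinks."""
    pids = set()
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                               # exited, or not running as root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:                           # fd closed while scanning
                continue
            if target.startswith("socket:[") and int(target[8:-1]) in inodes:
                pids.add(int(entry))
    return sorted(pids)

def classify(table_text, port, proc_root="/proc"):
    """("unbound"|"process"|"kernel", pids); "kernel" is only valid when run as root."""
    inodes = inodes_for_port(table_text, port)
    if not inodes:
        return ("unbound", [])
    pids = pids_holding(inodes, proc_root)
    return ("process", pids) if pids else ("kernel", [])

if __name__ == "__main__":                            # live check of port 51820
    for name in ("udp", "udp6"):
        with open(f"/proc/net/{name}") as table:
            print(name, classify(table.read(), 51820))
```

Run it as root: without read access to every `/proc/<pid>/fd` directory, a process-owned socket is misreported as kernel-owned. Once the verdict is "kernel", `wg show all listen-port` lists the ports that WireGuard interfaces are bound to.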
Score:2

General:

After a two-day search around the issue, I found, like Michael Hampton and Peter Zhabin, that there is no existing solution which shows a kernel process id via a listening port.

In addition, during those two days I also searched for command combinations that could give the wanted answer, and found no simple or convenient way to do this.

The solution I created is preliminary and I am sure it can be improved by the community members.

Assumptions For Locating The Process

  • The process is running at the kernel level, or at any other level which prevents the process from having an id (PID).
  • The process id or the process program was not found in the output of the given commands: lsof, netstat, ss, fuser.
  • We did find a listening port in the output of the above commands, but we cannot figure out the program or the PID that is causing the listening.

About grep:

We will use grep to find more information about the open port.

grep - print lines that match patterns.

From the grep man page, via the man grep command:

DESCRIPTION
       grep searches for PATTERNS in each FILE. PATTERNS is one or more
       patterns separated by newline characters, and grep prints each line
       that matches a pattern. Typically PATTERNS should be quoted when grep
       is used in a shell command.

  • Here is a great topic on how to use the command correctly and effectively.

How To Locate The PID Or The Program That Is Using The Given Port Via grep:

In my case, executing `sudo grep --exclude-dir={sys,proc} -rnw / -e 51820 | grep -i port` solved the issue and showed a lot of information about the program that is using the port.

The given output:

iptables.service:6:ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 51820 -j ACCEPT
/home/username/wireguard-install.sh:238:    read -p "Port [51820]: " port
/home/username/wireguard-install.sh:241:        read -p "Port [51820]: " port
/home/username/wireguard-install.sh:243:    [[ -z "$port" ]] && port="51820"
/usr/share/doc/netplan/examples/wireguard.yaml:9:      port: 51820
/etc/wireguard/wg0.conf:8:ListenPort = 51820
/etc/systemd/system/wg-iptables.service:6:ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 51820 -j ACCEPT
/etc/systemd/system/wg-iptables.service:10:ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 51820 -j ACCEPT

The reason for the many flags is that other combinations I have tried had a large amount of unwanted output.

What The Arguments Of The grep Command Stand For:

  • --exclude-dir - Skip any command-line directory with a name suffix that matches the pattern.

Specifically, ignoring the sys and proc directories in our case is to avoid unwanted output.

Example: grep --exclude-dir={dir1,dir2} will avoid dir1 and dir2 during the search.

  • -r or -R is recursive.
  • -n is line number.
  • -w stands for match the whole word.
  • / stands for the "highest" directory to start the search from top to bottom.
  • -e - is the pattern used during the search.
  • 51820 in our specific case is the port number that was found by one of the network monitoring command above.
  • | - is the pipe to redirect the output of the first command part to the second one.

In our case: redirecting sudo grep --exclude-dir={sys,proc} -rnw / -e 51820 output to the next command grep -i port

  • -i - Ignore case distinctions in patterns and input data, so that characters that differ only in case match each other.
  • port - Found in order to narrow the results to the purpose for which we performed the search, finding more information about the specific port that was defined after the -e flag.

Tips:

  • Make the scan as large as possible in the first steps by starting from the / directory and using the minimum of flags to filter the output, to ensure you won't miss any detail you could obtain.
  • After finding the wanted output, or if you have problems finding it because of a lot of unwanted output, start adding flags one by one.
  • Specify the port number as the pattern; after all, this is our starting point and our ending goal.
  • Use double grep commands, redirecting the first scan into a port pattern filter. It can pinpoint the result and speed up the solution; after all, we are looking for a number as a pattern, and this can lead to many unwanted results.
  • If you cannot reach conclusions with the given output, search the web with chosen keywords that you have found.
vg flag
This will work for applications that use a specific port with each invocation and is listed in configuration files and such. However, NFS uses random port numbers (by default) on each invocation. See this post for more info: https://serverfault.com/a/311127/143731.