Check the port status of Linux
The "IP address" is used to identify which computer on the network you are connecting to, and the "port number" is needed to identify which program running on that computer you are accessing.
The port number is a 16-bit integer and ranges from 0 to 65535.
To check which ports are waiting for a connection in Linux, use the ss command or netstat command.
●Well-known ports
Port numbers (0-1023) are reserved in advance for well-known services and protocols used in TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
Typical port numbers
TCP 20 | FTP (data transfer port) |
TCP 21 | FTP (control port) |
TCP 22 | SSH |
TCP 23 | Telnet |
TCP 25 | SMTP |
UDP 53 | DNS |
UDP 67 | DHCP (server) |
UDP 68 | DHCP (client) |
TCP 80 | HTTP |
TCP 110 | POP3 |
UDP 123 | NTP |
TCP 443 | HTTPS |
Use the ss command to check which ports are waiting to be connected.
●Options for the ss command
-a | Show all sockets (listening and non-listening) |
-n | Show numeric ports instead of converting them to service names |
-t | Display TCP information only |
-u | Display UDP information only |
●Show only TCP ports
Run the ss command with the option "-atn".
[root@Lion ~]# ss -atn
State      Recv-Q Send-Q   Local Address:Port     Peer Address:Port
LISTEN     0      128      127.0.0.1:10024        *:*
LISTEN     0      100      127.0.0.1:10025        *:*
LISTEN     0      100      *:587                  *:*
LISTEN     0      64       *:38861                *:*
LISTEN     0      100      *:110                  *:*
LISTEN     0      100      *:143                  *:*
LISTEN     0      128      127.0.0.1:783          *:*
LISTEN     0      128      *:111                  *:*
LISTEN     0      128      *:21                   *:*
LISTEN     0      100      *:25                   *:*
LISTEN     0      128      *:2233                 *:*
LISTEN     0      128      *:37982                *:*
LISTEN     0      100      *:993                  *:*
LISTEN     0      100      *:995                  *:*
TIME-WAIT  0      0        192.168.11.62:25       45.142.120.183:20614
TIME-WAIT  0      0        192.168.11.62:25       45.142.120.183:33136
... (rest omitted) ...
●Show only UDP ports
Run the ss command with the option "-anu".
[root@Lion ~]# ss -anu
State      Recv-Q Send-Q   Local Address:Port     Peer Address:Port
UNCONN     0      0        *:48532                *:*
UNCONN     0      0        *:40884                *:*
UNCONN     0      0        *:111                  *:*
UNCONN     0      0        127.0.0.1:323          *:*
ESTAB      0      0        192.168.11.62:45568    192.168.11.1:53
ESTAB      0      0        192.168.11.62:57961    192.168.11.1:53
UNCONN     0      0        127.0.0.1:723          *:*
UNCONN     0      0        *:724                  *:*
ESTAB      0      0        192.168.11.62:35666    192.168.11.1:53
UNCONN     0      0        :::45110               :::*
UNCONN     0      0        :::111                 :::*
UNCONN     0      0        ::1:323                :::*
UNCONN     0      0        :::724                 :::*
UNCONN     0      0        :::43156               :::*
●Display both TCP and UDP ports.
Run the ss command with the option "-atnu".
[root@Lion ~]# ss -atnu
Netid  State      Recv-Q Send-Q   Local Address:Port     Peer Address:Port
udp    UNCONN     0      0        *:48532                *:*
udp    UNCONN     0      0        *:40884                *:*
udp    UNCONN     0      0        *:111                  *:*
udp    UNCONN     0      0        127.0.0.1:323          *:*
udp    UNCONN     0      0        127.0.0.1:723          *:*
udp    UNCONN     0      0        *:724                  *:*
udp    ESTAB      0      0        192.168.11.62:58651    192.168.11.1:53
udp    UNCONN     0      0        :::45110               :::*
udp    UNCONN     0      0        :::111                 :::*
udp    UNCONN     0      0        ::1:323                :::*
udp    UNCONN     0      0        :::724                 :::*
udp    UNCONN     0      0        :::43156               :::*
tcp    LISTEN     0      128      127.0.0.1:10024        *:*
tcp    LISTEN     0      100      127.0.0.1:10025        *:*
tcp    LISTEN     0      100      *:587                  *:*
tcp    LISTEN     0      64       *:38861                *:*
tcp    LISTEN     0      100      *:110                  *:*
tcp    LISTEN     0      100      *:143                  *:*
tcp    LISTEN     0      128      127.0.0.1:783          *:*
tcp    LISTEN     0      128      *:111                  *:*
tcp    LISTEN     0      128      *:21                   *:*
tcp    LISTEN     0      100      *:25                   *:*
tcp    LISTEN     0      128      *:2233                 *:*
tcp    LISTEN     0      128      *:37982                *:*
tcp    LISTEN     0      100      *:993                  *:*
tcp    LISTEN     0      100      *:995                  *:*
tcp    TIME-WAIT  0      0        192.168.11.62:25       45.142.120.183:62652
... (rest omitted) ...
●Display the ports where communication has been established.
Run the ss command with the option "-t". Without "-a", listening sockets are left out, and without "-n", ports are shown as service names.
[root@Lion ~]# ss -t
State       Recv-Q Send-Q   Local Address:Port             Peer Address:Port
ESTAB       0      0        192.168.11.62:smtp             45.142.120.183:57896
ESTAB       0      0        192.168.11.62:smtp             45.142.120.183:6772
CLOSE-WAIT  56     0        127.0.0.1:48094                127.0.0.1:10025
ESTAB       0      0        192.168.11.62:smtp             45.142.120.183:19356
ESTAB       0      288      192.168.11.62:infocrypt        192.168.11.51:64079
ESTAB       0      18       192.168.11.62:smtp             45.142.120.183:58682
CLOSE-WAIT  56     0        127.0.0.1:48652                127.0.0.1:10025
ESTAB       0      0        ::ffff:xxx.xxx.xxx.xxx:http    ::ffff:xxx.xxx.xxx.xxx:48918
xxx.xxx.xxx.xxx is the IP address of the Linux server.
●Each item of the ss command execution result
Netid | Socket type: u_str = UNIX domain socket, tcp = TCP socket, udp = UDP socket |
State | Communication status |
Recv-Q | Size of the receive queue (data received but not yet read by the application) |
Send-Q | Size of the send queue (data sent but not yet acknowledged by the peer) |
Local Address:Port | IP address (or socket file) and port on the local, server side |
Peer Address:Port | IP address (or socket file) and port of the communicating peer |
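The Local Address column is what separates a loopback-only listener (127.0.0.1:10024) from one reachable on every interface (*:587). The script below is an added example, not part of the original page: it reads `ss -atn` style output, classifies each TCP listener, and reports exposed ports missing from a baseline. The function names and the baseline list are hypothetical; the sample rows are copied from the output above.

```sh
#!/bin/sh
# Constructed sample: rows taken from the `ss -atn` output shown above.
SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:10024 *:*
LISTEN 0 100 *:587 *:*
LISTEN 0 64 *:38861 *:*
LISTEN 0 128 *:21 *:*
LISTEN 0 100 *:25 *:*
LISTEN 0 128 *:2233 *:*
TIME-WAIT 0 0 192.168.11.62:25 45.142.120.183:20614'

# listeners: read ss output on stdin, print "PORT SCOPE" once per TCP listener.
# SCOPE is "local" for loopback binds, "exposed" for wildcard or other addresses.
listeners() {
    awk '{
        s = 0
        for (i = 1; i <= NF; i++) if ($i == "LISTEN") { s = i; break }
        if (!s || s + 3 > NF) next            # header or non-listening row
        addr = $(s + 3)                       # Local Address:Port column
        port = addr; sub(/.*:/, "", port)     # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host) # text before the last colon
        scope = "exposed"
        if (host ~ /^(\[?::ffff:)?127\./ || host == "::1" || host == "[::1]")
            scope = "local"
        key = port " " scope
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# unexpected ALLOWED: print exposed ports missing from the space-separated list.
unexpected() {
    listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "exposed" && !($1 in ok) { print $1 }'
}

# Hypothetical baseline for this host: FTP, SMTP, submission, relocated sshd.
printf '%s\n' "$SAMPLE" | unexpected "21 25 587 2233"
# Live use: ss -atn | unexpected "21 25 587 2233"
```

Because the state token is located by name, the same functions accept the `ss -atnu` layout with its extra Netid column; UDP sockets (state UNCONN) are not classified here.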
Checking the ports used by a process in Linux (lsof command)
To check the port used by a process in Linux, use the "lsof" command.
Checking which ports each process uses is an important part of assessing the security of a Linux host: it shows whether any unwanted programs are running, whether an unauthorized backdoor has been installed, and so on.
The "lsof" command lists open files, including network sockets, together with the name of the process and the user it runs as.
If you want to check only the port usage information, run it with the option "-i".
To see the port usage of every process, you need to run the lsof command as the root user.
●Check which port the process is using.
Run the "lsof" command with the option "-i".
[root@Lion ~]# lsof -i
COMMAND   PID    USER    FD   TYPE  DEVICE    SIZE/OFF  NODE  NAME
httpd     3381   daemon  4u   IPv6  29480     0t0       TCP   *:http (LISTEN)
chronyd   3758   chrony  1u   IPv4  27912     0t0       UDP   localhost:323
chronyd   3758   chrony  2u   IPv6  27913     0t0       UDP   localhost:323
proftpd   3811   nobody  0u   IPv4  28910     0t0       TCP   *:ftp (LISTEN)
sshd      4097   root    3u   IPv4  32041     0t0       TCP   *:infocrypt (LISTEN)
httpd     4266   root    4u   IPv6  29480     0t0       TCP   *:http (LISTEN)
httpd     4356   daemon  4u   IPv6  29480     0t0       TCP   *:http (LISTEN)
master    4805   root    13u  IPv4  30593     0t0       TCP   *:smtp (LISTEN)
master    4805   root    14u  IPv6  30594     0t0       TCP   *:smtp (LISTEN)
master    4805   root    18u  IPv4  30603     0t0       TCP   *:submission (LISTEN)
master    4805   root    19u  IPv6  30604     0t0       TCP   *:submission (LISTEN)
master    4805   root    96u  IPv4  30682     0t0       TCP   localhost:10025 (LISTEN)
mysqld    4836   mysql   15u  IPv6  29617     0t0       TCP   *:mysql (LISTEN)
httpd     24688  daemon  4u   IPv6  29480     0t0       TCP   *:http (LISTEN)
sshd      27736  root    3u   IPv4  23220846  0t0       TCP   Tiger:infocrypt->192.168.11.51:64079 (ESTABLISHED)
sshd      27776  tama    3u   IPv4  23220846  0t0       TCP   Tiger:infocrypt->192.168.11.51:64079 (ESTABLISHED)
... (rest omitted) ...
●Each item in the "lsof" command execution result
Item | Meaning |
COMMAND | The command that is being executed |
PID | Process ID |
USER | Execution user |
FD | File descriptor |
TYPE | Type |
DEVICE | Device |
SIZE/OFF | File size or offset |
NODE | Protocol |
NAME | File or port |
●Show processes using a specific port number.
To check for processes using a specific port number, run the lsof command with the option "-i" followed by a ":" (colon) and the port number.
The following shows port 80 for the web server:
[root@Lion ~]# lsof -i:80
COMMAND  PID    USER    FD  TYPE  DEVICE  SIZE/OFF  NODE  NAME
httpd    3381   daemon  4u  IPv6  29480   0t0       TCP   *:http (LISTEN)
httpd    4266   root    4u  IPv6  29480   0t0       TCP   *:http (LISTEN)
httpd    4356   daemon  4u  IPv6  29480   0t0       TCP   *:http (LISTEN)
httpd    24688  daemon  4u  IPv6  29480   0t0       TCP   *:http (LISTEN)
httpd    62737  daemon  4u  IPv6  29480   0t0       TCP   *:http (LISTEN)
Check the port numbers of the services in Linux with a file (/etc/services)
Services running on Linux will use a service-specific port number by default.
For example, TCP port number 80 for http, 443 for https, and so on. The port a service actually uses is set in the service's own configuration file, but the commonly assumed port numbers are listed in the /etc/services file.
[root@Lion ~]# vi /etc/services
# /etc/services:
# $Id: services,v 1.55 2013/04/14 ovasik Exp $
#
# Network services, Internet style
# IANA services version: last updated 2013-04-10
#
# Note that it is presently the policy of IANA to assign a single well-known
# port number for both TCP and UDP; hence, most entries here have two entries
# even if the protocol doesn't support UDP operations.
# Updated from RFC 1700, ``Assigned Numbers'' (October 1994). Not all ports
# are included, only the more common ones.
#
# The latest IANA port assignments can be gotten from
# http://www.iana.org/assignments/port-numbers
# The Well Known Ports are those from 0 through 1023.
# The Registered Ports are those from 1024 through 49151
# The Dynamic and/or Private Ports are those from 49152 through 65535
#
# Each line describes one service, and is of the form:
#
# service-name port/protocol [aliases ...] [# comment]
tcpmux          1/tcp                   # TCP port service multiplexer
tcpmux          1/udp                   # TCP port service multiplexer
rje             5/tcp                   # Remote Job Entry
rje             5/udp                   # Remote Job Entry
echo            7/tcp
echo            7/udp
discard         9/tcp   sink null
discard         9/udp   sink null
systat          11/tcp  users
systat          11/udp  users
daytime         13/tcp
daytime         13/udp
qotd            17/tcp  quote
qotd            17/udp  quote
msp             18/tcp                  # message send protocol (historic)
msp             18/udp                  # message send protocol (historic)
chargen         19/tcp  ttytst source
chargen         19/udp  ttytst source
ftp-data        20/tcp
ftp-data        20/udp
# 21 is registered to ftp, but also used by fsp
ftp             21/tcp
ftp             21/udp  fsp fspd
ssh             22/tcp                  # The Secure Shell (SSH) Protocol
ssh             22/udp                  # The Secure Shell (SSH) Protocol
telnet          23/tcp
telnet          23/udp
"/etc/services" 11176L, 670293C
... (rest omitted) ...
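The service names that ss and lsof print when "-n" is not used come from a lookup by port number in this file, not from inspecting the process, which is why sshd appears as "infocrypt" in the lsof output earlier. The parser below is an added example, not part of the original page; the function names, the SERVICES_FILE variable and the 2233/tcp sample entry are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample in /etc/services format: lines from the excerpt above plus
# an assumed entry for 2233/tcp, which the excerpt does not reach.
SERVICES='# service-name  port/protocol  [aliases ...]   [# comment]
discard         9/tcp           sink null
ftp             21/tcp
ftp             21/udp          fsp fspd
ssh             22/tcp          # The Secure Shell (SSH) Protocol
infocrypt       2233/tcp        # assumed entry'

# Read the file named by SERVICES_FILE (e.g. /etc/services) or the sample.
services_src() {
    if [ -r "${SERVICES_FILE:-}" ]; then cat "$SERVICES_FILE"
    else printf '%s\n' "$SERVICES"; fi
}

# svc_name PORT PROTO: print the primary name registered for PORT/PROTO.
svc_name() {
    services_src | awk -v want="$1/$2" '
        { sub(/#.*/, "") }                      # strip comments
        NF >= 2 && $2 == want { print $1; found = 1; exit }
        END { exit !found }'
}

# svc_port NAME PROTO: print the port of a service name or any of its aliases.
svc_port() {
    services_src | awk -v name="$1" -v proto="$2" '
        { sub(/#.*/, "") }
        NF >= 2 {
            split($2, pp, "/")                  # pp[1] = port, pp[2] = protocol
            if (pp[2] != proto) next
            for (i = 1; i <= NF; i++) {
                if (i == 2) continue            # skip the port/protocol field
                if ($i == name) { print pp[1]; found = 1; exit }
            }
        }
        END { exit !found }'
}

# The label shown for a listener on 2233/tcp comes from this lookup alone,
# whatever daemon actually owns the socket.
echo "2233/tcp is labelled: $(svc_name 2233 tcp)"
echo "alias fsp/udp maps to port: $(svc_port fsp udp)"
```

Both functions return a non-zero exit status when nothing matches, so an unlisted port can be told apart from a named one.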