
How to Determine which Process or Application uses a TCP Connection

This recipe shows how to determine which process or application uses a TCP connection that you saw listed in your netstat output. The example below is for Linux; Windows is further down in the post.

In this example, I have a small ARM Linux device being remotely managed via the “Dataplicity” service. To use the service you install a script which runs on startup. It seems that the script sets up an SSH connection from the managed ARM device to the dataplicity server, so that when you log in to their Admin portal and choose the “terminal” option, you access the Linux terminal which is already set up.

The netstat output shows a session outbound from the ARM machine (10.10.0.126) to the dataplicity server (96.126.99.204) on TCP/443 (SSL):

root@raspberrypi:/# netstat -an | grep ':443'
tcp 0 48 10.10.0.126:46098 96.126.99.204:443 ESTABLISHED

The next step is to find which process(es) use the (source) TCP port 46098:

root@raspberrypi:/# fuser 46098/tcp
46098/tcp: 2110 2167 2185

Three processes use that source port. The processes are:

root@raspberrypi:/# ls -l /proc/2110/exe
lrwxrwxrwx 1 root root 0 May 14 16:50 /proc/2110/exe -> /usr/bin/python2.7
root@raspberrypi:/# ls -l /proc/2167/exe
lrwxrwxrwx 1 root root 0 May 14 16:50 /proc/2167/exe -> /bin/bash
root@raspberrypi:/# ls -l /proc/2185/exe
lrwxrwxrwx 1 root root 0 May 14 16:50 /proc/2185/exe -> /bin/netstat

bash and netstat can be explained, but python also uses it. This is the Dataplicity script:

root@raspberrypi:/# ps -ef | grep 2110
root 2110 1 3 16:43 ? 00:00:19 /usr/bin/python /usr/local/bin/d [output was truncated here by the remote console I was using]
root 2167 2110 0 16:44 pts/0 00:00:00 /bin/bash
root 2219 2167 0 16:53 pts/0 00:00:00 grep 2110

root@raspberrypi:/# ls /usr/local/bin/d*
/usr/local/bin/dataplicity
root@raspberrypi:/#
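The two manual steps above (netstat to find the socket, fuser plus /proc/PID/exe to find its owners) can be done directly from /proc, which is where both tools get their data. The following is an added example, not code from the post or from Dataplicity: it parses the /proc/net/tcp format, looks up the socket inode for a local port, and then walks /proc/<pid>/fd for the matching socket:[inode] link. The sample /proc/net/tcp text is constructed to reproduce the post's 10.10.0.126:46098 -> 96.126.99.204:443 session; the inode numbers in it are made up.

```python
import os
import socket
import struct

# /proc/net/tcp 'st' codes (kernel include/net/tcp_states.h)
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample of /proc/net/tcp matching the netstat line in the post
# (10.10.0.126:46098 -> 96.126.99.204:443 ESTABLISHED) plus a listener on :22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 7E000A0A:B412 CC637E60:01BB 01 00000030:00000000 00:00000000 00000000     0        0 18392 1 00000000 20 4 30 10 -1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11203 1 00000000 100 0 0 10 0
"""

def decode_addr(hexaddr):
    """'7E000A0A:B412' -> ('10.10.0.126', 46098). The kernel prints the IPv4 address as
    a host-order 32-bit hex value, so on little-endian hosts (ARM, x86) bytes are reversed."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """One dict per connection row; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                         "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return rows

def socket_inodes_for_port(text, local_port):
    """Socket inode(s) whose local port matches, e.g. the 46098 in the post."""
    return [r["inode"] for r in parse_proc_net_tcp(text) if r["local"][1] == local_port]

def pids_holding_inode(inode, proc="/proc"):
    """Walk /proc/<pid>/fd for a 'socket:[<inode>]' link (what fuser does) and resolve
    /proc/<pid>/exe for each hit, like the ls -l step in the post. Needs root to see all."""
    target, hits = "socket:[%d]" % inode, []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            if target in links:
                hits.append((int(pid), os.readlink(os.path.join(proc, pid, "exe"))))
        except OSError:      # process exited mid-walk, or not readable without root
            continue
    return sorted(hits)
```

On a live system, run as root and feed the real file: `pids_holding_inode(socket_inodes_for_port(open("/proc/net/tcp").read(), 46098)[0])`. A process that is not readable (different user, no root) is silently skipped, which is also why fuser run as an unprivileged user can miss owners.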

Example using MS Windows:

C:\Users\daren.matthews>netstat -a -n -o | find "10123"
Proto Local Address Foreign Address State PID
TCP 10.44.112.8:49384 10.44.101.113:10123 ESTABLISHED 3768

C:\Users\daren.matthews>tasklist | find "3768"
CcmExec.exe 3768 Services 0 39,020 K

  1. June 12th, 2015 at 18:13 | #1

    Hi!
    Just thought I’d drop a line to say hello and thanks for the article!

    I can confirm that the dataplicity terminal is a client-initiated HTTPS connection, and while it does “look” like SSH, it is in fact quite different and actually operates more like a ‘reverse tunnel’ over TCP port 443 (HTTPS port). It means that the dataplicity terminal will work through loads of different firewalls, NAT and VPNs, and simply requires a connection from the device to the internet on port 443.

    Hope that helps!

    Best,
    Elliot Mackenzie
    dataplicity Founder

  2. Daren Matthews
    July 30th, 2015 at 15:01 | #2

    Hi Elliot,
    Many thanks for that information – my curiosity is such that I’m going to grab a tcpdump to see this.
    Thanks again and also for visiting.
    – Daren
