Methods to Find Process Listening on Port in FreeBSD: netstat, sockstat, ps, grep, tcpdump, lsof
How to Find Process Listening on Port in FreeBSD
There are several ways to find out which process is listening on a port in FreeBSD. One is the netstat command, which displays active sockets, routing tables, interface statistics and multicast memberships. `netstat -an -f inet` (and `-f inet6`) lists every TCP and UDP socket with its local address and state, and `netstat -Lan` restricts the output to listening sockets together with their listen-queue sizes. FreeBSD's netstat does not print the owning PID, so it tells you which ports are open but not who opened them; for that you need sockstat or lsof.
The more direct tool is sockstat(1), which is part of the base system. It lists open sockets together with the user, command name, PID and file descriptor that hold each one, and it can filter by address family (-4, -6), protocol (-P tcp), socket state (-l for listening, -c for connected) and port (-p 22). `sockstat -l -P tcp` is usually the single command that answers the question.
ps
The ps command displays information about the processes running on the system. With -o you choose the columns: the PID and parent PID, the user, the start time, the full command line, memory use (rss, vsz) and the wait channel (wchan), which names the kernel event a sleeping process is waiting for.
ps by itself cannot tell you which process owns a port, because it knows nothing about sockets. Its place in this workflow is the second step: once sockstat or lsof has given you a PID, `ps -o user,pid,ppid,start,command -p PID` shows who is running the listener, when it started and exactly how it was invoked, which is what you need in order to decide whether an open port belongs to a known service or to something that should not be there. The system-wide header with the process count, load averages and memory and swap totals comes from top(1), not from ps; ps prints only process lines.
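The two-step procedure above (sockstat for the PID, ps for the process details) as an added shell example; this is not code from the original page. It assumes the default `sockstat -l` column layout (USER, COMMAND, PID, FD, PROTO, LOCAL ADDRESS, FOREIGN ADDRESS), and the function names and the sockstat sample are this example's own, constructed to exercise the parser offline:

```sh
#!/bin/sh
# Added example: map a TCP port to its owning process on FreeBSD.
# Step 1 parses `sockstat -l` output; step 2 hands the PID(s) to ps.
# Function names and the sample data below are this example's own.

# Read `sockstat -l` output on stdin and print "PID COMMAND PROTO LOCAL"
# for every listening socket bound to port $1. LOCAL ADDRESS is field 6
# (assumed default sockstat layout); the port is whatever follows the last
# colon, which also handles IPv6 addresses such as ::1:25 where the earlier
# colons belong to the address itself.
listeners_on_port() {
    awk -v port="$1" 'NR > 1 && NF >= 6 {
        n = split($6, a, ":")
        if (a[n] == port) print $3, $2, $5, $6
    }'
}

# Collapse to unique PIDs: one daemon usually holds both a tcp4 and a
# tcp6 socket for the same port and we only want to inspect it once.
unique_pids() {
    awk '!seen[$1]++ { print $1 }'
}

# Live use on a FreeBSD host: who owns tcp/$1, with user, start time and
# full command line from ps so you can judge whether it belongs there.
port_owner() {
    pids=$(sockstat -l -P tcp | listeners_on_port "$1" | unique_pids)
    [ -n "$pids" ] || { echo "nothing listening on tcp/$1" >&2; return 1; }
    for pid in $pids; do
        ps -o user,pid,ppid,start,command -p "$pid"
    done
}

# Constructed `sockstat -l` output (not captured from a real host) used to
# exercise the parser without sockstat being available.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp6   *:22                  *:*
root     sshd       1234  5  tcp4   *:22                  *:*
www      nginx      2345  6  tcp4   127.0.0.1:8080        *:*
root     sendmail   2210  3  tcp4   127.0.0.1:25          *:*
root     sendmail   2210  4  tcp6   ::1:25                *:*'

# Run the parser over the sample; prints the unique PIDs for port $1
# separated by spaces (empty when nothing is bound to that port).
sample_pids_for_port() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | listeners_on_port "$1" | unique_pids \
        | tr '\n' ' ' | sed 's/ $//'
}

sample_pids_for_port 22      # prints 1234
sample_pids_for_port 8080    # prints 2345
```

On a real host, `port_owner 22` replaces the sample with live sockstat output. The parser deliberately keys on the last colon rather than on a fixed address shape, so wildcard (`*:22`), IPv4 and IPv6 bindings all resolve to the same port, and the dedup step keeps the ps output to one entry per process.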
grep
grep is a command-line utility that searches its input for lines matching a regular expression. It originated on Unix and exists on every Unix-like system; FreeBSD ships BSD grep in the base system, with GNU grep available as a port. The two accept most of the same options, but a few flags differ, so check grep(1) on the host before relying on one in a script. In this workflow its job is to pull the LISTEN lines, or the lines for one port, out of netstat or sockstat output, for example `netstat -an -f inet | grep LISTEN` or `sockstat -l | grep ':22 '`.
grep's behaviour depends on the locale environment variables (LC_ALL, LC_CTYPE, LANG), which select the character encoding and decide which bytes count as letters, digits or whitespace in bracket expressions such as [[:space:]]. GREP_COLOR and GREP_COLORS control match highlighting. Line buffering is not an environment setting; it is requested with --line-buffered, which matters when grep sits in a pipeline behind a long-running producer such as tcpdump.
The counting and selection options are easy to confuse. -c prints the number of matching lines instead of the lines themselves; -v inverts the match so that non-matching lines are printed; -m NUM stops after NUM matching lines. -n, -b and -H prefix each printed line with the line number, the byte offset and the file name respectively. Context lines requested with -A, -B or -C are printed in full, and when -n is in effect they are separated from their line number by `-` rather than the `:` used for matching lines, so a script can tell the two apart.
tcpdump
tcpdump captures packets from a network interface and decodes them into a readable form; on FreeBSD it needs root or read access to /dev/bpf. It complements the socket listing: sockstat tells you who is listening, tcpdump tells you whether anyone is actually talking to that port and whether the protocol carries credentials in the clear, which is how insecure services and leaked usernames or passwords are spotted. Its behaviour is controlled by command-line flags.
Filter expressions in BPF syntax select the traffic of interest, for example `tcpdump -i em0 -nn 'tcp port 22'` or `'tcp[tcpflags] & tcp-syn != 0'` for connection attempts only. -i chooses the interface, -n and -nn suppress host and port name resolution, -s sets the snaplen (the number of bytes kept per packet), -c stops after a given number of packets, -C and -G rotate the output file by size or by time, and -w writes the raw packets to a file for later analysis instead of printing them.
tcpdump can produce an overwhelming amount of data, and learning to read its decoded output takes time, so limit captures with a filter, a packet count (-c) or a snaplen whenever you can, and write to a file with -w when you need to analyse the traffic more than once.
lsof
lsof lists information about open files. It is not part of the FreeBSD base system; install it from the sysutils/lsof port or package. An open file can be a regular file, a directory, a Unix socket, a network socket (which lsof calls an Internet file), a character or block device, an executing text reference or a kernel shared library, so every process that holds a listening socket shows up in its output.
By default lsof lists every open file of every process. -p PID restricts the output to one process, -c NAME to commands whose name begins with NAME, and -i [4|6][protocol][@host][:port] to network files, so `lsof -nP -i TCP | grep LISTEN` is the lsof equivalent of `sockstat -l -P tcp` (the -n and -P flags stop lsof from resolving host and port names, which keeps it fast and the output greppable). The man page documents many more selection options.
-r [t] puts lsof in repeat mode: it re-runs the listing every t seconds (default 15) until interrupted, which is useful for watching a short-lived listener appear and disappear. +r [t] repeats in the same way but exits on the first cycle that lists no open files. Neither option affects blocking; that is the job of -b, which avoids the kernel functions (lstat, readlink, stat) that can hang on an unresponsive mount, as described in the BLOCKS AND TIMEOUTS and AVOIDING KERNEL BLOCKS sections of the man page.