Determining the process listening on a particular port on a Linux system with ss


To determine what process is listening on a particular TCP port on a Linux system, you can use the ss command. On a CentOS Linux system, the command can be found at /sbin/ss. The utility is part of the iproute, or iproute2, package.

# which ss
/sbin/ss
# rpm -qf /sbin/ss
iproute-3.10.0-21.el7.x86_64
#

To see help information on the utility, you can use the command ss --help.

# ss --help
Usage: ss [ OPTIONS ]
       ss [ OPTIONS ] [ FILTER ]
   -h, --help           this message
   -V, --version        output version information
   -n, --numeric        don't resolve service names
   -r, --resolve       resolve host names
   -a, --all            display all sockets
   -l, --listening      display listening sockets
   -o, --options       show timer information
   -e, --extended      show detailed socket information
   -m, --memory        show socket memory usage
   -p, --processes      show process using socket
   -i, --info           show internal TCP information
   -s, --summary        show socket usage summary
   -b, --bpf           show bpf filter socket information

   -4, --ipv4          display only IP version 4 sockets
   -6, --ipv6          display only IP version 6 sockets
   -0, --packet display PACKET sockets
   -t, --tcp            display only TCP sockets
   -u, --udp            display only UDP sockets
   -d, --dccp           display only DCCP sockets
   -w, --raw            display only RAW sockets
   -x, --unix           display only Unix domain sockets
   -f, --family=FAMILY display sockets of type FAMILY

   -A, --query=QUERY, --socket=QUERY
       QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]

   -D, --diag=FILE     Dump raw information about TCP sockets to FILE
   -F, --filter=FILE   read filter information from FILE
       FILTER := [ state TCP-STATE ] [ EXPRESSION ]
#

Or you can consult the manual page for ss using the command man ss.

If you wish to determine which process is listening on a particular port, you can use the command with the -l or --listening options. E.g., to see a list of all the ports on which the system is listening for connections and to also see the applications listening on those ports, one could use ss -lp or ss --listening --processes. To only see the results for a particular port or ports you are interested in, you can pipe the results of the ss command into the grep command using the "pipe character", i.e., | (shift \). E.g., if I wanted to see which programs were listening for connections to send and receive email on a system, I could use the commands below.

# ss --listening --processes | grep pop3s
tcp    LISTEN     0      100                  *:pop3s                 *:*        users:(("dovecot",14871,29))
tcp    LISTEN     0      100                 :::pop3s                :::*        users:(("dovecot",14871,30))
[root@moonpoint nina]# ss --listening --processes | grep smtp
tcp    LISTEN     0      10                   *:smtp                  *:*        users:(("sendmail",6268,4))
#

The pop3s service is listed twice in the above output because the service is listening for both IPv4 and IPv6 connections. Sendmail is listening on all network interfaces for IPv4 connections, which is indicated by *:* on its line. Dovecot is also listening on all interfaces for IPv4, which is indicated by the *:* on its first line, and for IPv6 connections on all network interfaces, as indicated by the double colon (::) preceding :pop3s and :* on its second line.

In the example above, I can see that Dovecot is listening for secure POP3 connections, i.e., pop3s (port 995), which can be used by users to download their email to their local system in encrypted form, and Sendmail is listening for connections on the SMTP port (port 25) that email servers use to communicate with one another and which users can use to send mail in unencrypted form without authenticating with the mail server, if that is allowed by the server.

If I wanted to check on just those two ports, I could also use one grep command with the -e option that provides a means to perform a "logical or" operation, i.e., a search on multiple patterns where results will be displayed if any of the patterns are found.

# ss -lp | grep -e smtp -e pop3s
tcp    LISTEN     0      100                  *:pop3s                 *:*        users:(("dovecot",14871,29))
tcp    LISTEN     0      10                   *:smtp                  *:*        users:(("sendmail",6268,4))
tcp    LISTEN     0      100                 :::pop3s                :::*        users:(("dovecot",14871,30))
#

If you wish to search by numerical port number rather than on the service name associated with that port, such as port 995 for POP3S and port 25 for SMTP, you can use the -n or --numeric option so ss won't resolve the service names. You need to precede the port number with a colon so that no lines are included that have the port number you are interested in at the end of a longer number, e.g., 4995 instead of 995. Also add a space after the number to exclude lines where the number you are searching for is only the beginning of a longer port number. The output below was produced from an unprivileged account (note the $ prompt), so the users:(...) column is missing; ss can only show the owning process for sockets that belong to other users when it is run as root.

$ ss -lpn | grep -e ":25 " -e ":995 "
tcp    LISTEN     0      100                    *:995                   *:*
tcp    LISTEN     0      10                     *:25                    *:*
tcp    LISTEN     0      100                   :::995                  :::*
$
#
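
The grep patterns above match text anywhere on the line. As an added example (not part of the original post), the shell function below compares the local port field exactly and extracts the process name and PID, accepting both the older users:(("name",pid,fd)) format shown on this page and the newer pid=/fd= format. The function name listeners_on_port and the sample lines, including the decoy ports, are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -lpn` output (not captured from a real host).
# Ports 4995 and 9950 are decoys that a loose `grep 995` would also match;
# the 8080 line has no users:(...) column, as when ss runs without root.
sample_ss_output() {
cat <<'EOF'
tcp    LISTEN     0      100          *:995           *:*      users:(("dovecot",14871,29))
tcp    LISTEN     0      10           *:25            *:*      users:(("sendmail",6268,4))
tcp    LISTEN     0      100         :::995          :::*      users:(("dovecot",14871,30))
tcp    LISTEN     0      128  127.0.0.1:4995          *:*      users:(("decoy-a",4001,5))
tcp    LISTEN     0      128          *:9950          *:*      users:(("decoy-b",4002,6))
tcp    LISTEN     0      128          *:8080          *:*
EOF
}

# listeners_on_port PORT  (hypothetical helper name)
# Reads `ss -lpn` output on stdin and prints "port address process pid"
# for every TCP listener whose local port is exactly PORT.
listeners_on_port() {
    awk -v want="$1" '
    $2 == "LISTEN" {
        la = $5                              # Local Address:Port column
        n = split(la, parts, ":")
        port = parts[n]                      # text after the last colon
        if (port != want) next               # exact match, so 995 skips 4995 and 9950
        addr = substr(la, 1, length(la) - length(port) - 1)
        proc = "-"; pid = "-"
        # Accept both users:(("name",123,4)) and users:(("name",pid=123,fd=4))
        if (match($0, /users:\(\("[^"]+",(pid=)?[0-9]+/)) {
            u = substr($0, RSTART + 9, RLENGTH - 9)   # name",123 or name",pid=123
            split(u, f, "\",")
            proc = f[1]; pid = f[2]
            sub(/^pid=/, "", pid)
        }
        print port, addr, proc, pid
    }'
}

# Demo on the constructed sample; on a live host: ss -lpn | listeners_on_port 995
sample_ss_output | listeners_on_port 995
```

A "-" in the process and PID columns means ss printed no owner for that socket, which is what an unprivileged run produces for other users' sockets.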

Related:

  1. Using netstat to determine the process that is using a network port under Linux
    Date: December 31, 2016