When troubleshooting services running on a system, you often need to check whether those services are listening on particular ports. This article focuses on how to check for listening ports in Linux/Unix using the lsof, netstat and ss utilities.
Check for Listening Ports using ss or netstat
ss is another utility to investigate sockets. It is used to dump socket statistics and shows information similar to netstat. It can display more TCP and state information than other tools. ss is basically the new netstat.
To check for TCP and UDP listening ports, run the following command:
# ss -tunlp
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
udp    UNCONN  0       0       127.0.0.1:323        0.0.0.0:*          users:(("chronyd",pid=91078,fd=5))
udp    UNCONN  0       0       [::1]:323            [::]:*             users:(("chronyd",pid=91078,fd=6))
tcp    LISTEN  0       4096    127.0.0.1:27017      0.0.0.0:*          users:(("mongod",pid=120415,fd=14))
tcp    LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=1015,fd=3))
tcp    LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mariadbd",pid=1040,fd=34))
tcp    LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=1015,fd=4))
tcp    LISTEN  0       80      [::]:3306            [::]:*             users:(("mariadbd",pid=1040,fd=36))
tcp    LISTEN  0       4096    *:3000               *:*                users:(("semaphore",pid=1110,fd=8))
Options used in the ss command:
t – (--tcp) Display TCP sockets.
u – (--udp) Display UDP sockets.
n – (--numeric) Do not try to resolve service names. Show exact bandwidth values, instead of human-readable.
l – (--listening) Display only listening sockets (these are omitted by default).
p – (--process) Show process using socket.
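The script below is an added example, not part of the original article. It parses the ss -tunlp output format shown above, labels each listener as loopback or exposed (bound to a non-loopback address; firewall rules are not consulted), and reports exposed listeners that are not on an expected list. The function names and the tcp/22 allowlist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit `ss -tunlp` output.

# classify_listeners: read `ss -tunlp` lines on stdin and print
# "<scope> <proto> <port> <process>" for every listening socket.
classify_listeners() {
  awk '
    $1 == "Netid" { next }                        # header row
    $2 != "LISTEN" && $2 != "UNCONN" { next }     # listening TCP / bound UDP only
    {
      n = split($5, parts, ":")                   # Local Address:Port column
      port = parts[n]                             # text after the last colon
      addr = substr($5, 1, length($5) - length(port) - 1)
      proc = "-"                                  # Process column is empty without root
      if (match($0, /users:\(\("[^"]+"/))
        proc = substr($0, RSTART + 9, RLENGTH - 10)
      # 127.0.0.0/8 and [::1] are reachable only from the host itself
      scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
      print scope, $1, port, proc
    }'
}

# unexpected_exposed: print exposed listeners whose proto/port is not in the
# allowlist passed as arguments (hypothetical example value: tcp/22).
unexpected_exposed() {
  allow=" $* "
  classify_listeners | while read -r scope proto port proc; do
    [ "$scope" = exposed ] || continue
    case "$allow" in
      *" $proto/$port "*) ;;                      # expected listener
      *) echo "$proto/$port $proc" ;;
    esac
  done | sort -u                                  # IPv4 and IPv6 binds collapse to one line
}

# Sample input: the ss output shown in the article above, header removed.
SAMPLE='udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=91078,fd=5))
udp UNCONN 0 0 [::1]:323 [::]:* users:(("chronyd",pid=91078,fd=6))
tcp LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:* users:(("mongod",pid=120415,fd=14))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1015,fd=3))
tcp LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mariadbd",pid=1040,fd=34))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1015,fd=4))
tcp LISTEN 0 80 [::]:3306 [::]:* users:(("mariadbd",pid=1040,fd=36))
tcp LISTEN 0 4096 *:3000 *:* users:(("semaphore",pid=1110,fd=8))'

# Demo: only SSH is expected to be reachable from other hosts.
printf '%s\n' "$SAMPLE" | unexpected_exposed tcp/22
```

On a live host, pipe the real output in instead of the sample: ss -tunlp | unexpected_exposed tcp/22.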
netstat is not installed by default on most distributions, e.g. CentOS, Rocky or RHEL.
# netstat
-bash: netstat: command not found
In Linux distributions such as Rocky and CentOS, netstat is provided by a package called “net-tools”. net-tools is a collection of tools for controlling the network subsystem of a Linux environment.
This is how you can install net-tools on an RPM-based Linux distribution:
# dnf install net-tools
Rocky Linux 9 - BaseOS                          4.2 kB/s | 4.1 kB     00:00
Rocky Linux 9 - AppStream                       1.9 kB/s | 4.5 kB     00:02
Rocky Linux 9 - AppStream                       217 kB/s | 7.1 MB     00:33
Dependencies resolved.
================================================================================
 Package       Architecture   Version                     Repository   Size
================================================================================
Installing:
 net-tools     x86_64         2.0-0.62.20160912git.el9    baseos       292 k

Installed:
  net-tools-2.0-0.62.20160912git.el9.x86_64

Complete!
To list the listening ports using netstat, the command is similar to the ss command above:
# netstat -tulpn | grep LISTEN
tcp        0      0 127.0.0.1:27017     0.0.0.0:*     LISTEN      120415/mongod
tcp        0      0 0.0.0.0:22          0.0.0.0:*     LISTEN      1015/sshd: /usr/sbi
tcp        0      0 0.0.0.0:3306        0.0.0.0:*     LISTEN      1040/mariadbd
tcp6       0      0 :::22               :::*          LISTEN      1015/sshd: /usr/sbi
tcp6       0      0 :::3306             :::*          LISTEN      1040/mariadbd
tcp6       0      0 :::3000             :::*          LISTEN      1110/semaphore

[root@rocky9 ~]# netstat -tnlp | grep :27017
tcp        0      0 127.0.0.1:27017     0.0.0.0:*     LISTEN      120415/mongod
Options used in the netstat command:
t – (--tcp) Display TCP sockets.
u – (--udp) Display UDP sockets.
n – (--numeric) Do not try to resolve service names. Show exact bandwidth values, instead of human-readable.
l – (--listening) Display only listening sockets (these are omitted by default).
p – (--process) Show process using socket.
Check for Listening Ports using lsof
lsof is a powerful command that lists the files opened by processes. In a Linux system, everything is a file, e.g. a socket (a pseudo-file that represents a network connection) is a file that writes to the network.
# lsof -nP -iTCP -sTCP:LISTEN
COMMAND      PID    USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd        1015    root   3u   IPv4   24324      0t0  TCP *:22 (LISTEN)
sshd        1015    root   4u   IPv6   24326      0t0  TCP *:22 (LISTEN)
mariadbd    1040   mysql  34u   IPv4   24764      0t0  TCP *:3306 (LISTEN)
mariadbd    1040   mysql  36u   IPv6   24765      0t0  TCP *:3306 (LISTEN)
semaphore   1110    root   8u   IPv6   18172      0t0  TCP *:3000 (LISTEN)
mongod    120415  mongod  14u   IPv4 2146115      0t0  TCP 127.0.0.1:27017 (LISTEN)
Options used in the lsof command:
n – inhibits the conversion of network numbers to host names for network files. This may make lsof run faster.
P – inhibits the conversion of port numbers to port names for network files. This may make lsof run a little faster.
-iTCP -sTCP:LISTEN – Show only network files that have TCP state LISTEN.
To determine which process is listening on a particular port, we can use the following commands:
# lsof -nP -iTCP:22 -sTCP:LISTEN
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1015 root   3u   IPv4  24324      0t0  TCP *:22 (LISTEN)
sshd    1015 root   4u   IPv6  24326      0t0  TCP *:22 (LISTEN)

# lsof -nP -iTCP:27017 -sTCP:LISTEN
COMMAND    PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
mongod  120415 mongod  14u   IPv4 2146115      0t0  TCP 127.0.0.1:27017 (LISTEN)
From the output above, sshd runs on port 22; mongod runs on port 27017.
Conclusion
We hope that this article was beneficial to you. You can also explore Network Mapper (nmap) as an alternative. It is a command-line tool used to scan IP addresses and ports in a network and to detect installed applications.