What processes are on the ends of a TCP connection?
Ed Gould
ed at mtxinu.COM
Sat Mar 4 05:54:21 AEST 1989
>When I run "netstat -a", I can see a lot of TCP connections, as well as
>a bunch of ports (both TCP and UDP) being listened on. How do I identify
>the processes that are involved?
In general, there is not a way to track backwards from the port to the
process. The network code can be thought of as having a top half and a
bottom half. When a packet arrives from the net, the bottom half
processes the packet and - driven by a port number - hangs it on the
queue of the associated socket. When a program wants to read data from
a socket, the top half - driven by a file descriptor - looks up the
proper socket and dequeues the data.
One intuitive way to understand that it's not possible to track upwards
to a PID is to remember that many processes may have descriptors that
refer to the same socket. This will happen when a process with an open
socket forks.
It's plausible to write a program that would look at processes (if
they happened to be swapped in) and track down to a socket, but I don't
know of any such tool. Even if there were such a beast, I don't think
it will always be able to answer your question.
--
Ed Gould mt Xinu, 2560 Ninth St., Berkeley, CA 94710 USA
ed at mtxinu.COM +1 415 644 0146
"I'll fight them as a woman, not a lady. I'll fight them as an engineer."
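
Added example, not part of the original post: a sketch of the kind of program the message describes, one that walks from processes down to their sockets, and shows a forked child holding the same socket as its parent. It assumes a Linux-style /proc filesystem (not something the post mentions); the names socket_inodes, holders and fork_and_scan are hypothetical.

```python
import os, re, socket

SOCK_LINK = re.compile(r"socket:\[(\d+)\]")  # how /proc names a socket fd

def socket_inodes(pid):
    """Map fd -> socket inode for every socket descriptor open in pid."""
    found = {}
    fd_dir = f"/proc/{pid}/fd"
    try:
        names = os.listdir(fd_dir)
    except OSError:
        return found  # process exited, or we may not inspect it
    for name in names:
        try:
            m = SOCK_LINK.fullmatch(os.readlink(f"{fd_dir}/{name}"))
        except OSError:
            continue  # descriptor was closed while we were scanning
        if m:
            found[int(name)] = int(m.group(1))
    return found

def holders(inode, pids=None):
    """Return the sorted PIDs holding a descriptor for this socket inode."""
    if pids is None:  # default: every process visible in /proc
        pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    return sorted(p for p in pids if inode in socket_inodes(p).values())

def fork_and_scan(sock):
    """Fork with sock open; return (parent_pid, child_pid, holder_pids)."""
    inode = os.fstat(sock.fileno()).st_ino
    r, w = os.pipe()
    child = os.fork()
    if child == 0:
        os.close(w)
        os.read(r, 1)  # park until the parent has finished its scan
        os._exit(0)
    os.close(r)
    try:
        found = holders(inode, [os.getpid(), child])
    finally:
        os.close(w)  # EOF on the pipe releases the child
        os.waitpid(child, 0)
    return os.getpid(), child, found

if __name__ == "__main__":
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # constructed sample: ephemeral loopback port
    s.listen(1)
    parent, child, pids = fork_and_scan(s)
    print(f"TCP port {s.getsockname()[1]}: parent {parent}, child {child}, holders {pids}")
```

Scanning processes owned by other users generally needs root; without it, socket_inodes returns an empty map for them and the result is incomplete.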
More information about the Comp.unix.wizards
mailing list