What processes are on the ends of a TCP connection?
Vic Abell
abe at mace.cc.purdue.edu
Sat Mar 4 07:54:32 AEST 1989
In article <190 at heart-of-goldmitre.org>, jc at heart-of-goldmitre.org (John M Chambers) writes:
> OK all you BSD networking wizards, here's a simple one (;-):
>
> When I run "netstat -a", I can see a lot of TCP connections, as well as
> a bunch of ports (both TCP and UDP) being listened on. How do I identify
> the processes that are involved?
Here are the 4+ easy steps for 4.3BSD, ULTRIX 2.2 and DYNIX 3.1[24] hosts.

1. Use -aA on the netstat command and record the TCP Protocol Control
   Block address that is displayed for the entry whose PID you want:

        netstat -aA

2. Run adb on the kernel:

        adb -k /vmunix /dev/mem

   a) Display the TCPCB at the address that netstat displayed:

        <netstat address>$<tcpcb

   b) Display the Internet Protocol Control Block (INPCB) at the address
      displayed under "inpcb":

        <inpcb address>$<inpcb

   c) Display the socket at the address displayed under "socket":

        <socket address>$<socket

      Verify that this is the correct socket by comparing the address
      displayed under "pcb" with the INPCB address used in step b.
      This step isn't really necessary -- it's only a sanity check.

3. Now that you know the socket address, use pstat to find the file
   structure address.

        pstat -f | grep <socket address>

4. For each process, look up its associated user structure and match
   its file structure addresses to the file structure address you got
   from pstat and grep.

        *proc$<proc
        <next process address>$<proc

   and

        <u address>$<u

I'm not sure that you can do this step wholly with adb, because user
structures can be swapped out. Besides, it's excruciatingly tedious.
However, the ofiles program already scans process table entries and
associated user structures when looking for files, and it can handle
swapped-out user structures. So, all of these steps can be automated
by changing ofiles to perform steps 1, 2 and 3 before it starts
scanning the process table and their associated user structures. It
will then do step 4, too.
I have such a mod - it only took a few hours to do.
As always, you should be aware that all of this reading of kernel data
structures is scarcely atomic. Consequently, if the structures change
while you are following their links, you will not get the results you
expect.
Good luck! I hope this relieves you of the need to ask embarrassing
questions about netstat. :-)
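The procedure above has the same shape on a modern Linux host, where a defender auditing unexpected listeners wants the same socket-to-PID mapping: the kernel's connection table hands out a per-socket identity (the socket inode in /proc/net/tcp plays the role of the TCPCB/socket address that netstat -aA printed), and each process's open file table is then scanned for a file that refers to that socket (a readlink over /proc/<pid>/fd instead of adb on /dev/mem). The following script is an added example written for this page, not code from Vic Abell's post or from ofiles/lsof; it assumes the Linux /proc layout, and its sample /proc/net/tcp lines and fd tables are constructed for illustration. Sockets with inode 0 (orphaned TIME_WAIT entries) have no owning process, which is why the matcher can report an empty owner list; and, as the post warns, a walk of /proc is not atomic either.

```python
"""Map TCP sockets to owning processes via /proc (Linux).

Added example (not from the original post). Step 1 of the post becomes
parse_proc_net_tcp(); steps 2-4 collapse into match_sockets_to_pids(),
which compares socket inodes against every process's fd symlinks.
"""
import os
import re
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Numeric TCP states as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
    0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
    0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
    0x0A: "LISTEN", 0x0B: "CLOSING",
}
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


@dataclass
class TcpEntry:
    local: str
    remote: str
    state: str
    uid: int
    inode: int  # 0 means the kernel holds the socket with no owning process


def _hex_addr(field: str) -> str:
    """Decode 'HHHHHHHH:PPPP': IPv4 as host-order hex, port as big-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> List[TcpEntry]:
    """Parse the text of /proc/net/tcp; the first line is the column header."""
    entries = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        entries.append(TcpEntry(local=_hex_addr(f[1]), remote=_hex_addr(f[2]),
                                state=TCP_STATES.get(int(f[3], 16), f[3]),
                                uid=int(f[7]), inode=int(f[9])))
    return entries


def match_sockets_to_pids(entries: Iterable[TcpEntry],
                          fd_tables: Dict[int, Iterable[str]]) -> Dict[int, List[int]]:
    """Return {inode: [pid, ...]} for sockets held by at least one process.

    fd_tables maps pid -> readlink() targets of /proc/<pid>/fd/*.  A socket
    can be held by several processes (a forked worker inherits the listener),
    so each inode maps to a list.
    """
    wanted = {e.inode for e in entries if e.inode != 0}
    owners: Dict[int, List[int]] = {}
    for pid, links in fd_tables.items():
        for link in links:
            m = SOCKET_LINK.match(link)
            if m and int(m.group(1)) in wanted:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners


def report(entries: List[TcpEntry],
           fd_tables: Dict[int, Iterable[str]]) -> List[Tuple[str, str, str, List[int]]]:
    """One row per socket: (state, local, remote, owning pids)."""
    owners = match_sockets_to_pids(entries, fd_tables)
    return [(e.state, e.local, e.remote, owners.get(e.inode, [])) for e in entries]


def read_fd_tables(proc: str = "/proc") -> Dict[int, List[str]]:
    """Live walk of /proc/<pid>/fd.  Seeing other users' fds needs privilege,
    and a process may exit mid-walk (the snapshot is not atomic)."""
    tables: Dict[int, List[str]] = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            tables[int(name)] = [os.readlink(os.path.join(fd_dir, fd))
                                 for fd in os.listdir(fd_dir)]
        except OSError:
            continue
    return tables


# Constructed sample data: a listener on 127.0.0.1:631 (inode 12345) shared by
# pid 4242 and its forked worker 4243, an established connection (inode 12346)
# owned by 4242 only, and an orphaned TIME_WAIT socket with inode 0.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 0100007F:9C40 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:9C40 0100007F:0277 06 00000000:00000000 03:00000123 00000000     0        0 0 3 0000000000000000
"""
SAMPLE_FDS = {
    1: ["/dev/null", "/dev/null"],
    4242: ["/dev/null", "socket:[12345]", "socket:[12346]", "anon_inode:[eventpoll]"],
    4243: ["socket:[12345]", "pipe:[999]"],
}

if __name__ == "__main__":
    for row in report(parse_proc_net_tcp(SAMPLE_TCP), SAMPLE_FDS):
        print(*row)
    if os.path.exists("/proc/net/tcp"):  # live data when run on Linux
        with open("/proc/net/tcp") as fh:
            for row in report(parse_proc_net_tcp(fh.read()), read_fd_tables()):
                print(*row)
```

Run as a script it prints the sample mapping and then, on Linux, the live one; an unexplained LISTEN row with an empty owner list usually means the walker lacks permission to read that process's fd directory rather than that nothing owns the socket, so compare against a privileged run before drawing conclusions.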