Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to tie a network connection to a PID without using lsof or netstat?

Is there a way to tie a network connection to a PID (process ID) without forking to lsof or netstat?

Currently lsof is being used to poll what connections belong which process ID. However lsof or netstat can be quite expensive on a busy host and would like to avoid having to fork to these tools.

Is there someplace similar to /proc/$pid where one can look to find this information? I know what the network connections are by examining /proc/net but can't figure out how to tie this back to a pid. Over in /proc/$pid, there doesn't seem to be any network information.

The target hosts are Linux 2.4 and Solaris 8 to 10. If possible, a solution in Perl, but am willing to do C/C++.

additional notes:

I would like to emphasize the goal here is to tie a network connection to a PID. Getting one or the other is trivial, but putting the two together in a low cost manner appears to be difficult. Thanks for the answers to so far!

like image 829
jac_no_k Avatar asked May 08 '09 05:05

jac_no_k


3 Answers

I don't know how often you need to poll, or what you mean with "expensive", but with the right options both netstat and lsof run a lot faster than in the default configuration.
Examples:

netstat -ltn

shows only listening tcp sockets, and omits the (slow) name resolution that is on by default.

lsof -b -n -i4tcp:80

omits all blocking operations, name resolution, and limits the selection to IPv4 tcp sockets on port 80.

like image 105
8jean Avatar answered Sep 29 '22 15:09

8jean


On Solaris you can use pfiles(1) to do this:

# ps -fp 308 
     UID   PID  PPID   C    STIME TTY         TIME CMD
    root   308   255   0 22:44:07 ?           0:00 /usr/lib/ssh/sshd
# pfiles 308 | egrep 'S_IFSOCK|sockname: '
   6: S_IFSOCK mode:0666 dev:326,0 ino:3255 uid:0 gid:0 size:0
        sockname: AF_INET 192.168.1.30  port: 22

For Linux, this is more complex (gruesome):

# pgrep sshd
3155
# ls -l /proc/3155/fd | fgrep socket
lrwx------ 1 root root 64 May 22 23:04 3 -> socket:[7529]
# fgrep 7529 /proc/3155/net/tcp 
   6: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7529 1 f5baa8a0 300 0 0 2 -1            

00000000:0016 is 0.0.0.0:22. Here's the equivalent output from netstat -a:

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
like image 26
Martin Carpenter Avatar answered Sep 29 '22 16:09

Martin Carpenter


Why don't you look at the source code of netstat and see how it get's the information? It's open source.

like image 37
lothar Avatar answered Sep 29 '22 16:09

lothar