How to list bound Linux sockets if they are not listening

Is there a way in a Linux environment to check bound sockets that are not listening?

If the socket is created, connected, and listened on, it is displayed by netstat -l, in /proc/net/<L4 type>, etc. That's fine.

But if the socket is created and bound to a specific TCP/UDP/SCTP and IP port, it does not appear in the specified places. The fd is displayed under /proc/<PID>/fd/ with the note socket:[inode], but AFAIK it cannot be mapped to any other tables/lists. The problem is that the connected socket prevents other processes in the same network namespace from communicating/listening on the same IP port. This results in Errno 98: Address already in use.

So, is it possible to list (or determine the owner process of) bound but not listening/connected sockets?

Edit:

Take this golang protocol example. You can run it with go run TCP_bind.go. If you run it twice, the second run will fail.

How do you know which port the process is connected to? Or vice versa, how would you find who reserved port 55555 when you cannot use it in your application?

1 answer

On Linux, you can use the audit system to record certain events, including system calls. We can use it to find out which processes call bind(2).

Assuming Ubuntu:

    sudo apt install auditd
    sudo auditctl -a exit,always -F arch=b64 -S bind -k BIND

I tested with the following Python code equivalent to your Go code:

    import socket
    s = socket.socket()
    s.bind(('127.0.0.1', 55555))

The audit trail can be found using ausearch -i -k BIND:

    ----
    type=CONFIG_CHANGE msg=audit(04/18/2017 21:29:52.730:19) : auid=ovi ses=1 op="add_rule" key=BIND list=exit res=yes
    ----
    type=CONFIG_CHANGE msg=audit(04/18/2017 21:29:58.062:20) : auid=ovi ses=1 op="add_rule" key=BIND list=exit res=yes
    ----
    type=PROCTITLE msg=audit(04/18/2017 21:31:09.189:33) : proctitle=python
    type=SOCKADDR msg=audit(04/18/2017 21:31:09.189:33) : saddr=inet host:127.0.0.1 serv:55555
    type=SYSCALL msg=audit(04/18/2017 21:31:09.189:33) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7fff11c66440 a2=0x10 a3=0x373 items=0 ppid=28677 pid=28693 auid=o9000 uid=o9000 gid=o9000 euid=o9000 suid=o9000 fsuid=o9000 egid=o9000 sgid=o9000 fsgid=o9000 tty=pts1 ses=4 comm=python exe=/usr/bin/python2.7 key=BIND

We can indeed see the bind call for host:127.0.0.1 serv:55555 from pid 28693.

Auditing must be enabled before running the problem program.

The actual log is stored in /var/log/audit/audit.log. You might want to set auditd to rotate it, so it does not grow indefinitely.

Explanation of the above commands (based on doc):

  • auditctl -a : checking system calls ...
  • exit,always : always check this system call when it exits (since we want to know if bind(2) succeeded)
  • -F arch=b64 : check 64-bit programs (for 32-bit you need to create a separate rule!)
  • -S bind : audit the bind system call
  • -k BIND : add a "BIND" label to the event in the log
  • ausearch : search audit log ...
  • -i : convert structures to human readable records (decodes IP address and port number)
  • -k BIND : show only events marked as "BIND".
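The answer notes that -i decodes the IP address and port; in the raw /var/log/audit/audit.log the SOCKADDR record carries them as a hex dump of the sockaddr structure. The following Python is an added example, not part of the original answer: it joins SYSCALL and SOCKADDR records by event id and decodes the address, so both the process holding port 55555 and later failed binds (exit=-98) can be listed. The function names, the sample log lines and the little-endian (x86_64) host assumption are constructed for illustration.

```python
import ipaddress
import re
import struct

# Constructed sample in raw audit.log form (what "ausearch -i" would decode).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1492540269.189:33): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7fff11c66440 a2=10 a3=373 items=0 ppid=28677 pid=28693 uid=1000 comm="python" exe="/usr/bin/python2.7" key="BIND"
type=SOCKADDR msg=audit(1492540269.189:33): saddr=0200D9037F0000010000000000000000
type=SYSCALL msg=audit(1492540301.412:41): arch=c000003e syscall=49 success=no exit=-98 a0=3 a1=7ffd0c1a2b30 a2=10 a3=373 items=0 ppid=28677 pid=28710 uid=1000 comm="python" exe="/usr/bin/python2.7" key="BIND"
type=SOCKADDR msg=audit(1492540301.412:41): saddr=0200D9037F0000010000000000000000
"""

RECORD = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_saddr(hex_saddr):
    """Decode a hex sockaddr dump to (host, port); None for non-IP families."""
    raw = bytes.fromhex(hex_saddr)
    if len(raw) < 4:
        return None
    family = struct.unpack_from("<H", raw)[0]  # host order; little-endian assumed
    port = struct.unpack_from("!H", raw, 2)[0]  # network byte order
    if family == 2 and len(raw) >= 8:  # Linux AF_INET: sockaddr_in
        return str(ipaddress.ip_address(raw[4:8])), port
    if family == 10 and len(raw) >= 24:  # Linux AF_INET6: sockaddr_in6
        return str(ipaddress.ip_address(raw[8:24])), port
    return None  # AF_UNIX, AF_NETLINK, ... carry no IP address or port

def bind_events(log_text, key="BIND"):
    """Join SYSCALL and SOCKADDR records of one event; one dict per bind(2)."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events.setdefault((ts, serial), {})[rtype] = fields
    out = []
    for recs in events.values():
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        if not sc or not sa or sc.get("key") != key:
            continue
        addr = decode_saddr(sa["saddr"])
        if addr:
            out.append({"pid": int(sc["pid"]), "exe": sc["exe"], "host": addr[0],
                        "port": addr[1], "ok": sc["success"] == "yes"})
    return out

if __name__ == "__main__":
    print(*bind_events(SAMPLE_LOG), sep="\n")
```

Filtering the result on port and `ok` gives the owner of a reserved port; entries with `ok` false are the processes that hit "Address already in use".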

Source: https://habr.com/ru/post/1266867/

