Linux API to determine sockets owned by a process

梦毁少年i 2020-12-23 02:01

Is there a Linux library that will enable me to tell what IP sockets are owned by what processes? I guess I'm looking for the programmatic equivalent of lsof -i

7 answers
  • 2020-12-23 02:15

    I think you first have to look through the open fds in /proc/*/fd, e.g.

    4 -> socket:[11147]
    

    and then look for the referenced sockets (by the inode) in /proc/net/tcp (or /proc/net/udp), e.g.

    12: B382595D:8B40 D5C43B45:0050 01 00000000:00000000 00:00000000 00000000  1000        0 11065 1 ffff88008bd35480 69 4 12 4 -1
    
  • 2020-12-23 02:19

    You can read them from proc filesystem. The 'files' you probably want to look at are found in /proc/<pid>/net (namely tcp, udp, unix)

    Here are some examples of using the proc filesystem

  • 2020-12-23 02:23

    /proc/<pid>/net is equivalent to /proc/net for all processes in the same network namespace as you – in other words, it's "global" information.

    You can do what lsof and fuser do, which is to iterate through both /proc/<pid>/fd/* and /proc/net/* looking for matching inodes. Quick demonstration:

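    #!/bin/bash
    # Needs bash, not plain sh: uses [[ ]] and ${var:offset:length}.
    # All arguments are handed to pgrep to pick the processes to inspect.
    pgrep "$@" | while read -r pid; do
        for fd in /proc/"$pid"/fd/*; do
            # Socket descriptors are symlinks of the form socket:[<inode>]
            name=$(readlink "$fd")
            case $name in
                socket:\[*\])
                    ino=${name#*:}   # "[<inode>]", brackets stripped below
                    # Each entry is <file in /proc/net>:<column holding the inode>
                    for proto in tcp:10 tcp6:10 udp:10 udp6:10 unix:7; do
                        [[ ! -e /proc/net/${proto%:*} ]] ||
                        awk "
                            \$${proto##*:} == ${ino:1:${#ino}-2} {
                                print \"${proto%:*}:\", \$0
                                exit 1
                            }
                        " /proc/net/${proto%:*} || break   # awk exits 1 on a match: stop searching
                    done
                    ;;
            esac
        done
    done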
    

    You can extend this to other protocols (I see ax25, ipx, packet, raw, raw6, udplite, udp6lite in /proc/net/ too) or rewrite in a language of your choosing.

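An added example (not part of any answer here, and not lsof's or fuser's code): the inode match described in the first and third answers, written in Python and limited to IPv4 TCP and UDP, with the hex address, port, state and uid columns decoded. It reads `/proc/<pid>/net/<proto>` so the table comes from the target process's own network namespace; `SAMPLE` is the row quoted in the first answer, and the `<I` packing assumes the table came from a little-endian host.

```python
import os, re, socket, struct

# Row quoted in the first answer, under the header /proc/net/tcp prints.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  12: B382595D:8B40 D5C43B45:0050 01 00000000:00000000 00:00000000 00000000  1000        0 11065 1 ffff88008bd35480 69 4 12 4 -1
"""

def decode_endpoint(hexpair):
    # Address is printed as a host-order integer; "<I" assumes little-endian.
    addr, port = hexpair.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_net_table(text):
    """Parse IPv4 /proc/net/tcp or /proc/net/udp text into {inode: record}."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue  # header or malformed row
        table[int(f[9])] = {"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                            "state": f[3], "uid": int(f[7])}
    return table

def socket_inodes(pid, proc="/proc"):
    """Inodes behind the socket:[N] symlinks in <proc>/<pid>/fd."""
    fd_dir, inodes = os.path.join(proc, str(pid), "fd"), set()
    try:
        fds = os.listdir(fd_dir)
    except OSError:  # process gone, or not ours and we are not root
        return inodes
    for fd in fds:
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
        except OSError:  # descriptor closed while we were scanning
            continue
        if m:
            inodes.add(int(m.group(1)))
    return inodes

def sockets_of(pid, proc="/proc"):
    """(proto, record) for each IPv4 TCP/UDP socket the process holds."""
    owned, found = socket_inodes(pid, proc), []
    for proto in ("tcp", "udp"):
        with open(os.path.join(proc, str(pid), "net", proto)) as fh:
            table = parse_net_table(fh.read())
        found += [(proto, table[i]) for i in sorted(owned & table.keys())]
    return found
```
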
  • 2020-12-23 02:31

    You could try running lsof with strace and see just which files in /proc it gets data from.

  • 2020-12-23 02:37

    I'd go to the source:

    http://ubuntuforums.org/showthread.php?t=1346778

  • 2020-12-23 02:40

    To determine sockets owned by a process you can just use netstat. Here's an example w/output (shortened) of netstat with options that will do what you want.

    $ sudo netstat -apeen
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
    tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      138        744850      13248/privoxy   
    tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      117        9612        2019/postgres   
    udp        0      0 127.0.0.1:51960         127.0.0.1:51960         ESTABLISHED 117        7957        2019/postgres   
    udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          7740        1989/dhclient   
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
    unix  2      [ ACC ]     STREAM     LISTENING     7937     2019/postgres       /var/run/postgresql/.s.PGSQL.5432
    unix  2      [ ACC ]     STREAM     LISTENING     958058   8080/emacs          /tmp/emacs1000/server
    unix  2      [ ACC ]     STREAM     LISTENING     6969     1625/Xorg           /tmp/.X11-unix/X0
    unix  2      [ ]         DGRAM                    9325     1989/dhclient       
    unix  3      [ ]         STREAM     CONNECTED     7720     1625/Xorg           @/tmp/.X11-unix/X0
    

    Make sure you run netstat as root otherwise you'll get this message:

    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    

    An explanation of the -apeen options from the netstat manpage:

    -a, --all
        Show both listening and non-listening sockets. With the
        --interfaces option, show interfaces that are not up
    
    -p, --program
        Show the PID and name of the program to which each socket
        belongs.
    
    -e, --extend
        Display additional information. Use this option twice for
        maximum detail.
    
    --numeric , -n
        Show numerical addresses instead of trying to determine symbolic host, port or user names.
    
    --numeric-hosts
        shows numerical host addresses but does not affect the resolution of port or user names.
    
    --numeric-ports
        shows numerical port numbers but does not affect the resolution of host or user names.
    
    --numeric-users
        shows numerical user IDs but does not affect the resolution of host or port names.
    