Have you ever tried to find the open ports on a Linux box without the common tools like netstat, nmap, lsof or ss? In some cases the tools are just not available, e.g. on a cut-down Linux server or in a container where you don't have permission to install any software.
I actually ran into this problem recently, and I have worked it out. Just like the subject says: get it from the kernel directly. I will explain it with an example. Please see my inline comments.
```
# Find out the sockets in /proc/net/tcp (/proc/net/udp is for udp)
# st stands for status, 0A means listening, 01 means established
# The local_address and rem_address are in Hex format
# It is in ip_address:port format, just beware that ip_address is
# in reversed order. Just use bash command to convert them,
# I will show you later.
$ cat /proc/net/tcp
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 1010980000 0 287005026 1 ffff8802e73b3640 100 0 0 10 0
   1: CE0B010A:AD90 20B24236:01BB 01 00000000:00000000 00:00000000 00000000 1010980000 0 287004357 1 ffff8803b6f064c0 20 4 30 10 -1

# Find out the process ID that uses the socket. The socket inode
# is listed in above outputs.
$ ls -l /proc/*/fd/* | grep 287005026
ls: cannot access '/proc/158/fd/10': No such file or directory
ls: cannot access '/proc/158/fd/3': No such file or directory
ls: cannot access '/proc/158/fd/4': No such file or directory
ls: cannot access '/proc/159/fd/10': No such file or directory
ls: cannot access '/proc/self/fd/10': No such file or directory
ls: cannot access '/proc/self/fd/3': No such file or directory
ls: cannot access '/proc/self/fd/4': No such file or directory
lrwx------. 1 1010980000 root 64 Oct 25 10:21 /proc/7/fd/10 -> socket:[287005026]

$ ls -l /proc/*/fd/* | grep 287004357
ls: cannot access '/proc/160/fd/10': No such file or directory
ls: cannot access '/proc/160/fd/3': No such file or directory
ls: cannot access '/proc/160/fd/4': No such file or directory
ls: cannot access '/proc/161/fd/10': No such file or directory
ls: cannot access '/proc/self/fd/10': No such file or directory
ls: cannot access '/proc/self/fd/3': No such file or directory
ls: cannot access '/proc/self/fd/4': No such file or directory
lrwx------. 1 1010980000 root 64 Oct 25 10:21 /proc/7/fd/11 -> socket:[287004357]

# Check the CMD column to see what application the process is for.
# In this case, it is a node application.
$ ps -f 7
UID        PID  PPID  C STIME TTY      STAT   TIME CMD
1010980+     7     1  0 05:28 ?        Sl     0:08 node /usr/local/bin/coffee /dilbert/node_modules/.bin/hubot --adapter slack

# Convert Hex to Decimal to find out the port,
# The port 8080 is listening on address 0.0.0.0
$ echo $((0x1F90))
8080

# Convert Hex to Decimal to find out the local ip address
# The ip is 10.1.11.206
$ echo $((0x0A))
10
$ echo $((0x01))
1
$ echo $((0x0B))
11
$ echo $((0xCE))
206
```
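The manual steps above, collected into a small POSIX shell script. This is an added example, not part of the original post: the function names (decode_addr, list_sockets, owner_pids, sample_tcp) are made up here, and it assumes IPv4 on a little-endian host, where the address bytes appear reversed as in the output above.

```sh
#!/bin/sh
# Added example: decode /proc/net/tcp rows with shell arithmetic, cat and ls only.
# Assumption: IPv4, little-endian host (address bytes printed in reversed order).

# decode_addr HEXIP:HEXPORT -> dotted.quad:port
decode_addr() {
    ip=$((0x${1%:*})); port=$((0x${1#*:}))
    # Lowest byte of the hex word is the first octet (>> binds tighter than &).
    echo "$((ip & 255)).$((ip >> 8 & 255)).$((ip >> 16 & 255)).$((ip >> 24 & 255)):$port"
}

# list_sockets [STATE] < /proc/net/tcp -> "STATE local remote inode" per row.
# STATE is the raw hex code from the st column (0A listening, 01 established).
list_sockets() {
    while read -r sl laddr raddr st q1 q2 q3 uid tmo inode rest; do
        [ "$sl" = "sl" ] && continue                    # skip the header row
        [ -n "$1" ] && [ "$st" != "$1" ] && continue    # optional state filter
        case $st in
            0A) name=LISTEN ;; 01) name=ESTABLISHED ;; *) name="st=$st" ;;
        esac
        echo "$name $(decode_addr "$laddr") $(decode_addr "$raddr") $inode"
    done
}

# owner_pids INODE [PROCROOT] -> PIDs holding an fd that links to socket:[INODE]
owner_pids() {
    for fd in "${2:-/proc}"/[0-9]*/fd/*; do
        # Entries that vanish or are unreadable produce no output and are skipped.
        case $(ls -ld "$fd" 2>/dev/null) in
            *"-> socket:[$1]") pid=${fd%/fd/*}; echo "${pid##*/}" ;;
        esac
    done
}

# Constructed sample input: the two rows shown in the article.
sample_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 1010980000 0 287005026 1 ffff8802e73b3640 100 0 0 10 0
   1: CE0B010A:AD90 20B24236:01BB 01 00000000:00000000 00:00000000 00000000 1010980000 0 287004357 1 ffff8803b6f064c0 20 4 30 10 -1
EOF
}

sample_tcp | list_sockets    # all rows; pass 0A to show listeners only
```

On a real host, run `list_sockets 0A < /proc/net/tcp` and pass an inode from its last column to `owner_pids`. Without root, `owner_pids` only sees file descriptors of processes you own.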
Reference: http://www.onlamp.com/pub/a/linux/2000/11/16/LinuxAdmin.html