Basically, I can see the two sockets, and everything about them, but cannot tell that they are connected. I am trying to determine which FD in the parent is communicating with which child process. On Linux, since kernel version 3. Will list all the Unix domain sockets that have a process whose name starts with Xorg at either end in a format similar to:.
The ss utility from iproute2 makes use of that same API to retrieve and display information on the list of unix domain sockets on the system including peer information. The sockets are identified by their inode number. Note that it's not related to the filesystem inode of the socket file. The -p option can tell you which process(es) have that socket open. For instance here:. To find out what process(es) has , you can look up its own entry in the output of ss -xp :.
You could also use this script as a wrapper around lsof to easily show the relevant information there:. It lists all the Unix domain sockets including socketpairs. The first field in there if not hidden to non-superusers with the kernel. Now we can use a heuristic approach at determining the offset: have our tool create a dummy socketpair then we know the address of both peers , and search for the address of the peer around the memory at the other end to determine the offset.
Here is a proof-of-concept script that does just that using perl successfully tested with kernel 2. Like above, it works as a wrapper around lsof :.
Since kernel 3. In older versions, according to the author of lsof , it was impossible to find this out: the Linux kernel does not expose this information. Source: thread on comp. When you create a pipe or socket pair, each end successively receives an inode number.
I checked the definition of socketpair in kernel 2. You can now get this information with ss :. Matching IDs are the two ends of a socket. There are 2 different sockets, 1 listening and 1 established. Also, you need a version of your kernel image with debugging symbols. On Debian 7, apt-get install linux-image If you don't have or don't want to keep the debugging kernel image on the system, you can give gdb the memory offset to "manually" access the peer value.
This offset value usually differs with kernel version or architecture. If you have the same kernel running on several machines, it is easier to use this variant because you don't need the debug image, only the offset value. Most of the credit for this answer goes to MvG.
In the example used, no doubt PID was the originator of the socket's creation as this PID is identified in the socket name. Neither lsof nor netstat identified PID as the original creator, though clearly PID is the current maintainer.
Find original owning process of a Linux socket. Asked 11 years, 8 months ago. Active 3 years, 8 months ago. Rob H. Please elaborate on how you would go about arranging sharing of a socket with no parent-child relationship. The question I linked to explains it. I have also seen it happen on my Linux box.
And the question is posted in "Shell Programming and Scripting". Something is a little off here. Hi, My take on this would be that all the socket information is correct.
A process can have multiple network connections open simultaneously. It can also contain multiple threads within itself, which can themselves have multiple connections open, and so on. So in this case, the process with PID has all four of those connections open. Hi, Ah, you want to check the listening sockets in that case.
That's not what you're doing here. You're looking at all established sockets - in other words, connections between your system and another system. That will show you just the sockets that are open and listening for incoming connections on your local system. Hope this helps! A possibly misleading aspect of the latter output is visible in the connections to and from localhost and the final line.
Also interestingly, this line conveys to us in the first output that the kernel is waiting for the remote endpoint to acknowledge the bytes which are still in the Send-Q buffer. The connection was initiated from an ephemeral port on tristan to a service running on port The service normally running on this well-known port is sshd, so we can conclude that somebody on tristan has connected to the morgan's ssh server. The third through the sixth lines can be understood in pairs.
By examining the source and destination IP and port pairs, we can see that two different TCP sessions have been established with the source and destination address of For an administrator to publish services on localhost is not at all uncommon. This makes the service harder to abuse from the network. In this case, when we allow the service lookup, the port in question appears to be used to tunnel forwarded X applications over ssh.
Refer to Table G. If we needed to know exactly which application owned a particular network connection, we would use the -p --program switch which gives us the PID and process name of the owner process. If we want to see the unix user and the PID and process we'll add the -e --extend switch. Displaying IP socket status details with netstat. There doesn't appear to be a large number of connections to and from the masq-gw host. The two sessions are initiated to the sshd running on port 22, and the process which owns each socket is a root process.
Table G. Possible Session States in netstat output. One of the most common uses of netstat, especially in cross-platform environments, is the reporting of the main routing table.