Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!mtxinu!ed
From: ed@mtxinu.COM (Ed Gould)
Newsgroups: comp.unix.wizards
Subject: Re: What processes are on the ends of a TCP connection?
Message-ID: <763@mtxinu.UUCP>
Date: 3 Mar 89 19:54:21 GMT
References: <190@heart-of-goldmitre.org>
Reply-To: ed@mtxinu.COM (Ed Gould)
Organization: mt Xinu, Berkeley
Lines: 27

>When I run "netstat -a", I can see a lot of TCP connections, as well as
>a bunch of ports (both TCP and UDP) being listened on. How do I identify
>the processes that are involved?

In general, there is not a way to track backwards from the port to the
process. The network code can be thought of as having a top half and
a bottom half. When a packet arrives from the net, the bottom half
processes the packet and - driven by a port number - hangs it on the
queue of the associated socket. When a program wants to read data
from a socket, the top half - driven by a file descriptor - looks up
the proper socket and dequeues the data.

One intuitive way to understand that it's not possible to track upwards
to a PID is to remember that many processes may have descriptors that
refer to the same socket. This will happen when a process with an open
socket forks.

It's plausible to write a program that would look at processes (if they
happened to be swapped in) and track down to a socket, but I don't know
of any such tool. Even if there were such a beast, I don't think it
will always be able to answer your question.

--
Ed Gould                    mt Xinu, 2560 Ninth St., Berkeley, CA 94710 USA
ed@mtxinu.COM               +1 415 644 0146

"I'll fight them as a woman, not a lady. I'll fight them as an engineer."
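
An added example, not part of the original post: assuming a modern Linux system with `/proc` (which the post predates), the process-side walk the post calls plausible can be done by matching socket inodes, and it shows the fork case directly because one listening socket can map to several PIDs. The function names and the `proc_root` parameter are illustrative, and only IPv4 `/proc/net/tcp` is read.

```python
import os
import re
from collections import defaultdict

# /proc/<pid>/fd/<n> is a symlink of the form "socket:[<inode>]" for sockets.
SOCK_LINK = re.compile(r"^socket:\[(\d+)\]$")

def listening_tcp_ports(proc_root="/proc"):
    """Return {socket inode: local port} for TCP sockets in LISTEN state."""
    ports = {}
    with open(os.path.join(proc_root, "net", "tcp")) as fh:
        next(fh)  # skip the column header line
        for line in fh:
            f = line.split()
            if len(f) < 10 or f[3] != "0A":  # st field 0A is TCP_LISTEN
                continue
            ports[int(f[9])] = int(f[1].rsplit(":", 1)[1], 16)
    return ports

def socket_holders(proc_root="/proc"):
    """Return {socket inode: sorted PIDs holding a descriptor for it}."""
    holders = defaultdict(set)
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or we may not inspect it
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = SOCK_LINK.match(target)
            if m:
                holders[int(m.group(1))].add(int(entry))
    return {ino: sorted(pids) for ino, pids in holders.items()}

def port_to_pids(proc_root="/proc"):
    """Map each listening TCP port to every PID that shares its socket."""
    holders = socket_holders(proc_root)
    return {port: holders.get(ino, [])
            for ino, port in listening_tcp_ports(proc_root).items()}

if __name__ == "__main__":
    for port, pids in sorted(port_to_pids().items()):
        print(port, pids or "no visible holder (other user's process?)")
```

An empty PID list for a port usually means the scan ran without permission to read other users' `fd` directories, so run it with sufficient privilege when auditing listeners.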