Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!decwrl!purdue!mentor.cc.purdue.edu!mace.cc.purdue.edu!abe
From: abe@mace.cc.purdue.edu (Vic Abell)
Newsgroups: comp.unix.wizards
Subject: Re: What processes are on the ends of a TCP connection?
Summary: netstat -aA to PID in four+ easy steps
Message-ID: <1914@mace.cc.purdue.edu>
Date: 3 Mar 89 21:54:32 GMT
References: <190@heart-of-goldmitre.org>
Organization: Purdue University
Lines: 68

In article <190@heart-of-goldmitre.org>, jc@heart-of-goldmitre.org (John M Chambers) writes:
> OK all you BSD networking wizards, here's a simple one (;-):
> 
> When I run "netstat -a", I can see a lot of TCP connections, as well as
> a bunch of ports (both TCP and UDP) being listened on.  How do I identify
> the processes that are involved?

Here are the 4+ easy steps for 4.3BSD, ULTRIX 2.2 and DYNIX 3.1[24] hosts.

1.  Use -aA on the netstat command and record the TCP Protocol Control
    Block address that is displayed for the entry whose PID you want:

	netstat -aA

2.  Run adb on the kernel:

		adb -k /vmunix /dev/mem

	a) Display the TCPCB at the address that netstat displayed:

		<netstat address>$<tcpcb

	b) Display the Internet Protocol Control Block (INPCB) at the address
	   displayed under "inpcb":

		<inpcb address>$<inpcb

	c) Display the socket at the address displayed under "socket":

		<socket address>$<socket

	   Verify that this is the correct socket by comparing the address
	   displayed under "pcb" with the INPCB address used in step b.
	   This step isn't really necessary -- it's only a sanity check.

3.  Now that you know the socket address, use pstat to find the file
    structure address.

	pstat -f | grep <socket address>

4.  For each process, look up its associated user structure and match
    its file structure addresses to the file structure address you got
    from pstat and grep.

		*proc$<proc
		<next process address>$<proc
	and
		<u address>$<u

    I'm not sure that you can do this step wholly with adb, because user
    structures can be swapped out.  Besides, it's excruciatingly tedious.

    However, the ofiles program already scans process table entries and
    associated user structures when looking for files, and it can handle
    swapped-out user structures.  So, all of these steps can be automated
    by changing ofiles to perform steps 1, 2 and 3 before it starts
    scanning the process table and their associated user structures.  It
    will then do step 4, too.

    I have such a mod - it only took a few hours to do.

As always, you should be aware that all of this reading of kernel data
structures is scarcely atomic.  Consequently, if the structures change
while you are following their links, you will not get the results you
expect.

Good luck!  I hope this relieves you of the need to ask embarrassing
questions about netstat.  :-)