I have been monitoring my system lately and I have found some strange things are running on my system. Can anyone please explain what they are and why same program use several processes? Output of netstat and ps -aux:
netstat -antplF
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name<br>
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN - <br>
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - <br>
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN - <br>
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN - <br>
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN - <br>
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN - <br>
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN - <br>
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN - <br>
tcp 0 0 192.168.0.100:44952 144.76.244.204:443 ESTABLISHED 2705/chromium-brows<br>
tcp 0 0 192.168.0.100:49334 66.196.66.212:443 ESTABLISHED 6796/firefox <br>
tcp 0 0 192.168.0.100:40249 69.171.235.19:443 ESTABLISHED 6796/firefox <br>
tcp 0 0 192.168.0.100:51498 173.194.39.246:443 ESTABLISHED 6796/firefox <br>
tcp 0 0 192.168.0.100:39152 198.252.206.24:80 ESTABLISHED 2705/chromium-brows<br>
tcp 0 0 192.168.0.100:49050 2.20.142.212:80 ESTABLISHED 2705/chromium-brows<br>
tcp 0 0 192.168.0.100:56883 74.125.136.84:443 ESTABLISHED 2705/chromium-brows<br>
tcp 0 0 192.168.0.100:39153 198.252.206.24:80 ESTABLISHED 2705/chromium-brows<br>
tcp 0 0 192.168.0.100:50371 142.0.72.109:3389 ESTABLISHED 5777/xfreerdp <br>
tcp 0 0 192.168.0.100:56903 66.196.120.54:5050 ESTABLISHED 5809/pidgin <br>
tcp 0 0 192.168.0.100:51073 66.196.120.77:5050 ESTABLISHED 5809/pidgin <br>
tcp 0 0 192.168.0.100:54875 193.149.89.57:443 ESTABLISHED 6796/firefox <br>
tcp 0 0 192.168.0.100:40648 152.163.0.143:80 ESTABLISHED 6796/firefox <br>
tcp 0 0 192.168.0.100:53681 173.194.116.106:443 ESTABLISHED 2705/chromium-brows<br>
tcp 1 0 192.168.0.100:51012 91.189.89.144:80 CLOSE_WAIT 3829/ubuntu-geoip-p<br>
tcp 1 0 192.168.0.100:44527 91.189.89.31:80 CLOSE_WAIT 3871/gvfsd-http <br>
tcp 0 0 192.168.0.100:47284 74.125.136.94:443 ESTABLISHED 2705/chromium-brows<br>
tcp 0 0 192.168.0.100:36697 173.194.66.95:80 ESTABLISHED 2705/chromium-brows<br>
tcp 0 0 192.168.0.100:37008 173.194.44.52:443 ESTABLISHED 2705/chromium-brows<br>
tcp 0 0 192.168.0.100:40558 66.196.121.49:5050 ESTABLISHED 5809/pidgin <br>
tcp 0 0 192.168.0.100:56115 172.227.184.65:443 ESTABLISHED 2705/chromium-brows<br>
tcp 0 0 192.168.0.100:35533 66.196.120.117:5050 ESTABLISHED 5809/pidgin <br>
tcp 0 0 192.168.0.100:57169 64.4.44.81:443 ESTABLISHED 6796/firefox <br>
tcp 0 0 192.168.0.100:58695 198.252.206.25:443 ESTABLISHED 2705/chromium-brows<br>
tcp 0 0 192.168.0.100:43395 213.157.220.180:443 ESTABLISHED 2705/chromium-brows<br>
tcp6 0 0 ::1:631 :::* LISTEN - <br>
tcp6 0 0 :::445 :::* LISTEN - <br>
tcp6 0 0 :::139 :::* LISTEN - <br>
tcp6 0 0 :::111 :::* LISTEN - <br>
tcp6 0 0 :::80 :::* LISTEN - <br>
tcp6 1 0 ::1:33153 ::1:631 CLOSE_WAIT -<br>What are the LISTEN ports and IPs at the beginning and the end? Why are they like 0.0.0.0:* for any ip and any port? What does it mean? What are they used for, exactly, please?
2 Answers
- 631 is used by CUPS (the print service daemon).
- 445 is used by Samba (used to share files with Windows PCs over the network).
- 139 is used by
nmbd, part of the Samba setup. - 25 and 527 are SMTP ports. You have a mail server running on your system.
- 53 is used by the DNS server.
- 111 is used for Remote Procedure Calls. Some services depend on this.
- 80, of course, is the HTTP port.
See the list of standard ports.
The Local Address tells you what interface it is listening on (127.0.0.1 is localhost, and 0.0.0.0 means all interfaces). If a remote system has connected to a port, Foreign Address will show the address of that system, and 0.0.0.0 otherwise.
Listen:
Those lines show services you have running, waiting to be contacted
Established
Network connections that are active
Close_wait
Network connections that are about to being closed
Local address
Services: here you see the local IP-address, where that service is listening and (after a
:) the port it is listening on, with- 127.0.0.1, 127.0.1.1, ::1 (for IPv6): localhost, the loop back interface - those services can only be contacted from your local machine
- 0.0.0.0:xxx, :::xxx : any local address:port-number
active connections: the IP-address and the port used by that special connection
Foreign address
- Services: IP-adresses from where this service can be contacted (0.0.0.0:* = from everywhere, using any remote port)
- active connections: the IP-address and port of the "partner" in the communication
examples
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN: you have a service running, that listens for connections on port 25 (apparently a mail server) only from the local hosttcp 0 0 192.168.0.100:51498 173.194.39.246:443 ESTABLISHED 6796/firefox: Firefox has established a connection to the https port on 173.194.39.246
ports??
Those are just numbers, used to distinguish between connection end point on one machine, no two programs on one machine may use the same port simultaneously.
