Your best friend: LSOF



1. Which process, which port?

From a trusted installation of netstat, or from a remote scan using nmap, you have a list of open ports on a machine. So which daemon/software is responsible for each port?

lsof output looks like this (run it as root, otherwise you only see the files of your own processes):

COMMAND     PID        USER   FD   TYPE     DEVICE     SIZE       NODE NAME
init          1        root  cwd    DIR       3,66     1024          2 /
init          1        root  rtd    DIR       3,66     1024          2 /
init          1        root  txt    REG       3,66    31432     106384 /sbin/init
init          1        root  mem    REG       3,66    90088      85918 /lib/ld-2.3.2.so
init          1        root  mem    REG       3,66  1244080      85954 /lib/libc-2.3.2.so
init          1        root   10u  FIFO       3,66               70570 /dev/initctl
.
.
snortsam- 28305        root  cwd    DIR       3,69     4096     115564 /usr/local/src/snortsam-2.25
snortsam- 28305        root  rtd    DIR       3,66     1024          2 /
snortsam- 28305        root  txt    REG       3,69    95541     115672 /usr/local/src/snortsam-2.25/snortsam-debug
snortsam- 28305        root  mem    DEL       3,66               85938 /lib/ld-2.3.2.so.dpkg-new
snortsam- 28305        root  mem    DEL       3,66               85955 /lib/libpthread-0.10.so.dpkg-new
snortsam- 28305        root  mem    DEL       3,66               85941 /lib/libc-2.3.2.so.dpkg-new
snortsam- 28305        root    0u   CHR     136,30                  32 /dev/pts/30
snortsam- 28305        root    1u   CHR     136,30                  32 /dev/pts/30
snortsam- 28305        root    2u   CHR     136,30                  32 /dev/pts/30
snortsam- 28305        root    3u  IPv4   85171520                 TCP *:898 (LISTEN)
.
.
Remember that everything in Unix (and Linux) is a file --- including network sockets.

We are interested in files of TYPE IPv4 (and IPv6 on a dual-stack host), or, on other versions of lsof, TYPE inet. So:

lsof | egrep "inet|IPv4"

ssh       28296      simonh    3u  IPv4   85171489                 TCP localhost:33450->localhost:ssh (ESTABLISHED)
sshd      28297        root    4u  IPv4   85171490                 TCP localhost:ssh->localhost:33450 (ESTABLISHED)
snortsam- 28305        root    3u  IPv4   85171520                 TCP *:898 (LISTEN)
firefox-b 31980          mc    3u  IPv4  223586443                 TCP localhost:57567->localhost:6012 (ESTABLISHED)
.
.
The COMMAND column on the left names the program that owns each open port. Two caveats: lsof truncates that column to nine characters (hence "snortsam-" and "firefox-b"), so use the PID to look up the process's txt line (lsof -p 28305) for the full path of the executable; and lsof resolves port numbers to service names (ssh, not 22) unless you pass -P (and -n to skip DNS lookups). lsof can also do the filtering itself: lsof -i lists only network files, and lsof -nP -i :898 lists only what holds port 898. As with netstat, run an lsof binary you trust; on a compromised host the local copy may have been tampered with.
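The port-to-process lookup described above, as an added example (this is not code from the original page): a small POSIX sh/awk script that takes lsof output in the column layout shown on this page and answers "who listens on port X?", then follows the PID to the process's txt line to get the full path behind the truncated COMMAND name. The sample lsof output embedded in the script is constructed for the demonstration; on a live machine replace it with the real output of lsof (or lsof -nP -i). The script assumes the NAME field and the "(LISTEN)" state are the last two fields of a socket line, which holds for both the old layout on this page (empty SIZE column) and newer lsof versions that print SIZE/OFF for sockets.

```shell
#!/bin/sh
# Added example: map a listening port to PID, command and executable path
# from lsof output. Sample below is CONSTRUCTED in the layout this page shows;
# the ssh/sshd/snortsam/firefox lines mimic it, the sshd 812 line is made up.
SAMPLE_LSOF='COMMAND     PID        USER   FD   TYPE     DEVICE     SIZE       NODE NAME
init          1        root  txt    REG       3,66    31432     106384 /sbin/init
snortsam- 28305        root  cwd    DIR       3,69     4096     115564 /usr/local/src/snortsam-2.25
snortsam- 28305        root  txt    REG       3,69    95541     115672 /usr/local/src/snortsam-2.25/snortsam-debug
snortsam- 28305        root    3u  IPv4   85171520                 TCP *:898 (LISTEN)
ssh       28296      simonh    3u  IPv4   85171489                 TCP localhost:33450->localhost:ssh (ESTABLISHED)
sshd      28297        root    4u  IPv4   85171490                 TCP localhost:ssh->localhost:33450 (ESTABLISHED)
sshd        812        root    3u  IPv6      12346                 TCP *:ssh (LISTEN)
firefox-b 31980          mc    3u  IPv4  223586443                 TCP localhost:57567->localhost:6012 (ESTABLISHED)'

# who_listens PORT [LSOF_OUTPUT]
# Prints "PID COMMAND PROTO" for every socket in LISTEN state bound to PORT.
# PORT is matched literally against the text after the last ":" in NAME, so
# pass "ssh" for output without -P and "22" for output produced with -P.
who_listens() {
    port=$1
    input=${2:-$SAMPLE_LSOF}
    printf '%s\n' "$input" | awk -v port="$port" '
        # only network files; TYPE is always the 5th column
        $5 == "IPv4" || $5 == "IPv6" || $5 == "inet" {
            if ($NF != "(LISTEN)") next          # skip ESTABLISHED etc.
            n = split($(NF-1), parts, ":")       # NAME is e.g. *:898 or [::]:22
            if (parts[n] == port) print $2, $1, $(NF-2)
        }'
}

# exe_of_pid PID [LSOF_OUTPUT]
# Prints the full path of the executable (the txt line) for PID, because the
# COMMAND column is cut to nine characters. NAME is everything from field 9
# on, so paths containing spaces are reassembled.
exe_of_pid() {
    pid=$1
    input=${2:-$SAMPLE_LSOF}
    printf '%s\n' "$input" | awk -v pid="$pid" '
        $2 == pid && $4 == "txt" {
            path = $9
            for (i = 10; i <= NF; i++) path = path " " $i
            print path
        }'
}

# Demo against the constructed sample:
who_listens 898          # 28305 snortsam- TCP
exe_of_pid 28305         # /usr/local/src/snortsam-2.25/snortsam-debug
```

To use it on a real box, feed live output instead of the sample: `who_listens 898 "$(lsof -nP)"` (with -nP the port is a number, so ask for 22 rather than ssh).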

