Networking Notes—The Process Status Command, NETSTAT, & LSOF

The PS Command

ps—the process status command, is used to provide info about currently running processes, including their process identification numbers (PIDs). A process, also referred to as a task, is an executing (running) instance of a program. Every process is assigned a unique PID by the system.

The basic syntax is: ps [options]

ex: ps -aux

ps results in 4 items: PID, TTY (‘terminal type’, or ‘teletype’), TIME, & CMD.

The ‘-aux’ parameter combination shows:

The ‘-a’ option shows all user processes: it tells ps to list the processes of all users on the system rather than just those of the current user, with the exception of group leaders and processes not associated with a terminal. A group leader is the first member of a group of related processes.

The ‘-u’ option tells ps to provide detailed information about each process.

The ‘-x’ option adds to the list processes that have no controlling terminal.

The ‘top’ command is a useful alternative to ‘ps’, & is available on many systems.

netstat—One of the most useful & diverse utilities is netstat. This program reports the contents of kernel data structures related to networking. One use of netstat is to display the connections & services available on a host.

netstat (network statistics) is a command-line network utility that displays network connections for Transmission Control Protocol (both incoming & outgoing), routing tables, & a number of network interface & network protocol statistics.

The first column ‘Proto’ gives the protocol. The next two columns give the sizes of the send & receive queues. These should be 0 or near 0. Otherwise, there may be a problem with that particular service.

netstat is used for finding problems in the network & to determine the amount of traffic on the network as a performance measurement.

Netstat provides statistics for the following:

  • Proto—the name of the protocol (TCP or UDP)
    • TCP—Transmission Control Protocol is one of the main protocols of the Internet protocol suite.
    • UDP—User Datagram Protocol is one of the core members of the Internet protocol suite.
  • Receive & Send Queues—“Recv-Q” & “Send-Q”. Again, these should be zero or near 0. Otherwise, there may be a problem with that particular service.
  • Local Address—the IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address & the name of the port are shown unless the ‘-n’ parameter is specified. (An asterisk * is shown for the host if the server is listening on all interfaces. If the port is not yet established, the port number is shown as an asterisk.)
  • Foreign Address—the IP address & port number of the remote computer to which the socket is connected. The names that correspond to the IP address and the port are shown unless the ‘-n’ parameter is specified. If the port is not yet established, the port number is shown as an asterisk. These two columns (local & foreign address) give the socket, or IP address and port number, for each end of a connection. This socket pair uniquely identifies one connection. The socket is presented in the form ‘hostname.service’.
  • State—Finally, the state of the connection is given in the last column for TCP services. (Note that this will be blank for UDP since it is connectionless.)
    • The most common states are:
      • ESTABLISHED for current connections
      • LISTEN for services awaiting a connection, and
      • TIME_WAIT for recently terminated connections
      • Any of the TCP states could show up, but you should rarely see the others. An excessive number of ‘SYN_RECEIVED’, for example, indicates a problem (possibly a denial-of-service attack).
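The two checks the notes describe (non-zero queues, and too many half-open connections) are easy to script over netstat output. The script below is an added example, not part of the original notes; it works on a constructed sample in Linux `netstat -ant` layout, where the half-open state is printed as SYN_RECV (the BSD/Solaris spelling is SYN_RECEIVED, so both are matched), and the same functions can be fed a live `netstat -ant` via a pipe.

```sh
# Summarise netstat-style output and flag the two symptoms the notes describe:
# non-zero Recv-Q/Send-Q, and an excessive number of half-open connections.

# Constructed sample in `netstat -ant` (Linux, numeric) layout; not a real capture.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
tcp        0  12000 192.0.2.10:443          203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.9:40002       SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.9:40003       SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.9:40004       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.2:50000       TIME_WAIT
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# count_state STATE: number of TCP sockets in STATE, read from stdin.
# Header lines and UDP lines (which carry no state) are skipped.
count_state() {
    awk -v st="$1" '$1 ~ /^tcp/ && $NF == st { n++ } END { print n + 0 }'
}

# nonzero_queues: socket lines whose Recv-Q or Send-Q is not zero, read from stdin.
nonzero_queues() {
    awk '$1 ~ /^(tcp|udp)/ && ($2 > 0 || $3 > 0) { print $4 " recv=" $2 " send=" $3 }'
}

# syn_check THRESHOLD: WARN when half-open connections exceed THRESHOLD, else OK.
# Matches both the Linux (SYN_RECV) and BSD/Solaris (SYN_RECEIVED) spellings.
syn_check() {
    n=$(awk '$1 ~ /^tcp/ && ($NF == "SYN_RECV" || $NF == "SYN_RECEIVED") { n++ } END { print n + 0 }')
    if [ "$n" -gt "$1" ]; then
        echo "WARN: $n half-open connections"
    else
        echo "OK: $n half-open connections"
    fi
}

# Demonstration on the sample; on a live host use `netstat -ant | count_state ...`.
printf '%s\n' "$SAMPLE" | count_state ESTABLISHED
printf '%s\n' "$SAMPLE" | nonzero_queues
printf '%s\n' "$SAMPLE" | syn_check 2
```

The threshold passed to syn_check is a local judgement call; a busy web server legitimately holds some half-open connections, so baseline the normal count first.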

lsof—lists open files on a Unix system. ‘lsof’ is a remarkable tool that is often overlooked. Written by Victor Abell, it lists every open file on a Unix system. This might not seem a particularly remarkable service until we start thinking about the implications.

An application that uses the file system, networked or otherwise, will have open files at some point. ‘lsof’ offers a way to track that activity.

Note: More uses can be found in the ‘lsof’ manpage, the FAQ, & a quick-start guide.