Use the "lsof" command. lsof stands for LiSt Open Files. lsof can save you a lot of time and hassle if you are just checking on the status of your machine, but more importantly can give you valuable information and point you in the right direction when troubleshooting what exactly your machine is up to. Most are familiar with the command ‘netstat’ which provides a wealth of information about your network sockets. But the name implies exactly what it is good at: revealing information about your network sockets.
lsof takes it a notch further. Linux treats most everything as a file. Sockets, devices, directories, etc. can all be viewed as files. When a process or application interacts with these files it has to "open" them, if you will. Using this command you can delve in and see what your system is up to. Checking out the man pages on lsof (# man lsof) is a great start to see how to explore the current goings-on of your box. Some examples are included to show you the power and wealth of information from this little lister.
It’s a great tool for administrators.
Show all open TCP files – Will return what service is running, who is running it, the process ID and the connections on all TCP ports:
# lsof -i TCP
Show open TCP files on port 80 –
# lsof -i TCP:80
returns -->
httpd2-wo 7010 wwwrun 3u IPv6 14787 TCP *:http (LISTEN)
Show open LDAP connections on TCP –
# lsof -i TCP:636
Want to know what files are open by a particular command? Substitute your command after the -c. And yes, you can abbreviate it: lsof matches commands whose names begin with the string you give –
# lsof -c mysq
returns -->
mysqld 991 admin cwd DIR 8,3 240 148743 /home/admin/novell/idm/mysql/data
mysqld 991 admin rtd DIR 8,3 536 2 /
mysqld 991 admin txt REG 8,3 5464060 148691 /home/admin/novell/idm/mysql/bin/mysqld
mysqld 991 admin 0r CHR 1,3 41715 /dev/null
mysqld 991 admin 1w REG 8,3 1250 149954 /home/admin/novell/idm/mysql/mysql.log
mysqld 991 admin 2w REG 8,3 1250 149954 /home/admin/novell/idm/mysql/mysql.log
mysqld 991 admin 3u IPv4 86990 TCP *:63306 (LISTEN)
...
Want to know what files are open on a particular device?
# lsof /dev/cdrom
returns -->
bash 30904 admin cwd DIR 3,0 2048 63692 /media/cdrecorder/linux/user_application_provisioning
You can change TCP to UDP and narrow down your requests to very specific items you want to target (e.g. is there an established connection from xyz.somesite.com?).
# lsof -i TCP@192.168.0.2:636
(lists LDAP connections to my server)
returns -->
java 890 root 18u IPv6 8365030 TCP myserver.somecompany.com:42936->myserver.somecompany.com:ldaps (ESTABLISHED)
ndsd 6520 root 262u IPv4 8390927 TCP myserver.somecompany.com:ldaps->myserver.somecompany.com:43123 (ESTABLISHED)
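For a routine check of what a box exposes, the "lsof -i TCP" output shown above can be boiled down to one line per listening socket, marked by whether it is bound to every interface. The script below is an added example, not part of the original tip; the function names listeners and sample_lsof, the scope labels and the extra sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): list unique TCP listeners.
# Reads "lsof -i TCP" output on stdin and prints: SCOPE USER COMMAND PID ADDRESS
listeners() {
    awk '
        $NF != "(LISTEN)" { next }      # drops the header and non-listening rows
        {
            addr = $(NF - 1)            # NAME column; safe whether or not SIZE/OFF is printed
            host = addr
            sub(/:[^:]*$/, "", host)    # strip the trailing :port
            if (host == "*")
                scope = "ALL-IFACES"    # bound to the wildcard address
            else if (host == "127.0.0.1" || host == "[::1]" || host == "localhost")
                scope = "LOCAL-ONLY"
            else
                scope = "SPECIFIC"
            if (seen[$2 SUBSEP addr]++) next   # same PID and address on another fd
            print scope, $3, $1, $2, addr
        }'
}

# Sample input: the httpd2-wo IPv6, mysqld and java rows come from the article;
# the header, the IPv4 httpd2-wo row and the postgres row are constructed.
sample_lsof() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd2-wo 7010 wwwrun 3u IPv6 14787 TCP *:http (LISTEN)
httpd2-wo 7010 wwwrun 4u IPv4 14788 TCP *:http (LISTEN)
mysqld 991 admin 3u IPv4 86990 TCP *:63306 (LISTEN)
postgres 1200 postgres 5u IPv4 90111 0t0 TCP 127.0.0.1:5432 (LISTEN)
java 890 root 18u IPv6 8365030 TCP myserver.somecompany.com:42936->myserver.somecompany.com:ldaps (ESTABLISHED)
EOF
}

# Live use on a real machine: lsof -nP -i TCP | listeners
sample_lsof | listeners
```

Saving the output from a known-good state and diffing it against a later run shows at a glance when a new listener has appeared.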