Find the PID associated with a connection

Sometimes you want to find the process ID (PID) associated with network activity on your system. For example, you may be looking at the sockets in an ESTABLISHED state and see one that cannot readily be tied to a running process.

# netstat -Aan | grep EST
702f79f0 tcp4   0    0  ESTABLISHED

The remove socket command (rmsock) was designed to clean up after an application that did not exit gracefully and left TCP sockets open with no associated process or file descriptor. In development and testing environments, use of rmsock can save valuable time. The rmsock command will not remove a socket that still has a valid file descriptor; instead, it returns the identity of the process that owns it. When we run rmsock against the socket PCB address 702f79f0 (the first column of the netstat -Aan output above), we get the following:

# rmsock 702f79f0 tcpcb

The socket 0x702f7800 is being held by process 8840 (snmpdv3ne). 
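
The two steps above can be chained so that every ESTABLISHED socket is listed with its owner. The script below is an added example, not part of the original post: the function names are hypothetical, the sample netstat lines are constructed (the addresses are placeholders), and the parser assumes rmsock prints the message format shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Read `netstat -Aan` output on stdin; print the PCB address (first column)
# of every TCP socket whose last column is ESTABLISHED.
established_pcbs() {
    awk '$1 ~ /^[0-9a-fA-F]+$/ && $2 ~ /^tcp/ && $NF == "ESTABLISHED" { print $1 }'
}

# Read rmsock output on stdin; print "PID NAME" if it names an owning
# process, otherwise print nothing and return non-zero.
rmsock_owner() {
    sed -n 's/^The socket 0x[0-9a-fA-F]* is being held by process \([0-9][0-9]*\) (\(.*\))\..*$/\1 \2/p' | grep .
}

# AIX only: report the owner of each ESTABLISHED TCP socket.
# rmsock is a cleanup tool, so this loop is not a read-only query.
map_owners() {
    netstat -Aan | established_pcbs | while read -r pcb; do
        owner=$(rmsock "$pcb" tcpcb 2>/dev/null | rmsock_owner) \
            || owner="no owning process reported"
        printf '%s %s\n' "$pcb" "$owner"
    done
}

# Constructed sample input: header and addresses are illustrative placeholders.
sample_netstat='PCB/ADDR Proto Recv-Q Send-Q  Local Address    Foreign Address   (state)
702f79f0 tcp4   0    0  192.0.2.10.4001  192.0.2.20.40112  ESTABLISHED
7030a3f0 tcp4   0    0  *.22             *.*               LISTEN'

# Demonstrate both parsers without needing an AIX host.
printf '%s\n' "$sample_netstat" | established_pcbs    # -> 702f79f0
printf '%s\n' 'The socket 0x702f7800 is being held by process 8840 (snmpdv3ne).' \
    | rmsock_owner                                    # -> 8840 snmpdv3ne
```

Call map_owners as root on the AIX host. Because rmsock only reports an owner when the socket still has a valid file descriptor and is otherwise a removal tool, treat the loop as a command that can change system state.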
