Giving a meaning to port scans

I am a strong advocate of judgment being the best anti-virus, anti-trojan, anti-worm and anti-etc, but when it comes to protection against intrusion well, judgement cannot be of any help, so I put my trust in firewalls. However, I have lately seen many of my 8-thoushandish (8000, 8001, 8002) ports that I use for development http servers being taken by unknown programs.

In order to identify the culprits, I portscanned all my interfaces (you can do that with nmap) in order to find the associated protocols in the hope that this would give me hints on what processes are to blame. Turns out portscans just give you the name of the protocol that is registed with that port through IANA, which gives you no guaranty the process bound to this port is using that particular protocol (I momentarily had forgotten that TCP and UDP do not care for what they transport). For instance, 8000 is reserved for irdmi, which seems to be lost technology as no ones has clue on what the hell its for.

The commands that are actually needed to find what process owns what port under *nix OSes (beside netstat, whose output I find painful to read) is lsof (list open files):

sudo lsof -i | grep “number of port”

or

sudo lsof -i | grep “protocol name”

If the port has an associated protocol, lsof will use the name of the protocol instead of the number. The output you get, when not piping to grep of course, is a list of every file (ports, sockets, ttys,, RS-232, etc are considered files by *nix OSes) open on your system with the number and name of the process that owns it.

So in the end, 8000 and 8002 belonged to eclipse while 8001 was Camino’s.

Leave a Reply

Your email address will not be published. Required fields are marked *