{"id":596,"date":"2012-09-25T23:10:07","date_gmt":"2012-09-25T23:10:07","guid":{"rendered":"https:\/\/trouble.org\/?p=596"},"modified":"2012-09-25T23:10:07","modified_gmt":"2012-09-25T23:10:07","slug":"lsof-lite-iiii","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=596","title":{"rendered":"lsof lite I\/III"},"content":{"rendered":"

After beating on some really anemic linux installations that had… well, just about nothing installed (one didn’t have “tr”, one didn’t have “df”, etc… come on, that’s pretty sad ;)), I decided to start writing some shell scripts in very, very basic shell (you can do a lot with shell, awk, and sed!)<\/p>\n

Here’s one that while not perfect, at least seems to work (so far!) – I <3 lsof<\/a>, but it turns out you can get a bit of its functionality via \/proc (plus it saved me from cursing more at the stupid people who made it so fucking difficult to make a cross compiled frickin’ static binary.) Here’s one that shows all the network connections and tries to show the pid associated with them. I didn’t bother trying to make it really work, hoping that I’d stop fooling around with these damn things, but it was useful enough to post. It currently also doesn’t distinguish on the interface, so ports open on 127.0.0.1, say, are listed. That said, try doing this by hand, esp without netstat -p, lsof, nn, and all the other billion tools that do this for you. Bleah.<\/p>\n

Ouput looks something like:<\/p>\n

[WPCM450 ~]$ .\/lsof-net-pid.sh
\ncollecting port data...
\nmachine is listening on:
\ntcp:     8195   1317 = \/usr\/local\/bin\/guiDataServer
\n        1391 = \/usr\/local\/bin\/guiDataServer
\n        1392 = \/usr\/local\/bin\/guiDataServer
\n        3925 = \/usr\/local\/bin\/guiDataServer
\ntcp:     5988   1162 = \/sbin\/sfcbd -d
\ntcp:     22 1263 = \/sbin\/sshd -g 60
\ntcp:     22 6536 = sshd: root@pts\/0
\n[...]<\/div><\/div>\n

Script below. Blindingly fast on a real system, dog slow on a BMC, say :) Should be sorted, should be not necessary, too.<\/p>\n

:
\n
\n#<\/span>
\n# busybox - find network ports being listened to by pid<\/span>
\n#<\/span>
\n
\nfd<\/span>="\/proc\/*\/fd"<\/span>
\n
\n#<\/span>
\n# list of all the stuff everyone is listening to<\/span>
\n#<\/span>
\necho<\/span> "collecting port data..."<\/span>
\n
\n# slooow... jumping through more hoops than michael jordon.. ls will produce lines like:<\/span>
\n#<\/span>
\n# [...]<\/span>
\n# \/proc\/1261\/fd:<\/span>
\n# \/proc\/1262\/fd:<\/span>
\n# \/proc\/1263\/fd:<\/span>
\n#  0 lrwx------    1 root     root           64 Sep 25 15:03 3 -> socket:[4535]<\/span>
\n# [...]<\/span>
\n#<\/span>
\n# this will have matching pairs of pid's & inodes of sockets<\/span>
\n#<\/span>
\n# grab the line before the match as the pid, since ls won't say what is going on<\/span>
\n# and find won't work on this<\/span>
\n#<\/span>
\nall_sox<\/span>=`<\/span>ls<\/span> -asl<\/span> \/<\/span>proc\/<\/span>[<\/span>0<\/span>-9<\/span>]<\/span>*\/<\/span>fd 2<\/span>><\/span> \/<\/span>dev\/<\/span>null |<\/span> egrep<\/span> 'socket:|fd'<\/span> |<\/span>  awk<\/span> '{ if (\/fd:\/) { split($1,fd,"\/"); } if (\/socket\/) print fd[3], $NF ; }'<\/span> |<\/span> sed<\/span> -e<\/span> 's\/socket:\\[\/\/'<\/span> -e<\/span> 's\/\\]\/\/'<\/span>`<\/span>
\n
\necho<\/span> "machine is listening on:"<\/span>
\ngrep<\/span> -v<\/span> local_address \/<\/span>proc\/<\/span>net\/<\/span>?[<\/span>cd<\/span>]<\/span>p*<\/span> |<\/span> awk<\/span> '{print $1, $3, $11}'<\/span> |<\/span> while<\/span> read<\/span> proto port inode ; do<\/span>
\n   if<\/span> [<\/span> "X$proto<\/span>"<\/span> !<\/span>= "X"<\/span> ]<\/span> ; then<\/span>
\n   
\n     # echo "$proto, $port, $inode"<\/span>
\n   
\n     echo<\/span> -n<\/span> $proto<\/span> |<\/span> sed<\/span> -e<\/span> 's@^.*net\/@@'<\/span> -e<\/span> 's\/:\/\/'<\/span>
\n     echo<\/span> -n<\/span> ":"<\/span>
\n     
\n     #<\/span>
\n     # more busybox hoop jumping... sometimes like ice skating with roller skates<\/span>
\n     #<\/span>
\n     # the amazing sed+ stuff courtesy of http:\/\/stackoverflow.com\/questions\/3675012\/hex-to-dec-con<\/span>
\n     #<\/span>
\n     echo<\/span> $port<\/span> |<\/span> awk<\/span> -F: '{print $2}'<\/span> |<\/span> sed<\/span> 's,\\(..\\)\\(..\\)\\(..\\)\\(..\\),\\4\\3\\2\\1,g'<\/span> |<\/span> (<\/span>read<\/span> hex; echo<\/span> -en<\/span> "\\t<\/span>"<\/span> $(<\/span>(<\/span> 0x${hex}<\/span> )<\/span>)<\/span>)<\/span>
\n
\n     if<\/span> [<\/span> "X$inode<\/span>"<\/span> !<\/span>= "X"<\/span> ]<\/span> ; then<\/span>
\n
\n        pid<\/span>=`<\/span>echo<\/span> "$all_sox<\/span>"<\/span> |<\/span> grep<\/span> " $inode<\/span>"<\/span>`<\/span>
\n
\n# fd=`ls -asl \/proc\/[0-9]*\/fd 2> \/dev\/null | egrep 'socket:\\[4535\\]|fd' |  awk '{ if (\/fd:\/) { split($1,fd,"\/"); } if (\/socket\/) print "FD: ", fd[3]; }'`<\/span>
\n
\n        if<\/span> [<\/span> "X$pid<\/span>"<\/span> == "X"<\/span> ]<\/span> ; then<\/span>
\n           echo<\/span> -e<\/span> "\\t<\/span>*** can't find process for inode $inode<\/span> ***"<\/span>
\n        else<\/span>
\n
\n           matching_pids<\/span>=`<\/span>echo<\/span> "$pid<\/span>"<\/span> |<\/span> awk<\/span> '{ pids=sprintf("%s %s", pids, $1);} END { print pids }'<\/span>`<\/span>
\n 
\n           # echo "MATCHING: $matching_pids"<\/span>
\n   
\n           spacing<\/span>="\\\\t<\/span>"<\/span>
\n           for<\/span> p in<\/span> $matching_pids<\/span> ; do<\/span>
\n              if<\/span> [<\/span> -f<\/span> \/<\/span>proc\/<\/span>$p<\/span>\/<\/span>cmdline ]<\/span> ; then<\/span>
\n                 name<\/span>=`<\/span>tr<\/span> '\\000'<\/span> " "<\/span> <<\/span>  \/<\/span>proc\/<\/span>$p<\/span>\/<\/span>cmdline |<\/span> sed<\/span> 's\/ *$\/\/'<\/span> `<\/span>
\n              else<\/span>
\n                 name<\/span>="?"<\/span>
\n              fi<\/span>
\n              echo<\/span> -e<\/span> "$spacing<\/span>$p<\/span> = $name<\/span>"<\/span>
\n              spacing<\/span>="\\\\t<\/span>\\\\t<\/span>"<\/span>
\n           done<\/span>
\n
\n         fi<\/span>
\n      else<\/span>
\n         echo<\/span> "no inode found associated with port $port<\/span>"<\/span>
\n      fi<\/span>
\n   fi<\/span>
\n   done<\/span><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

After beating on some really anemic linux installations that had… well, just about nothing installed (one didn’t have “tr”, one didn’t have “df”, etc… come on, that’s pretty sad ;)), I decided to start writing some shell scripts in very, very basic shell (you can do a lot with shell, awk, and sed!) Here’s one […]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,154,4,6],"tags":[158,157,334,155,156],"class_list":["post-596","post","type-post","status-publish","format-standard","hentry","category-code","category-ipmi-2","category-security","category-tech","tag-bmc","tag-busybox","tag-hack","tag-lsof","tag-shell"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=596"}],"version-history":[{"count":6,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/596\/revisions"}],"predecessor-version":[{"id":616,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/596\/revisions\/616"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=596"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=596"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}