reading TCP connection list from /proc
Clash Royale CLAN TAG#URR8PPP
I'm trying to implement code that enumerate all existing TCP connections per process (similar to netstat -lptn).
I prefer to implement it myself and not to rely on netstat.
In order to do that, I'm parsing data from /proc/<PID>/net/tcp.
I saw that a number of TCP connections are listed under /proc/<PID>/net/tcp but not listed by netstat -lptn command.
Can someone please explain why that happens?
For example I see that /proc/1/net/tcp and /proc/2/net/tcp have several TCP connections (tried on Ubuntu 16).
As I understand, /proc/1/net/tcp is related to the /sbin/init process which should not have any TCP connection.
The /proc/2/net/tcp is related to kthreadd which also should not have any TCP connection.
linux networking netstat proc
asked Jan 16 at 7:07
DimaDima
1133
migrated from serverfault.com Jan 31 at 11:29
This question came from our site for system and network administrators.
add a comment |
I'm trying to implement code that enumerate all existing TCP connections per process (similar to netstat -lptn).
I prefer to implement it myself and not to rely on netstat.
In order to do that, I'm parsing data from /proc/<PID>/net/tcp.
I saw that a number of TCP connections are listed under /proc/<PID>/net/tcp but not listed by netstat -lptn command.
Can someone please explain why that happens?
For example I see that /proc/1/net/tcp and /proc/2/net/tcp have several TCP connections (tried on Ubuntu 16).
As I understand, /proc/1/net/tcp is related to the /sbin/init process which should not have any TCP connection.
The /proc/2/net/tcp is related to kthreadd which also should not have any TCP connection.
linux networking netstat proc
asked Jan 16 at 7:07
DimaDima
1133
migrated from serverfault.com Jan 31 at 11:29
This question came from our site for system and network administrators.
add a comment |
I'm trying to implement code that enumerate all existing TCP connections per process (similar to netstat -lptn).
I prefer to implement it myself and not to rely on netstat.
In order to do that, I'm parsing data from /proc/<PID>/net/tcp.
I saw that a number of TCP connections are listed under /proc/<PID>/net/tcp but not listed by netstat -lptn command.
Can someone please explain why that happens?
For example I see that /proc/1/net/tcp and /proc/2/net/tcp have several TCP connections (tried on Ubuntu 16).
As I understand, /proc/1/net/tcp is related to the /sbin/init process which should not have any TCP connection.
The /proc/2/net/tcp is related to kthreadd which also should not have any TCP connection.
linux networking netstat proc
asked Jan 16 at 7:07
DimaDima
1133
I'm trying to implement code that enumerate all existing TCP connections per process (similar to netstat -lptn).
I prefer to implement it myself and not to rely on netstat.
In order to do that, I'm parsing data from /proc/<PID>/net/tcp.
I saw that a number of TCP connections are listed under /proc/<PID>/net/tcp but not listed by netstat -lptn command.
Can someone please explain why that happens?
For example I see that /proc/1/net/tcp and /proc/2/net/tcp have several TCP connections (tried on Ubuntu 16).
As I understand, /proc/1/net/tcp is related to the /sbin/init process which should not have any TCP connection.
The /proc/2/net/tcp is related to kthreadd which also should not have any TCP connection.
linux networking netstat proc
linux networking netstat proc
asked Jan 16 at 7:07
DimaDima
1133
asked Jan 16 at 7:07
DimaDima
1133
asked Jan 16 at 7:07
DimaDima
1133
asked Jan 16 at 7:07
DimaDima
1133
asked Jan 16 at 7:07
DimaDima
1133
1133
migrated from serverfault.com Jan 31 at 11:29
This question came from our site for system and network administrators.
migrated from serverfault.com Jan 31 at 11:29
This question came from our site for system and network administrators.
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
There are many misunderstandings in your approach. I'll go over them one by one.
- Sockets are not associated with a specific process. When a socket is created its reference count is 1. But through different methods such as
dup2,fork, and file descriptor passing it's possible to create many references to the same socket causing its reference count to increase. Some of these references can be from an open file descriptor table, which itself can be used by many threads. Those threads may belong to the same thread group (PID) or different thread groups. When you use the-pflag fornetstatit will enumerate the sockets accessible to each process and try to find a process for each known socket. If there are multiple candidate processes, there is no guarantee that it shows the process you are interested in. /proc/<PID>/net/tcpdoes not only list sockets related to that process. It lists all TCPv4 sockets in the network namespace which that process belongs to. In the default configuration all processes on the system will belong to a single network namespace, so you'll see the same result with any PID. This also explains why a thread/process which doesn't use networking has contents in this file. Even if it doesn't use networking itself it still belongs to a network namespace in which other processes may use networking./proc/<PID>/net/tcpcontains both listening and connected sockets. When you pass-ltonetstatit will show you only listening sockets. To match the output closer you'd need-arather than-l./proc/<PID>/net/tcpcontains only TCPv4 sockets. You need to use/proc/<PID>/net/tcp6as well to see all TCP sockets.
If you are only interested in sockets in the same namespace as your own process you don't need to iterate through different PIDs. You can instead use /proc/net/tcp and /proc/net/tcp6 since /proc/net is a symlink to /proc/self/net.
answered Jan 16 at 7:41
kasperdkasperd
2,45011127
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f497912%2freading-tcp-connection-list-from-proc%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
There are many misunderstandings in your approach. I'll go over them one by one.
- Sockets are not associated with a specific process. When a socket is created its reference count is 1. But through different methods such as
dup2,fork, and file descriptor passing it's possible to create many references to the same socket causing its reference count to increase. Some of these references can be from an open file descriptor table, which itself can be used by many threads. Those threads may belong to the same thread group (PID) or different thread groups. When you use the-pflag fornetstatit will enumerate the sockets accessible to each process and try to find a process for each known socket. If there are multiple candidate processes, there is no guarantee that it shows the process you are interested in. /proc/<PID>/net/tcpdoes not only list sockets related to that process. It lists all TCPv4 sockets in the network namespace which that process belongs to. In the default configuration all processes on the system will belong to a single network namespace, so you'll see the same result with any PID. This also explains why a thread/process which doesn't use networking has contents in this file. Even if it doesn't use networking itself it still belongs to a network namespace in which other processes may use networking./proc/<PID>/net/tcpcontains both listening and connected sockets. When you pass-ltonetstatit will show you only listening sockets. To match the output closer you'd need-arather than-l./proc/<PID>/net/tcpcontains only TCPv4 sockets. You need to use/proc/<PID>/net/tcp6as well to see all TCP sockets.
If you are only interested in sockets in the same namespace as your own process you don't need to iterate through different PIDs. You can instead use /proc/net/tcp and /proc/net/tcp6 since /proc/net is a symlink to /proc/self/net.
answered Jan 16 at 7:41
kasperdkasperd
2,45011127
add a comment |
There are many misunderstandings in your approach. I'll go over them one by one.
- Sockets are not associated with a specific process. When a socket is created its reference count is 1. But through different methods such as
dup2,fork, and file descriptor passing it's possible to create many references to the same socket causing its reference count to increase. Some of these references can be from an open file descriptor table, which itself can be used by many threads. Those threads may belong to the same thread group (PID) or different thread groups. When you use the-pflag fornetstatit will enumerate the sockets accessible to each process and try to find a process for each known socket. If there are multiple candidate processes, there is no guarantee that it shows the process you are interested in. /proc/<PID>/net/tcpdoes not only list sockets related to that process. It lists all TCPv4 sockets in the network namespace which that process belongs to. In the default configuration all processes on the system will belong to a single network namespace, so you'll see the same result with any PID. This also explains why a thread/process which doesn't use networking has contents in this file. Even if it doesn't use networking itself it still belongs to a network namespace in which other processes may use networking./proc/<PID>/net/tcpcontains both listening and connected sockets. When you pass-ltonetstatit will show you only listening sockets. To match the output closer you'd need-arather than-l./proc/<PID>/net/tcpcontains only TCPv4 sockets. You need to use/proc/<PID>/net/tcp6as well to see all TCP sockets.
If you are only interested in sockets in the same namespace as your own process you don't need to iterate through different PIDs. You can instead use /proc/net/tcp and /proc/net/tcp6 since /proc/net is a symlink to /proc/self/net.
answered Jan 16 at 7:41
kasperdkasperd
2,45011127
add a comment |
There are many misunderstandings in your approach. I'll go over them one by one.
- Sockets are not associated with a specific process. When a socket is created its reference count is 1. But through different methods such as
dup2,fork, and file descriptor passing it's possible to create many references to the same socket causing its reference count to increase. Some of these references can be from an open file descriptor table, which itself can be used by many threads. Those threads may belong to the same thread group (PID) or different thread groups. When you use the-pflag fornetstatit will enumerate the sockets accessible to each process and try to find a process for each known socket. If there are multiple candidate processes, there is no guarantee that it shows the process you are interested in. /proc/<PID>/net/tcpdoes not only list sockets related to that process. It lists all TCPv4 sockets in the network namespace which that process belongs to. In the default configuration all processes on the system will belong to a single network namespace, so you'll see the same result with any PID. This also explains why a thread/process which doesn't use networking has contents in this file. Even if it doesn't use networking itself it still belongs to a network namespace in which other processes may use networking./proc/<PID>/net/tcpcontains both listening and connected sockets. When you pass-ltonetstatit will show you only listening sockets. To match the output closer you'd need-arather than-l./proc/<PID>/net/tcpcontains only TCPv4 sockets. You need to use/proc/<PID>/net/tcp6as well to see all TCP sockets.
If you are only interested in sockets in the same namespace as your own process you don't need to iterate through different PIDs. You can instead use /proc/net/tcp and /proc/net/tcp6 since /proc/net is a symlink to /proc/self/net.
answered Jan 16 at 7:41
kasperdkasperd
2,45011127
There are many misunderstandings in your approach. I'll go over them one by one.
- Sockets are not associated with a specific process. When a socket is created its reference count is 1. But through different methods such as
dup2,fork, and file descriptor passing it's possible to create many references to the same socket causing its reference count to increase. Some of these references can be from an open file descriptor table, which itself can be used by many threads. Those threads may belong to the same thread group (PID) or different thread groups. When you use the-pflag fornetstatit will enumerate the sockets accessible to each process and try to find a process for each known socket. If there are multiple candidate processes, there is no guarantee that it shows the process you are interested in. /proc/<PID>/net/tcpdoes not only list sockets related to that process. It lists all TCPv4 sockets in the network namespace which that process belongs to. In the default configuration all processes on the system will belong to a single network namespace, so you'll see the same result with any PID. This also explains why a thread/process which doesn't use networking has contents in this file. Even if it doesn't use networking itself it still belongs to a network namespace in which other processes may use networking./proc/<PID>/net/tcpcontains both listening and connected sockets. When you pass-ltonetstatit will show you only listening sockets. To match the output closer you'd need-arather than-l./proc/<PID>/net/tcpcontains only TCPv4 sockets. You need to use/proc/<PID>/net/tcp6as well to see all TCP sockets.
If you are only interested in sockets in the same namespace as your own process you don't need to iterate through different PIDs. You can instead use /proc/net/tcp and /proc/net/tcp6 since /proc/net is a symlink to /proc/self/net.
answered Jan 16 at 7:41
kasperdkasperd
2,45011127
answered Jan 16 at 7:41
kasperdkasperd
2,45011127
answered Jan 16 at 7:41
kasperdkasperd
2,45011127
answered Jan 16 at 7:41
kasperdkasperd
2,45011127
2,45011127
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f497912%2freading-tcp-connection-list-from-proc%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown