lsof – Understanding ‘sock’ Lines in lsof Output

This line is displayed when lsof cannot find additional informations on the TCP socket: it knows it's a TCP socket but not more.

There are two reasons I can think of:

• Unlikely: the socket is still not listening nor connecting: ie a server or client used for example socket(AF_INET, SOCK_STREAM, 0) to create a TCP socket but didn't call yet listen(2) or connect(2). This could be caused by lack of resources or a buggy software.

• Most likely today: the process seen by lsof runs in an other network namespace, typically in a container (Docker, LXC, LXD ...) and thus lsof doesn't have access to the relevant information and doesn't display it.

  You should then run lsof from the same network namespace as the process. The lsns and nsenter commands can greatly help for this. For your case this would then probably work:

    nsenter -t 829 --net lsof -n -p 829
  

In normal cases lsof would display IPv4 or IPv6 instead of sock and would have additional informations, like listening port or addresses involved. Even a connection still ongoing would be displayed with the addresses involved and for example SYN_SENT.