Linux – lsof doesn’t show the established TCP connection

linuxlsofnetstattcp

On my system, if I run the netstat for a port, it returns:

$ netstat -nat | grep "60964"
tcp        0      0 192.0.0.1:60964             0.0.0.0:*            LISTEN      
tcp       59      0 192.0.0.1:60964             192.0.0.6:46962      ESTABLISHED

If I run lsof:

$ lsof -i4 | grep "60964"
process_x  2585 root  189u  IPv4  12708      0t0  TCP 192.0.0.1:60964 (LISTEN)

Why is there a difference in the output here? Why isn't lsof detecting the "established" connection.

Thanks!

Edit: I should mention I am the running the above commands as root.

Best Answer

Unlike netstat, lsof requires root privileges in order to print all open ports on system. Although lsof manpage recommends lsof to be installed setuid root on Linux and setgid on BSD and many other Unixes, in fact most installations choose not to do so. (Whether those permissions should be turned on is another question.)

Therefore lsof displays connection for any process executed by current user only. To get a full list of connections, run lsof with root privilege.

Related Solutions

Linux port not accessible from remote machine

My guess is it's a firewall issue. To diagnose, either switch to root or use sudo to execute these commands described below:

Firstly, service iptables status will show you your current rules. Depending on how esoteric your firewall rules are, you may need to add them into the main question to debug but essentially you're looking for a line that accepts TCP port 8800 prior to a line that rejects all connections.

e.g.

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
...
14   ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:8800
15   REJECT     all  --  0.0.0.0/0    0.0.0.0/0      reject-with icmp-host-prohibited

If you don't have a REJECT line on your input chain, then the firewall is probably already turned off.

One way to get around this is obviously to turn off the firewall (service iptables stop) although this defeats the entire purpose of having a firewall.

If you need to add a new firewall rule, you have a couple of options:

Use the excellent Firewall Configuration tool (system-config-firewall) that ships with Fedora and can be found at the System->Administration->Firewall menu item in Gnome.
On the command line, insert a new rule before the REJECT rule by executing the following (uses numbers from my example above): iptables -I INPUT 15 -m state --state NEW -m tcp -p tcp --dport 8800 -j ACCEPT. NOTE that these changes are not permanent and will not persist beyond the next reboot.
Manually edit the /etc/sysconfig/iptables file and add a rule (-A INPUT -m state --state NEW -m tcp -p tcp --dport 8800 -j ACCEPT) to the firewall prior to the REJECT rule. Cycle the firewall service to pick up the changes via a service iptables restart. These changes will be applied every time the firewall service is started.

Is it possible for a TCP connection to remain open when the client has disconnected

TCP makes no effort to detect a dead connection except on a side that is transmitting data. It is the responsibility of the application code calling into the TCP stack to do this. What protocol is involved here? (The one on top of TCP.)

It's a horrifically ugly "solution", but you can enable TCP keepalives. There's more in this article.

Best Answer

Related Solutions

Linux port not accessible from remote machine

Is it possible for a TCP connection to remain open when the client has disconnected

Related Topic