In CentOS 7, I use netstat -an to check the network services:
[root@localhost etc]# netstat -an | grep ESTABLISHED
udp 0 0 192.168.1.25:41136 61.216.153.106:123 ESTABLISHED
udp 0 0 192.168.1.25:59141 202.112.29.82:123 ESTABLISHED
udp 0 0 192.168.1.25:53680 115.28.122.198:123 ESTABLISHED
udp 0 0 192.168.1.25:34255 42.51.22.35:123 ESTABLISHED
You can see up there the ephemeral 41136 port. If a service uses port 3306 we can know it is MySQL, if the port is 8080 we can know it is Tomcat, but how about the ephemeral ports? How can we know which service is associated with these ports?
Best Answer
As for ephemeral ports:
Looking at the destination on the TCP/IP tuple as in the example you ask:
You can see it is the current machine using an NTP service UDP/123 on a remote server.
Or else, it is your machine doing an NTP request to an NTP server in China.
Actually, all those 4 lines are connections to NTP servers in China.
Usually, with the majority of protocols, when the known port service is on your side (first), you usually are the server receiving the connection, and the ephemeral port is on the right side; when it is the contrary, often it is your server that is using a remote service.
(Is your server in China? If not I would worry about possible malware)
You can also take out the -n, for resolving IP addresses/DNS and service names; however, be aware that it introduces a noticeable lag in a machine/server with many connections (and/or with a slow DNS service). To have a feel of the difference, I adapted your original netstat output for a possible output without -n:
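Separately from the answer above, an added example (not part of the original post) that applies its rule of thumb to netstat -an rows: the side holding the well-known port names the service, and the other side is the ephemeral client port. The port map and the ephemeral range are assumptions, and every sample row except the first is constructed.

```python
# Added example: classify `netstat -an` rows by which side holds the well-known port.
# Assumption: a small constructed port map; a real host would consult /etc/services.
KNOWN_PORTS = {22: "ssh", 123: "ntp", 3306: "mysql", 8080: "tomcat"}
# Assumption: common Linux ephemeral range; the live value is in
# /proc/sys/net/ipv4/ip_local_port_range.
EPHEMERAL = range(32768, 61000)

# First row is from the question; the other rows are constructed for illustration.
SAMPLE = """\
udp 0 0 192.168.1.25:41136 61.216.153.106:123 ESTABLISHED
tcp 0 0 192.168.1.25:3306 192.168.1.40:51514 ESTABLISHED
tcp 0 0 192.168.1.25:45000 192.168.1.41:46000 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
"""

def parse_port(endpoint):
    """Return the port of 'addr:port' (IPv6 ':::22' also works), or None for '*'."""
    port = endpoint.rpartition(":")[2]
    return int(port) if port.isdigit() else None

def classify(line):
    """Map one netstat row to (role, service, local_port_is_ephemeral)."""
    fields = line.split()
    if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
        return None  # header or non-socket line
    lport, rport = parse_port(fields[3]), parse_port(fields[4])
    if lport is None or rport is None:
        return None  # listening or unconnected socket, no peer to compare
    local_svc, remote_svc = KNOWN_PORTS.get(lport), KNOWN_PORTS.get(rport)
    ephemeral = lport in EPHEMERAL
    if remote_svc and not local_svc:
        return ("client", remote_svc, ephemeral)  # this host uses a remote service
    if local_svc and not remote_svc:
        return ("server", local_svc, ephemeral)   # this host serves the peer
    return ("unknown", None, ephemeral)           # neither or both sides well-known

def classify_all(text):
    """Classify every socket row in a block of netstat output."""
    return [r for r in map(classify, text.splitlines()) if r is not None]

if __name__ == "__main__":
    for row in classify_all(SAMPLE):
        print(row)
```

Rows that come back as "unknown" are the ones the port heuristic cannot name; on the live host, netstat -anp (run as root) adds a PID/Program name column showing which process owns each socket.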