Ubuntu – Check which process has open SCTP port in Linux

networkingUbuntu

Using Ubuntu Server 16. Something on my machine has an SCTP port open, and I need to find it and kill it (without rebooting).

lsof doesn't show SCTP sockets, only TCP and UDP.

I'm looking through all these network utilities, and SCTP support is surprisingly scarce for such an old standard. I got netstat to work with SCTP by building the bleeding edge net-tools from here. sudo netstat --sctp -tulpn shows some open SCTP connections but doesn't say which process has them. It only shows the PIDs for UDP and TCP sockets.

Best Answer

Sort of a hacky roundabout way but it seems to work for me. Hoping someone will find a better way, but my first thoughts (ss/netstat) don't seem to acknowledge SCTP.

First, use procfs to find the inode of the sctp connection:

$ cat /proc/net/sctp/eps
 ENDPT     SOCK   STY SST HBKT LPORT   UID INODE LADDRS
b6d72780 a8903800 2   10  48   123       0 1895802 0.0.0.0

Take that inode (1895802 in my example) and use lsof to find who owns it:

$ lsof -R | grep 1895802
socat      8697        2045             root    5u     sock    1895802      0t0       SCTP ENDPT: b6d72780 0.0.0.0[123]

As you can see, I was using socat to make a socket listening on 123/sctp. 8697 is the pid.

Related Solutions

TCP – Troubleshooting TCP Issues on a Linux Laptop

In the capture you provided, the Time Stamp Echo Reply in the SYN-ACK in the second packet doesn't match the TSVal in the SYN in the first packet and is a few seconds behind.

And see how all the TSecr sent by both 173.194.70.108 and 209.85.148.100 are all the same and irrelevant from the TSVal you send.

It looks like there's something that mingles with the TCP timestamps. I have no idea what may be causing that, but it sounds like it is outside your machine. Does rebooting the router help in this instance?

I don't know if it's what's causing your machine to send a RST (on the 3rd packet). But it definitely doesn't like that SYN-ACK, and it's the only thing wrong I can find about it. The only other explanation I can think of is if it's not your machine that is sending the RST but given the time difference between the SYN-ACK and RST I would doubt so. But just in case, do you use virtual machines or containers or network namespaces on this machine?

You could try disabling TCP timestamps altogether to see if that helps:

sudo sysctl -w net.ipv4.tcp_timestamps=0

So, either those sites send bogus TSecr or there's something on the way there (any router on the way, or transparent proxy) that mangles either the outgoing TSVal or the incoming TSecr, or a proxy with a bogus TCP stack. Why one would mangle the tcp timestamps I can only speculate: bug, intrusion detection evasion, a too-smart/bogus traffic shaping algorithm. That's not something I've heard of before (but then I'm no expert on the subject).

How to investigate further:

See if the TPLink router is to blame why resetting it to see if that helps or capture the traffic on the outside as well if possible to see if it does mangle the timestamps
Check whether there's a transparent proxy on the way by playing with TTLs, looking at request headers received by web servers or see behaviour when requesting dead websites.
capture traffic on a remote web server to see if it's the TSVal or TSecr that is mangled.

Accounting for /proc/net/dev reported traffic

When dealing with applications that are using up network bandwidth the best tool I've come across for tying back utilization to specific apps has got to be nethogs.

You can use ip link show or netstat -i to find out your network interface names.

$ netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
em1       1500        0      0      0 0             0      0      0      0 BMU
lo       65536    81375      0      0 0         81375      0      0      0 LRU
virbr0    1500        0      0      0 0             0      0      0      0 BMU
wlp3s0    1500  2264942      0      0 0       2376236      0      0      0 BMRU

My wireless on my Fedora 19 laptop is wlp3s0, so we tell nethogs to watch that:

$ sudo nethogs wlp3s0

As you let nethogs run it will start to show you the applications that are consuming your network bandwidth.

Best Answer

Related Solutions

TCP – Troubleshooting TCP Issues on a Linux Laptop

Accounting for /proc/net/dev reported traffic

Related Question