Check Open Ports on FreeBSD


Linux Hint

In this tutorial, you’ll learn how to check open ports on FreeBSD using a handy command-line tool called Sockstat.

Sockstat is a versatile command-line utility that ships with FreeBSD. It is widely used to examine network connections and open sockets. It lists the names and status of the background and foreground processes that have opened a network port. You can filter the socket list by connection status, IP version, or the ports that specific programs are listening on, and narrow the results by socket ownership and by the descriptors of the communication sockets. Sockstat also shows the details of each Unix domain socket/IPC endpoint. Combining sockstat with the grep filter extends its functionality and helps you get the most out of it.

Let’s look at some of the neat stuff we can pull off with Sockstat on FreeBSD.

List the working Ports on FreeBSD with Sockstat

The sockstat command lists all of the sockets that are currently open on a FreeBSD system. Run sockstat without any flags or options to see the list of open sockets:

$ sockstat

Let’s take a moment to go over what each column label in the output means. The first column from the left is labeled USER, and it lists the user account (root, mysql) that owns each socket. The second column, COMMAND, lists the command that opened each socket. The PID and FD columns list the process ID and file descriptor, respectively, of each socket. The PROTO column displays the transport protocol and socket type of each open port. The last two columns are LOCAL ADDRESS and FOREIGN ADDRESS. The first lists the local IP address of each open socket, while the second shows the remote IP address connected to it.

List specific versions of Opened Ports in FreeBSD

To list open sockets for a specific IP version only, for example IPv4, add the -4 flag to the sockstat command:

$ sockstat -4

You can list other versions similarly, for example:

$ sockstat -6

This displays all IPv6 sockets.

List the open sockets based on TCP/UDP in FreeBSD

Add the -P flag to the sockstat command to filter the list of open sockets by protocol, such as TCP or UDP. The flag takes the protocol's name as its argument, which you can look up in the /etc/protocols file. To list only TCP sockets, type the following command:

$ sockstat -P tcp

Similarly, you can list only UDP sockets:

$ sockstat -P udp

These two can be combined in a single command:

$ sockstat -P tcp,udp

As of yet, sockstat doesn’t extend its support to the ICMP protocol.

Display sockets with specific Port Numbers

To see the open sockets, TCP or UDP, filtered by port number (local or foreign), add the -p flag followed by the port numbers:

$ sockstat -P tcp -p 443
$ sockstat -P udp -p 53
$ sockstat -P tcp -p 443,53,80,21

In the above commands, the first one shows the TCP HTTPS port, the second one shows the UDP DNS port, while the third one lists TCP sockets on several ports at once (443, 53, 80 and 21).

See the open ports being listened to on FreeBSD

With the -l flag added to the sockstat command, you are shown every socket that is currently listening across the protocol suite, along with all open UNIX domain sockets and any named pipes.

$ sockstat -l

List the ports actively listening on the network

Add the -l and -s flags to the sockstat command to list the open TCP ports along with their listening status.

$ sockstat -46 -l -s

No state is shown for UDP sockets: UDP is a connectionless protocol, so it retains no data on listening status.
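A practical use of the listening-socket list is to compare it against the services you expect to be running. The script below is an added example, not part of the original article: it parses `sockstat -46 -l` style output and prints every listener that is not on an allowlist. The sample output, the `ALLOWED` list and the function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `sockstat -46 -l` output (not from a real host).
sample_listen() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       800   3  tcp6   *:22                  *:*
root     sshd       800   4  tcp4   *:22                  *:*
www      nginx      1234  6  tcp4   *:443                 *:*
mysql    mysqld     950   22 tcp4   127.0.0.1:3306        *:*
ntpd     ntpd       701   20 udp4   *:123                 *:*
nobody   python3.9  4242  3  tcp4   *:8000                *:*
EOF
}

# Hypothetical allowlist of expected listeners, as command:proto:port.
ALLOWED="sshd:tcp:22 nginx:tcp:443 mysqld:tcp:3306 ntpd:udp:123"

# Read sockstat output on stdin; print "user command pid proto addr:port"
# for each listening socket that is not in $ALLOWED.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "USER" || NF < 7 { next }          # skip header and short rows
        {
            proto = $5; sub(/[46]+$/, "", proto) # tcp4, tcp6, tcp46 -> tcp
            port = $6;  sub(/^.*:/, "", port)    # text after the last colon
            addr = $6;  sub(/:[^:]*$/, "", addr) # bind address, "*" = all
            key = $2 ":" proto ":" port
            if (!(key in ok)) print $1, $2, $3, proto, addr ":" port
        }
    ' | sort -u
}

# Demo on the constructed sample. On a live FreeBSD host:
#   sockstat -46 -l | unexpected_listeners
sample_listen | unexpected_listeners
```

The bind address is kept in the report because a listener on `*` is reachable on every interface, while one on 127.0.0.1 is only reachable locally.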

Arrange open ports by the app/command using them

This is where pairing the sockstat command with the grep utility comes in handy: with grep, you can list the open ports by the application currently using them.

The command to list the open ports belonging to the ntpd server is:

$ sockstat -46 | grep ntpd

You can make the listing more specific, so that it displays only connected sockets, by adding the -c flag to the above command:

$ sockstat -46 -c | grep ntpd

Display all Unix Sockets

List all the Unix domain sockets by adding the -u flag to the sockstat command:

$ sockstat -u

This should also display the named pipes along with the Unix Sockets.

Arrange open ports by HTTPS Connected Protocols

To list the connected sockets on the HTTPS port (TCP 443) together with their connection state, use the command below:

$ sockstat -46 -s -P TCP -p 443 -c

List HTTP Remote Sockets

You can also list all of the remote sockets currently using the HTTP protocol (ports 80 and 443). Run either one of the following commands in the terminal:

$ sockstat -46 -c | egrep '80|443' | awk '{print $7}' | sort | uniq -c | sort -nr
$ sockstat -46 -c -p 80,443 | grep -v ADDRESS | awk '{print $7}' | sort | uniq -c | sort -nr

Find the number of times an IP address sent requests

To find out how many connection requests have been received from each IP address, you can run the following command:

$ sockstat -46 -c | egrep '80|443' | awk '{print $7}' | cut -d: -f1 | sort | uniq -c | sort -n

An unusually high number of connection requests from a single IP address can point to malicious intent, and is your cue to raise the alert level and follow the appropriate safety protocols.
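The one-liner above has two rough edges worth knowing about: `egrep '80|443'` matches any line containing those digits (a local port such as 58080, for instance), and `cut -d: -f1` truncates IPv6 addresses at their first colon. The script below is an added example, not part of the original article, that matches the local port exactly and strips only the trailing port from the remote address. The sample output, function names and threshold are constructed for illustration, and sockstat only shows connections open at the moment it runs.

```sh
#!/bin/sh
# Constructed sample of `sockstat -46 -c` output (documentation addresses).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      1234  6  tcp4   192.0.2.10:443        198.51.100.7:51234
www      nginx      1234  7  tcp4   192.0.2.10:443        203.0.113.9:40022
www      nginx      1234  8  tcp4   192.0.2.10:80         198.51.100.7:51240
www      nginx      1234  9  tcp6   2001:db8::10:443      2001:db8::99:50100
www      nginx      1234  10 tcp4   192.0.2.10:443        198.51.100.7:51288
root     sshd       800   4  tcp4   192.0.2.10:22         203.0.113.9:44380
www      fetch      1500  3  tcp4   192.0.2.10:58080      203.0.113.50:443
EOF
}

# Count connections per remote address whose LOCAL port is in the given
# comma-separated list (default 80,443). Prints "count address", busiest first.
count_remote() {
    awk -v ports="${1:-80,443}" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "USER" || NF < 7 { next }           # skip header and short rows
        {
            lport = $6; sub(/^.*:/, "", lport)    # text after the last colon
            if (!(lport in want)) next            # exact port match only
            raddr = $7; sub(/:[^:]*$/, "", raddr) # drop ":port", keep IPv6 colons
            count[raddr]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -k1,1nr -k2,2
}

# Print only the addresses with at least $1 connections (ports optional in $2).
over_threshold() {
    count_remote "$2" | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed sample. On a live FreeBSD host:
#   sockstat -46 -c | over_threshold 50
sample_sockstat | count_remote
```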

Send a DNS query from TCP socket

You can send a DNS query using the TCP socket on the console, provided that the network is free of any DNS traffic. Run the command below:

$ dig +tcp www.domain.com @127.0.0.1

Wrapping up

So, you’ve learned a whole lot about using the sockstat command and its variations with flags and switches. You also saw how it can present network diagnostics in different ways, and how to use this information for multifaceted troubleshooting in FreeBSD. That’s a lot in itself, but now that you’re familiar with it, you should consider combining the sockstat command with other powerful command-line tools, such as netstat and lsof.
