IBM Support

Finding which program is using a port in AIX

Troubleshooting


Problem

This solution shows how to determine which process is connected to a socket on an AIX box. This procedure is useful when it's not clear which process on a server is the client that's generating a specific operation in the audit.log.

Resolving The Problem

It's not uncommon to find a rogue client operation that causes serious problems for the server. For example, there can be an unidentified client that sends a full subtree search without any filters:

ldapsearch -D <bind_dn> -w <passwd> -b o=ibm,c=us objectclass=*

If the specific subtree is large, a search like this can cause performance slowdowns that adversely affect other clients. The audit.log, if enabled, prints the IP address and port that the client is connected on; however, that's not always enough to identify the client. Here's an example of determining the process that is connecting from the local server to ibmslapd on an AIX box:

1. The audit.log entry (note the client: 127.0.0.1:60983 entry):

AuditV3--2007-05-11-11:44:49.595-06:00DST--V3 Bind--bindDN:
cn=root--client: 127.0.0.1:60983--connectionID: 24--received:
2007-05-11-11:44:49.591-06:00DST--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
name: cn=root
authenticationChoice: simple

2.a. If the "lsof" command is available on your AIX system (it is available on the AIX expansion pack; check with your AIX administrator), you can use:

root@foo > lsof -P | grep 60983

The second column shows the PID number. Then go to step 3.

2.b. Using "netstat" with the -A flag to return the address of the protocol control block:

root@foo > netstat -Aan | grep 60983
f10000f30049b358 tcp4 0 2941 127.0.0.1.389 127.0.0.1.60983 ESTABLISHED
f10000f30049ab58 tcp4 0 0 127.0.0.1.60983 127.0.0.1.389 ESTABLISHED


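The first column of output is the address of the protocol control block. Use the address from the line whose local address (the fifth column) is 127.0.0.1.60983, which is the client end of the connection.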

2.c. Using "rmsock" with the address of the protocol control block to get the process name and PID:

root@foo > rmsock f10000f30049ab58 tcpcb
The socket 0x49a800 is being held by process 229588 (ldapsearch).


3. Getting more information about the client process:

root@foo > ps -ef | grep 229588 | grep -v grep
root 229588 348370 19 11:44:49 pts/0 0:04 /opt/IBM/ldap/V6.0/bin/64/ldapsearch -D cn=root -w secret -b o=ibm,c=us objectclass=*


All done!
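
The steps above can be wrapped in small shell functions. This is an added example, not part of the original IBM document; the function names (audit_clients, pcb_for_local_port, rmsock_holder, port_owner) are hypothetical, and the sample text is copied from the output shown on this page.

```sh
#!/bin/sh
# Added example: parsers for the audit.log -> netstat -> rmsock chain.
# Function names are hypothetical; they are not IBM-supplied tools.

# Print "IP PORT" for each IPv4 "client: IP:PORT" field in audit.log text on stdin.
audit_clients() {
    sed -n 's/.*client: \([0-9.]*\):\([0-9][0-9]*\).*/\1 \2/p'
}

# Read `netstat -Aan` output on stdin and print the PCB address (column 1) of
# TCP sockets whose LOCAL address (column 5) ends in exactly port $1.
# A plain grep also returns the server end of the connection and any line
# that merely contains the digits. Only ESTABLISHED and LISTEN sockets are
# returned, because rmsock removes a socket that has no file descriptor.
pcb_for_local_port() {
    awk -v port="$1" '
        $2 ~ /^tcp/ && ($NF == "ESTABLISHED" || $NF == "LISTEN") {
            n = split($5, a, ".")          # last dot-separated field is the port
            if (a[n] == port) print $1
        }'
}

# Extract "PID COMMAND" from the rmsock "held by process" message on stdin.
rmsock_holder() {
    sed -n 's/.*held by process \([0-9][0-9]*\) (\([^)]*\)).*/\1 \2/p'
}

# Live use on AIX as root, for example: port_owner 60983
# Prints nothing when the client is remote (no local socket uses that port).
port_owner() {
    for pcb in $(netstat -Aan | pcb_for_local_port "$1"); do
        rmsock "$pcb" tcpcb | rmsock_holder
    done
}

# netstat sample copied from the page, so the parser can be tried offline.
SAMPLE_NETSTAT='f10000f30049b358 tcp4 0 2941 127.0.0.1.389 127.0.0.1.60983 ESTABLISHED
f10000f30049ab58 tcp4 0 0 127.0.0.1.60983 127.0.0.1.389 ESTABLISHED'

printf '%s\n' "$SAMPLE_NETSTAT" | pcb_for_local_port 60983
```

The PID printed by port_owner can then be passed to ps as in step 3.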


Document Information

Modified date:
26 September 2022

UID

swg21268786