Question & Answer
Question
How to use kdb to determine what process is using a port?
Answer
There are times when rmsock and lsof will not be able to display the process that is using a port.
An example of rmsock output where it cannot identify the process:
# rmsock f1000e00000fe3b8 tcpcb
The socket 0xf1000e00000fe008 is being held by Kernel/Kernel Extension.
Running a basic 'sockinfo' in kdb will not display the process either.
Here are the steps on how to use kdb to find which process is using a port:
1) Find the control block address of the desired port
In this example, the sample port is 32833/TCP.
# netstat -aAn | grep 32833
f1000e00000fe3b8 tcp 0 0 *.32833 *.* LISTEN
Note the PCB address is "f1000e00000fe3b8".
2) Use kdb to find the process using the port
Run the following commands at the kdb prompt.
a) This command returns the socket address
sockinfo <pcb addr> tcpcb | grep INFO
b) This command displays the next 60 lines starting at the socket address
dd <sock addr> 60
Here is an example:
# kdb
(0)> sockinfo f1000e00000fe3b8 tcpcb | grep INFO
-------- TCB --------- INPCB INFO ----(@ F1000E00000FE2A0)----
---- SOCKET INFO ----(@ F1000E00000FE008)----
(0)> dd F1000E00000FE008 60
F1000E00000FE008: 0001010600008080 F1000E00000FE2A0 ................
F1000E00000FE018: 0000000004603560 F1000E0001651280 .....`5`.....e..
F1000E00000FE028: 0000000000000000 0000000000000000 ................
... deleted for brevity ...
F1000E00000FE248: 0000000000000000 FFFFFFFFFFFFFFFF ................
F1000E00000FE258: 0000000000000000 0000000000690086 .............i..
F1000E00000FE268: 00000000012E0095 0000000000000000 ................
F1000E00000FE278: 0000000000000000 0000000000000000 ................
(0)> more (^C to quit) ?
The line that contains the process ID is the one whose address is the socket address + 0x250 (hex).
In our example:
socket address = F1000E00000FE008
F1000E00000FE008 + 0x250 = F1000E00000FE258
So the line of interest:
F1000E00000FE258: 0000000000000000 0000000000690086 .............i..
The PID is the number in the third column -- 690086 -- in hex.
Find the process name in kdb:
(0)> p * | grep 690086
pvproc+01A400 105 rpc.lock ACTIVE 0690086 03300B0 00000008506F4480 0 0001
(0)> exit
In the above example, the process is rpc.lockd.
You can also convert the hex PID to decimal:
0x690086 => 6881414 dec
# ps -ef | grep 6881414
root 6881414 3342512 0 Jun 28 - 0:00 /usr/sbin/rpc.lockd -d 0
Note: If the port is UDP, use "inpcb" instead of "tcpcb" in the above sockinfo command.
Note: Although rmsock displays the PID of the process using the socket, it is not meant to be used for this purpose. The rmsock command tries to free the socket if it is not used by any process. Hence, IBM does not recommend using rmsock to get the PID of the process using the socket.
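The address arithmetic and hex-to-decimal conversion above can be scripted against dd output saved from a kdb session. The following is an added example, not IBM's code: the function names are hypothetical, the 0x250 offset is the one given in this document, and the sample lines are copied from the example session above.

```sh
#!/bin/sh
# Added example: recover the owning PID from captured kdb "dd" output.
# PID_OFFSET is the +0x250 offset stated on this page; treat it as an
# assumption for other AIX levels and confirm it against a known socket.
PID_OFFSET=0x250

# add_offset ADDR: print ADDR + PID_OFFSET as 16 upper-case hex digits.
# Kernel addresses exceed the signed 64-bit range of shell arithmetic,
# so the sum is done on two 32-bit halves with an explicit carry.
add_offset() {
    addr=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    [ "${#addr}" -eq 16 ] || return 1
    case $addr in *[!0-9A-F]*) return 1 ;; esac
    hi=${addr%????????}
    lo=${addr#????????}
    sum=$(( 0x$lo + $PID_OFFSET ))
    hi=$(( (0x$hi + ($sum >> 32)) & 0xFFFFFFFF ))
    printf '%08X%08X\n' "$hi" "$(( $sum & 0xFFFFFFFF ))"
}

# pid_from_dd SOCKADDR: read dd output on stdin, print the decimal PID
# held in the second data word of the line at SOCKADDR + PID_OFFSET.
pid_from_dd() {
    target=$(add_offset "$1") || return 1
    hexpid=$(awk -v t="$target:" 'toupper($1) == t { print $3; exit }')
    # Fail if the line is missing from the capture or is not a hex word.
    case $hexpid in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    echo "$(( 0x$hexpid ))"
}

# Lines copied from this page's example session (trimmed).
sample_dd() {
    cat <<'EOF'
F1000E00000FE008: 0001010600008080 F1000E00000FE2A0 ................
F1000E00000FE248: 0000000000000000 FFFFFFFFFFFFFFFF ................
F1000E00000FE258: 0000000000000000 0000000000690086 .............i..
F1000E00000FE268: 00000000012E0095 0000000000000000 ................
EOF
}

sample_dd | pid_from_dd F1000E00000FE008
```

A non-zero exit status means the line at socket address + 0x250 was not present in the captured output, for example because the dd listing was cut short at the "more" prompt.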
Document Information
Modified date:
17 June 2018
UID
isg3T1024096