sockstat -l4
and netstat -an
, too.Some internet sources reference this as using the 5431 port:
https://en.wikipedia.org/wiki/Universal_Plug_and_Play
sockstat -l4
and if I see a port open I make a rule to block it with pf and work from there. net/avahi as an example uses UDP port 5353 as zeroconf so it gets blocked at pf. lsof |grep 5901
will show me:Xvnc 40988 root 1u IPv4 0xfffff80087a18820 0t0 TCP nas01.cdor.net:5901 (LISTEN)
ps -auxfwp 40988
(empahsis on the "p" will show me even more info:USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 40988 0.0 0.1 65188 10996 18 I Thu19 0:28.22 Xvnc :1 -interface 10.10.10.10 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xaut
sockstat -46
lsof |grep 5431
gnome-ses 8758 fernandel txt VREG 0,97 190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
gnome-she 31858 fernndel txt VREG 0,97 190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
tracker-m 44838 fernandel txt VREG 0,97 190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
hald 53972 haldaemon txt VREG 0,97 190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
hald-runn 54045 root txt VREG 0,97 190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
goa-daemo 54666 fernandel txt VREG 0,97 190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
mission-c 57253 fernandel txt VREG 0,97 190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
python2.7 59443 fernandel txt VREG 0,97 190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
I am runing GNOME 3 and I did runNo need for it, we have sockstat(1):sockstat -46
sockstat -46
and I got:root sendmail 97232 3 tcp4 127.0.0.1:25 *:*
root cupsd 30062 6 tcp6 ::1:631 *:*
root cupsd 30062 7 tcp4 127.0.0.1:631 *:*
_ntp ntpd 79463 7 udp4 192.168.1.2:34752 198.50.238.156:123
_ntp ntpd 79463 8 udp4 192.168.1.2:42334 198.58.110.84:123
_ntp ntpd 79463 9 udp4 192.168.1.2:24011 38.126.113.11:123
_ntp ntpd 79463 10 udp4 192.168.1.2:51415 216.187.142.202:123
? ? ? ? tcp4 192.168.1.2:60974 192.0.73.2:443
So my bet is on the latter: a socket which isn't associated with any file descriptor.If a socket is associated with more than one file descriptor, it is shown
multiple times. If a socket is not associated with any file descriptor,
the first four columns have no meaning.
lynx https://google.com
in one console gives me these results in the other:root syslogd 591 6 udp6 *:514 *:*
root syslogd 591 7 udp4 *:514 *:*
? ? ? ? tcp4 10.0.1.5:40728 209.85.203.94:443
? ? ? ? tcp4 172.16.0.150:52181 216.58.198.46:443
? ? ? ? tcp4 172.16.0.150:52182 216.58.205.132:443
? ? ? ? tcp4 172.16.0.150:52185 93.184.220.29:80
sockstat -4
.? ? ? ? tcp4 172.16.0.150:12346 216.58.198.46:443
? ? ? ? tcp4 172.16.0.150:12347 216.58.198.46:443
? ? ? ? tcp4 172.16.0.150:12348 216.58.205.35:443
? ? ? ? tcp4 172.16.0.150:12349 216.58.198.33:443
? ? ? ? tcp4 172.16.0.150:12350 216.58.198.46:443
? ? ? ? tcp4 172.16.0.150:12351 216.58.198.35:443
? ? ? ? tcp4 172.16.0.150:12352 216.58.198.35:443
? ? ? ? tcp4 172.16.0.150:12353 216.58.205.66:443
The question marks are normal. Here's a thread that talks about it:
https://forums.freebsd.org/threads/...tion-marks-when-trying-to-close-socket.46695/