The short answer is: You need to be root in order to see all bindings.
A little bit longer:
The manpage of netstat gives a hint that is not necessary in all cases:
PID/Program name
Slash-separated pair of the process id (PID) and process name of the process that owns the socket. --program causes this column to be included. You will also need superuser privileges to see this information on sockets you don't own.
So, as a normal user you only see which process listens to a port, if you own it:
$ netcat -l -p 1234 &
$ netstat -tulpn
[...]
tcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN 8044/netcat
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
[...]
You see "your" netcat process, but not who is listening to e.g. port 22.
I have a feeling that the reason for that is that you can't access /proc/[PID]/fd for not-owned processes. There you find the file descriptors process [PID] has currently opened and in Un*x (nearly) everything is a file... and so are sockets.
In my example sshd, pid 3934, listens to port 22 (surprise-surprise):
$ whoami
user
$ ls -l /proc/3934/fd
/bin/ls: cannot open directory /proc/3934/fd: Permission denied
$ sudo ls -l /proc/3934/fd
total 0
lrwx------ 1 root root 64 Apr 24 16:33 0 -> /dev/null
lrwx------ 1 root root 64 Apr 24 16:33 1 -> /dev/null
lrwx------ 1 root root 64 Apr 24 16:33 2 -> /dev/null
lrwx------ 1 root root 64 Apr 24 16:33 3 -> socket:[10481]
lrwx------ 1 root root 64 Apr 24 16:33 4 -> socket:[10483]
(The second socket is bound to the IPv6 address which I omitted in my netstat output.)
;)
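
Added example, not part of the original answer: a sketch of the inode-to-PID matching that the /proc/[PID]/fd listing above points to, showing why an unreadable fd directory ends up as "-" in the PID column. The sample table is constructed (inode 10481 and the PIDs are taken from the answer, inode 55555 and the other values are made up), and the function names are hypothetical.

```python
import os
import re

# Constructed sample in /proc/net/tcp layout: ports 1234 and 22 listening,
# plus one established connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 55555 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10481 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 10490 1 0000000000000000 100 0 0 10 0
"""

def listening_sockets(proc_net_tcp_text):
    """Return {inode: port} for sockets in state 0A (TCP_LISTEN)."""
    result = {}
    for line in proc_net_tcp_text.splitlines()[1:]:
        f = line.split()
        if len(f) > 9 and f[3] == "0A":
            result[int(f[9])] = int(f[1].rsplit(":", 1)[1], 16)
    return result

def socket_owners(proc_root="/proc"):
    """Return ({inode: pid}, [pids whose fd directory was unreadable])."""
    owners, denied = {}, []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                m = re.fullmatch(r"socket:\[(\d+)\]", target)
                if m:
                    owners.setdefault(int(m.group(1)), int(entry))
        except PermissionError:
            denied.append(int(entry))  # not our process and we are not root
        except FileNotFoundError:
            continue  # process exited while we were scanning
    return owners, denied

def report(proc_net_tcp_text, proc_root="/proc"):
    """Return {port: pid or '-'}; '-' means no readable fd matched the inode."""
    owners, _ = socket_owners(proc_root)
    return {port: owners.get(inode, "-")
            for inode, port in listening_sockets(proc_net_tcp_text).items()}

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for port, pid in sorted(report(fh.read()).items()):
            print(port, pid)
```

Run as a normal user and then with sudo, the output for port 22 changes from "-" to the sshd PID, while your own listeners are resolved in both cases.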