Published: Fri 08 January 2016
By pfigue
In python .
tags: python psutil netstat ports listening
Every now and then I have to run netstat -tlpn
on my machine and I discover some processes listening there, for everybody who wants to connect.
Sometimes it is an MySQL, sometimes an ElasticSearch. Nothing that I want to have there available for everybody.
I wanted to automate some solution to warn me when something new starts to listen there, so the first I though was about developing some wrapper around netstat
command with python, but accidentaly I discovered the psutil module .
So, here is a proof of concept for inet sockets (ip4 and ip6 ):
import psutil
import socket
rows = []
lc = psutil . net_connections ( 'inet' )
for c in lc :
( ip , port ) = c . laddr
if ip == '0.0.0.0' or ip == '::' :
if c . type == socket . SOCK_STREAM and c . status == psutil . CONN_LISTEN :
proto_s = 'tcp'
elif c . type == socket . SOCK_DGRAM :
proto_s = 'udp'
else :
continue
pid_s = str ( c . pid ) if c . pid else '(unknown)'
msg = 'PID {} is listening on port {}/{} for all IPs.'
msg = msg . format ( pid_s , port , proto_s )
print ( msg )
Which throws these results now on my machine:
PID 7162 is listening on port 5353/udp for all IPs.
PID 29784 is listening on port 7534/tcp for all IPs.
PID (unknown) is listening on port 68/udp for all IPs.
PID (unknown) is listening on port 631/udp for all IPs.
PID (unknown) is listening on port 30158/udp for all IPs.
PID (unknown) is listening on port 9200/tcp for all IPs.
PID (unknown) is listening on port 38047/udp for all IPs.
PID 13932 is listening on port 48854/tcp for all IPs.
It is using the psutil.net_connections
function.
This is accurate as long as the information source (I guess the kernel, but I don't know how is it implemented, if reading /proc/
data or what...) is trustable. If there is some rootkit providing false information, then it would be better to do some port scanning instead of reading this info.