Listing the ports in use on Linux

How do you tell which ports are in use on a Linux or Unix-like server? It comes up all the time — debugging which app is squatting on a port, sanity-checking that nothing unexpected is listening, or just confirming you can put Nginx on 80 without hitting an existing Apache. The two tools I reach for are lsof and ss (or its older sibling netstat).

1. lsof

bash

1lsof -i -P -n2lsof -i -P -n | grep LISTEN  # only listening sockets

Sample output:

bash

1❯ lsof -i -P -n | grep LISTEN2systemd-r   549 systemd-resolve   13u  IPv4   20972      0t0  TCP 127.0.0.53:53 (LISTEN)3nginx       739            root   11u  IPv4   24520      0t0  TCP *:80 (LISTEN)4nginx       739            root   12u  IPv6   24521      0t0  TCP *:80 (LISTEN)5nginx       739            root   13u  IPv4   24522      0t0  TCP *:22222 (LISTEN)6nginx       739            root   14u  IPv4   24523      0t0  TCP *:443 (LISTEN)7nginx       739            root   15u  IPv6   24524      0t0  TCP *:443 (LISTEN)8sshd       1065            root    3u  IPv4 1215778      0t0  TCP *:22 (LISTEN)9sshd       1065            root    4u  IPv6 1215780      0t0  TCP *:22 (LISTEN)10netdata    1122         netdata    5u  IPv4   28641      0t0  TCP *:19999 (LISTEN)11mariadbd  23070           mysql   24u  IPv6 1217922      0t0  TCP 127.0.0.1:3306 (LISTEN)12php-fpm7. 59769            root    7u  IPv4  808985      0t0  TCP 127.0.0.1:9174 (LISTEN)

Each line tells you the binary, the PID, the user, the protocol, and the address it's bound to. Reading one row:

bash

1COMMAND   PID    USER       FD   TYPE DEVICE                        ADDRESS2mariadbd  23070  mysql      24u  IPv6 1217922      0t0  TCP 127.0.0.1:3306 (LISTEN)

So MariaDB is listening on 127.0.0.1:3306 as the mysql user with PID 23070.

2. ss (or netstat)

netstat is deprecated on modern kernels — ss from iproute2 is the replacement and is faster on busy hosts.

bash

1ss -tulwn2ss -tulwn | grep LISTEN  # only listening sockets

If you're on an older box, netstat still works:

bash

1netstat -tulpn | grep LISTEN

Sample ss output:

bash

1❯ ss -tulp | grep LISTEN2tcp   LISTEN 0      511                         0.0.0.0:22222       0.0.0.0:*    users:(("nginx",pid=742,fd=13))3tcp   LISTEN 0      511                         0.0.0.0:http        0.0.0.0:*    users:(("nginx",pid=742,fd=11))4tcp   LISTEN 0      4096                  127.0.0.53%lo:domain      0.0.0.0:*    users:(("systemd-resolve",pid=549,fd=13))5tcp   LISTEN 0      32768                     127.0.0.1:9174        0.0.0.0:*    users:(("php-fpm7.4",pid=59769,fd=7))6tcp   LISTEN 0      511                         0.0.0.0:https       0.0.0.0:*    users:(("nginx",pid=742,fd=14))7tcp   LISTEN 0      128                         0.0.0.0:22          0.0.0.0:*    users:(("sshd",pid=1065,fd=3))8tcp   LISTEN 0      4096                        0.0.0.0:19999       0.0.0.0:*    users:(("netdata",pid=1122,fd=5))

The flags I use most:

bash

1-t  TCP only2-u  UDP only3-l  listening sockets only4-p  show the process name and PID using each socket5-n  numeric — don't resolve port names or IPs

ss -tulpn is the one-liner that lives in my muscle memory.