What is using this network socket?

networking process freebsd open-files

8,609

Solution 1

You can do

lsof -n | grep -i "TCP\|UDP" | grep -v "ESTABLISHED\|CLOSE_WAIT"

to see all of your listening ports, but dollars to donuts that ntpd is running:

service ntpd status

And as for "What does socket in use" mean? If I can be forgiven for smoothing over some wrinkles (and for the very basic explanation, apologies of most of this is remedial for you)...TCP/IP (the language of the internet) specifies that each computer has an IP address, which uniquely identifies that computer on the internet. In addition, there are 65,000 numbered ports on each IP address that can be connected to.

When you want to connect to a web server, you open the site in your browser, but the machinery underneath is actually connecting you to port 80 on the web server's IP. The web server's daemon (the program listening for connections to port 80) uses a "socket" to hold open that port, reserving it for itself. Only one program can use the same port at a time.

Since you had ntpd running, it was using that port. 'ntpdate' tried to access that port, but since it was already held open, you got the 'socket already in use' error.

Edit
Changed to account for UDP as well

Solution 2

You can also use netstat to look for open sockets--it's much cleaner than using lsof as the other posters have suggested. Try this command line as root

netstat -lp -u -t

to view all listening connections, including their associated pid's and programs. The -l parameter is what specifies listening connections, -p specifies that you want to see the PID/name and -t and -u tell netstat that you want only TCP and UDP connections (IPv4 and IPv6).

If you want to see numeric port and host names (ie. not resolved in the case of hosts, and not transformed to service names in the case of ports), you can add -n to the command line above.

EDIT: This works on Linux--I don't know how well it works on BSD, as I don't have any BSD-based boxes around.

Solution 3

On FreeBSD, you can also use sockstat in case lsof doesn't work for you (e.g. on virtualized systems that don't have /dev/mem for whatever reason). To get a list of all programs with listening IPv4 sockets:

sockstat -l4

Solution 4

You can use lsof to find which application is using this socket.

Solution 5

As root, do this:

lsof | grep IPv4 | grep LISTEN

This will show you all processes that are listening on IPv4 sockets. You may want to add -b to prevent lsof from doing some things that might block it. If you do that you'll probably also want to redirect stderr to /dev/null.

View more solutions

8,609

Mark Norgren

Updated on September 17, 2022

Comments

Mark Norgren over 1 year
I'm trying to use NTP to update the time on my machine. However, it gives me an error:
```
host # ntpdate ntp1.example.org
10 Aug 12:38:50 ntpdate[7696]: the NTP socket is in use, exiting
```
What does the error "socket is in use" mean? How can I see what is using this socket?

This happens on my CentOS 4.x system, but I also see it on FreeBSD 7.x, Ubuntu 10.04 and Solaris 10.
- Admin about 9 years
  
  In Stack Overflow: What processes are using which ports on unix? (2008-09-24)
geoffc almost 14 years

lsof rocks my world! grep on IPv4 as well to find various IP based things.
Mark Norgren almost 14 years

+1 : This is the only answer which actually shows the ntpd process (which listens on UDP by default).
Mark Norgren almost 14 years

For the humans: Your flags are equivalent to netstat --listen --programs --udp --tcp
Mark Norgren almost 14 years

FreeBSD does not support the '-p' ("Show Programs"), which is why people use LSOF. It also does not support the -l ("Show Listening Sockets") flags, but I think you can do that with | grep LISTEN, but that excludes the UDP connections. But otherwise, I think the equivalent flags on FreeBSD are: netstat -p udp -p tcp -a, but netstat -a might be simpler.
Mark Norgren almost 14 years

"apologies to everyone who already knew this" -- Don't apologize. One purpose of this site is to provide good answers to common questions. The purpose of this early beta is to provide content.
wegrata almost 14 years

@Stefan: My answer will show UDP sockets as well.
Mark Norgren almost 14 years

For me, this doesn't seem to show udp packets. I'm testing on an Ubuntu box which is running rsyslogd, listening on port 514/udp.
Mark Norgren almost 14 years

@kbyrd : Interesting. It doesn't show UDP packets for me. See my comment to your post.
Mark Norgren almost 14 years

I need to do sudo lsof |grep UDP to see UDP packets.
Matt Simmons almost 14 years

I know, but I wanted to make sure the person asking knew I wasn't trying to talk down to them.
Rimantas almost 14 years

@Stefan: That seems so...backwards. :-/ (Re: BSD netstat not supporting -p or -l)
Mark Norgren almost 14 years

@B : I agree. But I think the original BSD netstat didn't support the flags, therefore the current netstat doesn't introduce that change either. It's very *BSD!
Mark Norgren almost 14 years

I asked the question, and you weren't talking down to me. I also know the answer, but I figure it's a good question for the beta. And your answer was much better then anything I would write ;)
RobertL over 8 years

The ntpdate on Debian has the -u option, since it's from ntp.org, I imagine most systems have it.
three-blocks almost 7 years

@MattSimmons there is no Isof command in my CentOS 7.