netstat -ntap doesn't show pid/process name for some connections?

Question

I have ubuntu/hardy server, with kernel 2.6.24-23-server and netstat:

# netstat --version
net-tools 1.60
netstat 1.42 (2001-04-15)

The problem is that we have a lot of ESTABLISHED connections that don't show PID nor Program name in netstat -ntap output. Netstat was called from root, there are no chroots, grsecurity, nor anything like this (or so I was told :).

Any idea on what might be wrong?

UPDATE

lsof -n -i works ok, and shows pid/process name for the connections.

score 15 · Answer 1 · edited Apr 12 '17 at 07:30

198_141:~ # netstat  -anp|grep 33000
tcp        0      0 0.0.0.0:53000           0.0.0.0:*               LISTEN       -                   
198_141:~ # lsof -i:33000
COMMAND   PID USER   FD   TYPE     DEVICE SIZE NODE NAME
vsftpd  28147 root    3u  IPv4 4089990174       TCP *:33000 (LISTEN)
198_141:~ # id
uid=0(root) gid=100(users) groups=16(dialout),100(users)
198_141:~ #

in my oninion,there could be two situations:

1) normal privilege user excute "netstat" cann't see those processes launched by root

2) some processes run in kernel

mikemaccana · Answer 2 · 2024-09-24T02:52:03.267

This will occur with kernel processes like NFS, but also occasionally occurs with regular apps: RHEL 5 has the same behavior.

# netstat -taupen | grep 30715
tcp        0      0 0.0.0.0:30715           0.0.0.0:*               LISTEN      66558      81467710   -

Note that lsof, on the other hand, works properly in those cases:

# lsof -i:30715
AppName 1598 useracct   78u     IPv4           81467710                   TCP *:30715 (LISTEN)

zenkj · Answer 3 · 2018-06-21T01:05:53.267

Arrive here because these days I encounter the same question on ubuntu 18.04 LTS (netstat is the same version netstat 1.42 (2001-04-15)), strange still no answer after 8 years. After browsing the source code of net-tools, I may find it.

In the netstat source code:

all process folders in /proc are iterated, each fd in /proc//fd directory is checked to build a map from socket inode to pid/progname.
then /proc/net/tcp is checked to get tcp socket information(by the tcp_info function), including the socket inode.
when outputting the tcp socket information , the pid/progname is queried from the map in step 1 via the socket inode. if nothing is found, '-' outputs.

If the socket is created after the map is built, the pid/progname will not be found in the map.

score 2 · Answer 4 · answered Nov 17 '09 at 16:05

For established connections, this should only happen for connections that are initiated from kernel space, like NFS or DRBD. Obviously waiting connections could have had the process die underneath them. If you can't work out what is causing a given connection, paste the output and someone can tell you what it is.

score 1 · Answer 5 · answered Jun 07 '10 at 19:14

I have the same behaviour and my guess is that netstat behavior may have changed. For example I see the port and program for 'wget', but not for Apache PHP processes, which are the more important to me.

Workaround: I rewrote my script to use lsof instead (see hint above)

netstat -ntap doesn't show pid/process name for some connections?

5 Answers5