Netstat implementation principle

Source: Internet
Author: User

I recently took over a project based on OpenWrt, an embedded Linux distribution. At first I thought it would not differ much from my earlier server development, but when I had to analyze a problem I found that the toolchain is somewhat different. OpenWrt's netstat belongs to a toolset called BusyBox, which is provided specifically for embedded Linux. Its parameters are simple and it lacks the -p option that netstat has on regular Linux, so when I wanted to see which processes were listening on which ports, I found that I could only view the listening ports, with no way to know which process each one belongs to. lsof does not have the -i option either.

But sometimes it is important to know which process is listening on a certain port, so I wanted to figure out how netstat on Linux determines which process a listening port belongs to.

My first idea was to download the BusyBox source code, but that felt like too much code to read and too time-consuming. Then I thought of another Linux tool, strace (which traces the system calls a program makes), and used it to see what netstat does when it runs.

Looking at an excerpt of the strace output, you can see calls to open and readlink that traverse all the files in the /proc/3055/fd/ directory. This directory lists the files the process has open.

At the end of the strace output, you can see netstat open the /proc/net/udp file and read its contents to parse them for output. This file records all UDP connection information, while /proc/net/tcp holds the TCP connections and /proc/net/unix the UNIX socket connections.

According to the header of this file, the second column is the local address, but because it is hexadecimal-encoded we need to convert it to decimal manually.

Notice that /proc/net/udp itself contains no process information. This is why netstat first traverses all the /proc/xx/fd directories: through the inode, netstat can associate a line in /proc/net/udp with a file in /proc/xx/fd, which yields the process information for that UDP connection (because the inode is unique).

So, based on this analysis, I guess the netstat in BusyBox does not perform the step of traversing all /proc/xx/fd directories; it just reads the /proc/net/udp file and parses it for output.

Once we understand how netstat works, even on an embedded Linux that does not provide the netstat -p option, we can manually extract the information we need to solve the problem.
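
The manual lookup described above, written as a shell script that sticks to POSIX sh features so it can run under BusyBox. This is an added example, not code from the original article or from BusyBox; the function names and the PROC override variable are assumptions made for illustration, and /proc/xx/comm is used here only to print a process name.

```shell
#!/bin/sh
# Added example (not from the article or BusyBox): find which process owns a port
# by joining /proc/net/<proto> with /proc/<pid>/fd on the socket inode.
# PROC is an assumed override so the functions can run against a constructed tree.
PROC="${PROC:-/proc}"

# "0035" -> 53: ports in /proc/net/* are hexadecimal
hex_port_to_dec() { echo $((0x$1)); }

# Print the socket inodes of entries in $PROC/net/<proto> bound to local port <port>.
# Column 2 is local_address (HEXIP:HEXPORT), column 10 is the inode.
inodes_for_port() {
    want=$(printf '%04X' "$2")
    awk -v want="$want" 'NR > 1 { n = split($2, a, ":")
        if (toupper(a[n]) == want) print $10 }' "$PROC/net/$1"
}

# Print the PIDs holding an fd whose link target is socket:[<inode>].
# Other users' fd directories are only readable as root; failures are skipped.
pids_for_inode() {
    for fd in "$PROC"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$PROC"/}
        echo "${pid%%/*}"
    done | sort -un
}

# Print "PID NAME" for every process that owns <proto> port <port>.
port_owner() {
    for ino in $(inodes_for_port "$1" "$2"); do
        [ "$ino" = 0 ] && continue   # inode 0: no owning process (e.g. TIME_WAIT)
        for pid in $(pids_for_inode "$ino"); do
            echo "$pid $(cat "$PROC/$pid/comm" 2>/dev/null)"
        done
    done
}

# Usage: ./port_owner.sh udp 53
if [ $# -eq 2 ]; then port_owner "$1" "$2"; fi
```

The same functions work for tcp, tcp6 and udp6, since the port is always the last colon-separated part of the local address column.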
