How to Find the Inode of a TCP Socket

How do I find the inode of a TCP socket?

The inode shown by ls and stat is for the symlink that points to the inode associated with the socket. Running ls -iLalh shows the right inode. Ditto for stat -L.

Herpa derp derp. I only figured this out when I was composing my question. ;_;

Finding a process ID given a socket and inode in Python 3

The following code accomplishes the original goal:

    import os

    def find_pid(inode):

        # get a list of all files and directories in /proc
        procFiles = os.listdir("/proc/")

        # remove the pid of the current python process
        procFiles.remove(str(os.getpid()))

        # set up a list object to store valid pids
        pids = []

        for f in procFiles:
            try:
                # convert the filename to an integer and back, saving the result to a list
                integer = int(f)
                pids.append(str(integer))
            except ValueError:
                # if the filename doesn't convert to an integer, it's not a pid, and we don't care about it
                pass

        for pid in pids:
            try:
                # check the fd directory for socket information
                fds = os.listdir("/proc/%s/fd/" % pid)
            except OSError:
                # the process exited, or it belongs to another user and we are not root
                continue
            for fd in fds:
                try:
                    target = os.readlink("/proc/%s/fd/%s" % (pid, fd))
                except OSError:
                    # the descriptor was closed while we were scanning
                    continue
                # save the pid for sockets matching our inode
                if ('socket:[%d]' % inode) == target:
                    return pid

        # no other readable process holds a socket with this inode
        return None

How to find socket port by inode struct in Linux?

You can obtain the socket structure pointer from the struct file with the exported function sock_from_file.

It is then cast into a tcp_sock, which contains an inet_connection_sock which contains an inet_sock which contains a sock (not to be confused with socket) which contains sock_common. The two port numbers are ultimately stored in inet_sock and sock_common (well, that's how it works in a recent kernel version anyway).

Making use of these facts in a reliable way would be difficult. The layout and organization of all this depend closely on the kernel version, and of course on the file descriptor actually representing a connected TCP socket.

Is it possible to find which user is at the other end of a localhost TCP connection?

On Linux, /proc/net/tcp contains information on the open TCP sockets on the system. For a connected socket, the entries look like this (the header is part of the file, other lines removed):

  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  11: 0100007F:C9CB 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 978132 ...

The second and third columns have the endpoints of the socket, and the uid column has the effective UID of the process that created the socket.
/proc/net/tcp6 is similar for IPv6. (The IP address there is 127.0.0.1, so the octets seem to be in reverse order.)

If you wanted to track the actual process(es) holding the socket, you'd need to go through all /proc/$PID/fd/$N entries, and compare the inode numbers in the socket symlinks to the inode number mentioned in the tcp socket table. But you can only see the file descriptors of your own processes, unless you're the superuser.
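The lookup described in this answer, as an added example that is not part of the original answer: it decodes the hex endpoints of /proc/net/tcp and finds the UID that owns the other end of a localhost connection. The function names are hypothetical, the second table entry is constructed for the example, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# Sample /proc/net/tcp content. The first entry is the one quoted above; the
# second (the peer side, uid 0, inode 978140) is constructed for this example.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  11: 0100007F:C9CB 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 978132
  12: 0100007F:0016 0100007F:C9CB 01 00000000:00000000 00:00000000 00000000     0        0 978140
"""

TCP_ESTABLISHED = 0x01  # value of the "st" column for a connected socket


def decode_endpoint(field):
    """Turn '0100007F:C9CB' into ('127.0.0.1', 51659)."""
    addr_hex, port_hex = field.split(":")
    # The address is a 32-bit word printed in host byte order; "<I" assumes a
    # little-endian host, which is why the octets look reversed in the file.
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_tcp_table(text):
    """Parse /proc/net/tcp text into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:
            continue  # blank or truncated line
        rows.append({
            "local": decode_endpoint(cols[1]),
            "remote": decode_endpoint(cols[2]),
            "state": int(cols[3], 16),
            "uid": int(cols[7]),
            "inode": int(cols[9]),
        })
    return rows


def peer_uid(rows, local, remote):
    """UID owning the other end of the connection local -> remote, or None."""
    for row in rows:
        if (row["state"] == TCP_ESTABLISHED
                and row["local"] == remote and row["remote"] == local):
            return row["uid"]
    return None
```

On a live system, pass the contents of /proc/net/tcp to parse_tcp_table instead of SAMPLE; the inode field of the matching row is the number to compare against the socket symlinks under /proc/$PID/fd.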
