Network Daemons  «Prev  Next»

Lesson 5 Well-known port numbers and /etc/services
Objective Describe the conventions for establishing an association between certain port numbers and services.

Well-known Port Numbers and /etc/services

When a user opens a telnet connection from his or her machine to another machine, the client telnet process on the originating machine must find the server process on the remote machine. Thus, the client telnet process must know the port number of a telnet server process on the remote machine. Fortunately, the client process does not need to guess this port number. A set of conventions administered by the Internet Assigned Numbers Authority (IANA) establishes an association between certain port numbers and services. These assigned port numbers are called "well-known" port numbers. For example, the “well-known” port number for telnet is 23, so a telnet client can expect to find a telnet server at port 23 on the remote machine. The notion of well-known port numbers has nothing to do with UNIX; it is part of TCP/IP. A telnet client on a UNIX machine expects to find a telnet server at port 23 on the destination machine, regardless of what operating system is running on that machine. The file /etc/services is a list of conventional names for TCP/IP services and associated well-known port numbers:
View the image below to examine some well-known port numbers and /etc/services.
Network Services Internet Style
Unix /etc/services file
  1. Comment lines
  2. Service name
  3. Port number/protocol
  4. Aliases
  5. This line indicates that the telnet service uses TCP port 23.
  6. The domain service uses both TCP port 53 and UDP port 53. These are different ports.

Comment lines, Service name, Port number/protocol

Ad TCP/IP Illustration

Purpose of etc/services

/etc/services: On UNIX, the configuration file /etc/services maps port numbers to named services.
Key point: The purpose of etc/services is so that programs can do a getportbyname() sockets call in their code in order to get the port they should use. For example, a POP3 email daemon would do a getportbyname ("pop3") in order to retrieve the number 110 that pop3 runs at. The idea is that if all POP3 daemons use getportbyname(), then no matter what POP3 daemon you run, you can always reconfigure its port number by editing /etc/services.
If you want to find out what ports programs are using, you should instead use the program lsof to find out exactly which ports are bound to which processes. If running lsof is not appropriate, then you should lookup the ports in a more generic reference.
It is important to realize that the services file merely associates names (telnet, domain[1], FTP) with port numbers. (Just because a line appears in /etc/services does not mean that the corresponding service is available on the machine.) Nor is the
/etc/services file 

particularly informative about what the various services are, what is chargen, for example? (see below) The services file is a bit like the hosts file. Without it, you would have to refer to port numbers, but with it, you can refer to the telnet port. The system can look up telnet in the services file to find out it means port 23/tcp.

The Character Generator Protocol (CHARGEN) is a service of the Internet Protocol Suite defined in RFC 864 in 1983 by Jon Postel. It is intended for testing, debugging, and measurement purposes and the protocol is rarely used, as its design flaws allow ready misuse.

Use "lsof" to find out which ports are bound to Processes

Here's a breakdown of how to use `lsof` to discover port-to-process mappings on a network:
lsof Basics lsof: Stands for "List Open Files". It's a powerful command-line utility on Unix-like systems that displays information about files and network sockets open by various processes.
General Command Structure The basic syntax to find network connections and associated processes is:
lsof -i -P -n
  • -i: Selects open network files (i.e., sockets).
  • -P: Disables port number to name conversion (shows raw port numbers).
  • -n: Disables host name resolution (shows IP addresses).

  • `lsof`will gather and display information about open network sockets used by running processes.
  • The output will include columns like:
    • COMMAND: The name of the process.
    • PID: The Process ID.
    • USER: The username of the process owner.
    • FD: File descriptor
    • TYPE: The type of socket (IPv4, IPv6)
    • DEVICE: Network device
    • SIZE/OFF: Size or offset of the file
    • NODE: IP address and port number (e.g.,

Filtering for Specific Ports
To check for processes using a specific port (e.g., port 80):
lsof -i :80 

  • All network connections: `lsof -i -P -n`
  • Processes using TCP port 22 (SSH): `lsof -i tcp:22`
  • Processes using UDP port 53 (DNS): `lsof -i udp:53`

Important Note: You will likely need administrative privileges (sudo) to see the full range of open ports and their associations.

[1] Domain: On the Internet, "domain" is most commonly used to refer to a group of computers whose hostnames share a common suffix, the domain name. The last component of this is the top-level domain.

SEMrush Software5