Active Network Connections & Listening Ports

linux, Memory & Live State, Memory Dump

Location

/proc/net/tcp, /proc/net/tcp6, /proc/net/udp (or ss/netstat output)

Description

Live network socket state from the kernel including all established TCP connections, listening ports, UDP sockets, and UNIX domain sockets with owning process information.

Forensic Value

Enumerating active connections during live triage identifies active C2 channels, reverse shells, and unauthorized listeners. Correlating listening ports with their owning processes (via ss -tlnp or lsof -i) exposes backdoor services running on non-standard ports. Unexpected outbound connections to foreign IP addresses on ports 443, 8443, or 8080 warrant immediate investigation for beaconing behavior.
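When only a copy of /proc/net/tcp or /proc/net/tcp6 is available (no ss or netstat on the host), the hex fields have to be decoded by hand. The parser below is an added example, not part of the original page; it assumes a little-endian host, and the function names, the INTERNAL network list and the sample rows are constructed for illustration.

```python
import ipaddress

# TCP state codes as defined in the kernel's include/net/tcp_states.h
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}
# Assumption: site-specific IPv4 ranges treated as "not foreign"; adjust per environment
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in /proc/net/tcp layout (not taken from a real host)
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1
   2: 0A01A8C0:C822 057100CB:20FB 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1
   3: 0A01A8C0:9C40 1401A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20004 1
"""

def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' into (ip, port); assumes little-endian 32-bit words."""
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    # Reverse each 4-byte word: one word for IPv4, four for IPv6 (/proc/net/tcp6)
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return str(ipaddress.ip_address(fixed)), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row; the header and truncated rows are skipped."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue  # partial capture: not enough fields to reach the inode column
        rows.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                     "state": TCP_STATES.get(f[3].upper(), f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def triage(rows, watch_ports=(443, 8443, 8080)):
    """Return (listeners, established connections to watched ports outside INTERNAL)."""
    def external(ip):
        addr = ipaddress.ip_address(ip)  # IPv6 never matches the IPv4-only INTERNAL list
        return not any(addr in net for net in INTERNAL)
    listeners = [r for r in rows if r["state"] == "LISTEN"]
    outbound = [r for r in rows if r["state"] == "ESTABLISHED"
                and r["remote"][1] in watch_ports and external(r["remote"][0])]
    return listeners, outbound
```

The inode column is what ties a row to a process: a process holding the socket has a /proc/<pid>/fd entry pointing at socket:[inode], which is the lookup ss -p and lsof perform.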

Tools Required

ss, netstat, lsof -i, cat /proc/net/tcp
