Linux laptop showing a bash prompt
fatmawati achmad zaenuri/Shutterstock.com

To kill a Linux process you need its ID or its name. If all you know is the port it’s using, can you still kill it? Yes, in several different ways.

Killing Processes

Occasionally a Linux process can become unresponsive. It may stop operating correctly, or it might continue to work but ignore requests for it to shut down, or start gobbling memory, CPU, or network bandwidth.

Whatever your motives, there are ways to kill a process from the Linux command line. The classic method is to use the kill command with the process ID of the process you want to terminate. The kill command has some close relatives. The pkill command will kill a process by name, and killall will kill all processes it can find that share part of a name.

If all you know about a process is it is using a port on your computer, there are still ways to identify and kill it. In networking terms, “port” can mean a physical connection into which you insert a cable with a plug on the end, such as a CAT5 or 6 network lead, or it can mean a software port.

A software port is the final part of a network connection. The IP address of a device identifies the computer or other network appliance. The applications inside the computer use different ports. These provide another level of granularity. The network traffic has arrived at the correct computer using the IP address, and by using port addressing it can be delivered to the correct application.

It’s like postal mail arriving at a hotel, then being sorted and delivered to the appropriate rooms. The IP address is like the street address of the hotel, and the room numbers are like the port numbers.

If you see network activity on a port and you don’t recognize the process that is generating it, or its behavior is problematic or suspicious, you might want want to kill the process. Even if all you know is the port number, you can track down the process and kill it.

Creating Connections With socat

So that we have some connections to kill, we’ll use socat to create network connections using different protocols. You’ll need to install socat . To install it on Ubuntu, use this command:

sudo apt install socat

Installing socat on Ubuntu

On Fedora use dnf:

sudo dnf install socat

Installing socat on Fedora

On Manjaro you need to type:

sudo pacman -S socat

Installing socat on Manjaro

The syntax for socat is straightforward if a little long-winded. We need to provide the source and destination addresses. For each of these, we need to provide the protocol, IP address, and port number. We can substitute STDIN or STDOUT as a source or destination.

This command creates a connection between a TCP listening socket on port 7889, on the loopback IP address of 127.0.0.1, and STDOUT. The ampersand “&” runs the command in the background, so that we retain access to the command line.

socat tcp-listen:7889,bind=127.0.0.1 stdout &

Creating a listening TCP socket connection with socat

We’ll create two more connections so that we have a small selection of sockets using different protocols. We’ll create a UDP connection and an SCTP connection. The only part of the command that changes is the protocol.

socat udp-listen:7889,bind=127.0.0.1 stdout &
socat sctp-listen:9999,bind=127.0.0.1 stdout &

Creating listening UDP and SCTP socket connections with socat

RELATED: What's the Difference Between TCP and UDP?

Using Kill

Of course, we can use kill to terminate the process, just as long as we know what the ID of the process is. To find the PID, we can use the lsof command.

To list the details of the process on port 7889 that are using the TCP protocol, we use the -i (internet address) option, like this.

lsof -i tcp:7889

Using lsof to show the details of a process using a specific port and protocol

The PID of this process is 3141, and we can go ahead and use that with kill:

sudo kill 3141

We can save ourselves some effort if we use pipes. If we pipe the output of lsof into awk and tell awk to search for lines that contain the port we’re interested in—7889—and print the second field from that line, we’ll isolate the PID.

lsof -i tcp:7889 | awk '/7889/{print $2}'

Piping the output of lsof into awk

We can then pipe the output from awk into the kill command using xargs. The xargs command takes its piped input and passes it to another command as command line parameters. We’ll use xargs with the kill command.

lsof -i tcp:7889 | awk '/7889/{print $2}' | xargs kill

Using pipes to take the output of lsof into awk and from awk into xargs and kill

We don’t get any visual feedback. In the typical Linux way, no news is good news. If you want to check that the process has been terminated you can use lsof once more.

lsof -i tcp:7889

Using lsof to search for details of a process using a specific port and protocol without sucess

Because lsof doesn’t report anything, we know there’s no such connection.

We can remove a process using the UDP protocol simply by replacing “tcp” with “udp” in our earlier command.

lsof -i udp:7889 | awk '/7889/{print $2}' | xargs kill

Using pipes to take the output of lsof into awk and from awk into xargs and kill, for a UDP socket

However, lsof doesn’t recognize the SCTP protocol.

lsof -i sctp:7889

lsof does not work with the SCTP protocol

We can use the ss command to do that. We’re using the -S (SCTP) option to search for SCTP sockets, the -a (all) option to search for all types of sockets (listening, accepting, connected, etc.), and the -p (processes) option to list the details of the process using the socket.

ss -Sap

Printing the details of a process using an SCTP socket with ss

We can parse that output using grep and awk . We could also parse it using grep and some PERL regexes, but this way is much easier to understand. If you were going to use this more than once or twice you’d probably make an alias or shell function out of it.

We’ll pipe the output from ss into grep and search for our port number, 7889. We’ll pipe the output from grep into awk. In awk, we’re using the -F (separator string) option to set a comma  “,” as the field delimiter. We search for a string containing “pid=”, and print the second comma-delimited field from that string.

ss -Sap | grep "7889" | awk -F',' '/pid=/{print $2}'

Using pipes to connect ss, grep, and awk to extract the PID string

That has given us the string “pid=2859.”

We can pipe that into awk again, set the field delimiter to the equals sign “=” and print the second field from that string, which will be the text behind the equals sign.

ss -Sap | grep "7889" | awk -F',' '/pid=/{print $2}' | awk -F'=' '{print $2}'

Using pipes to connect ss, grep, and awk twice, to extract the PID

We’ve now isolated the process ID. We can use  xargs to pass the PID to kill as a command line parameter.

ss -Sap | grep "7889" | awk -F',' '/pid=/{print $2}' | awk -F'=' '{print $2}' | xargs kill

Using pipes with ss, grep, awk, and xargs to terminate an SCTP socket process

That kills the process that was using the SCTP protocol socket on port 7889.

The fuser Command

The fuser command simplifies things a great deal. The downside is, that it only works with TCP and UDP sockets. On the plus side, those are the two most common types of sockets you’ll need to deal with. The fuser command was already installed on the Ubuntu, Fedora, and Manjaro computers we checked.

All you need to do is use the -k (kill) option, and provide the port and protocol. You can either use the -n (namespace) option and provide the protocol and port, or use the “forward slash shortcut format” and put the port number first.

fuser -n tcp 7889
fuser 7889/udp

Using the fuser command to delete the processes using TCP and UDP sockets

The port number, protocol, and PID of the terminated process are printed in the terminal window.

Try fuser First

It’ll probably be installed on the computer you’re working on, and the protocol is likely to be TCP or UDP, so there’s a great chance the simplest way will work for you.

Profile Photo for Dave McKay Dave McKay
Dave McKay first used computers when punched paper tape was in vogue, and he has been programming ever since. After over 30 years in the IT industry, he is now a full-time technology journalist. During his career, he has worked as a freelance programmer, manager of an international software development team, an IT services project manager, and, most recently, as a Data Protection Officer. His writing has been published by  howtogeek.com, cloudsavvyit.com, itenterpriser.com, and opensource.com. Dave is a Linux evangelist and open source advocate.
Read Full Bio »