
[tlug] What is listening on port X?



Hello,

I have been taking various deep dives in Linux recently (day job is
incident response), and recently I found a challenge that no amount of
googling solved...

On a system I have the following:

# netstat -tunelp|head -n3
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:40636           0.0.0.0:*               LISTEN      0          77216      -

# rpcinfo -s
   program version(s) netid(s)                         service     owner
    100000  2,3,4     local,udp,tcp,udp6,tcp6          portmapper  superuser
    100024  1         tcp,udp                          status      superuser
    100021  4,3,1     tcp6,udp6,tcp,udp                nlockmgr    superuser

# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  42017  status
    100024    1   tcp  45984  status
    100021    1   udp  33007  nlockmgr
    100021    3   udp  33007  nlockmgr
    100021    4   udp  33007  nlockmgr
    100021    1   tcp  45837  nlockmgr
    100021    3   tcp  45837  nlockmgr
    100021    4   tcp  45837  nlockmgr

The question is how to find what is LISTENing on 40636/tcp?

The quick spoiler is "something related to NFS", since it disappears
when I unmount all NFS mounts.
However I am interested in more general ways to track such listening
connections (e.g. it could have been malware).

AFAIK, the inode given by netstat should be related to the /proc, but
I couldn't find anything in there by `find /proc -inum 77216` ...

Any pointers, or am I looking into kdebug land?

Regards,
Kalin.
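
Added example, not part of the original post: the inode netstat prints is a socket inode, which shows up in /proc only as the link target `socket:[INODE]` of entries under /proc/PID/fd, so it is matched by reading those links rather than by `find -inum`. The sketch below parses a /proc/net/tcp table for LISTEN entries on a port and then searches the fd links; the function names and the sample table are constructed for illustration, and it assumes it runs as root in the same network namespace as the socket.

```python
import os

TCP_LISTEN = "0A"  # value of the "st" column for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout; 0x9EBC == 40636, 0x006F == 111.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11875 1 0000000000000000 100 0 0 10 0
   1: 00000000:9EBC 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 77216 1 0000000000000000 100 0 0 10 0
"""

def listening_inodes(table_text, port):
    """Return the socket inodes of LISTEN entries bound to `port`."""
    inodes = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        if int(f[1].rsplit(":", 1)[1], 16) == port:  # port is hex after the last ':'
            inodes.append(int(f[9]))                 # column 10 is the inode
    return inodes

def owners_of_inode(inode, proc_root="/proc"):
    """Return sorted PIDs holding an fd whose link target is socket:[inode]."""
    target = f"socket:[{inode}]"
    pids = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():                   # only per-process directories
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                           # process exited or access denied
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.add(int(entry))
            except OSError:                       # fd closed while scanning
                pass
    return sorted(pids)

def who_listens(port, table_text, proc_root="/proc"):
    # An empty PID list means no process fd references the socket.
    return {i: owners_of_inode(i, proc_root) for i in listening_inodes(table_text, port)}

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        print(who_listens(40636, fh.read()))
```

An empty PID list for an inode that is still listening, when run as root, points at a socket with no user-space owner, such as one created inside the kernel; /proc/net/tcp6 uses the same column layout and can be passed to the same functions.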

