added 326 characters in body
Stéphane Chazelas

2017 Edit: There are more options now, as seen at "Who's got the other end of this unix socketpair?". With Linux 3.3 or above and with lsof 4.89 or above, you can replace points 3 to 5 above with:

lsof +E -a -p 1237 -d 31

to find out who's at the other end of the socket on fd 31 of the X-server process with ID 1237.


replaced http://serverfault.com/ with https://serverfault.com/
  1. Find the PID of your X-server:

     $ ps ax | grep X
      1237 tty1     Ssl+  11:36 /usr/bin/X :0 vt1 -nr -nolisten tcp -auth /var/run/kdm/A:0-h6syCa
    
  2. Window id is 0x1600045, so client base is 0x1600000. Attach to X-server and find client socket descriptor for that client base. You'll need debug information installed for X-server (-debuginfo package for rpm-distributions or -dbg package for deb's).

     $ sudo gdb
     (gdb) define findclient
     Type commands for definition of "findclient".
     End with a line saying just "end".
     > set $ii = 0
     > while ($ii < currentMaxClients)
     >   if (clients[$ii] != 0 && clients[$ii]->clientAsMask == $arg0 && clients[$ii]->osPrivate != 0)
     >     print ((OsCommPtr)(clients[$ii]->osPrivate))->fd
     >   end
     >   set $ii = $ii + 1
     > end
     > end
     (gdb) attach 1237
     (gdb) findclient 0x1600000
     $1 = 31
     (gdb) detach
     (gdb) quit
    
  3. Now you know that the client is connected to server socket 31. Use lsof to find what that socket is:

     $ sudo lsof -n | grep 1237 | grep 31
     X        1237    root   31u   unix 0xffff810008339340       8512422 socket
    

    (here "X" is the process name, "1237" is its pid, "root" is the user it's running from, "31u" is a socket descriptor)

    There you may see that the client is connected over TCP, then you can go to the machine it's connected from and check netstat -nap there to find the process. But most probably you'll see a unix socket there, as shown above, which means it's a local client.

  4. To find a pair for that unix socket you can use MvG's technique (you'll also need debug information for your kernel installed):

     $ sudo gdb -c /proc/kcore
     (gdb) print ((struct unix_sock*)0xffff810008339340)->peer
     $1 = (struct sock *) 0xffff810008339600
     (gdb) quit
    
  5. Now that you know the client socket, use lsof to find the PID holding it:

     $ sudo lsof -n | grep 0xffff810008339600
     firefox  7725  username  146u   unix 0xffff810008339600       8512421 socket
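
An added example, not part of the original answer: steps 3 to 5 (socket on a given fd, its peer, the process holding the peer) done by parsing the output of `ss -xpn` instead of reading kernel memory. It assumes the iproute2 `ss` column layout for unix sockets; the sample output is constructed and reuses the PIDs, fds and inodes shown above, and the function names are hypothetical.

```python
import re

# Constructed sample of `ss -xpn` output (run as root so the Process column
# is populated); PIDs, fds and inodes reuse the values from the answer above.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str ESTAB  0      0      /tmp/.X11-unix/X0 8512422 * 8512421 users:(("X",pid=1237,fd=31))
u_str ESTAB  0      0      * 8512421 * 8512422 users:(("firefox",pid=7725,fd=146))
u_str ESTAB  0      0      /tmp/.X11-unix/X0 8512500 * 8512499 users:(("X",pid=1237,fd=32))
u_str ESTAB  0      0      * 8512499 * 8512500 users:(("xterm",pid=8001,fd=3))
u_str LISTEN 0      128    /tmp/.X11-unix/X0 9001 * 0 users:(("X",pid=1237,fd=5))
"""

USER_RE = re.compile(r'\("([^"]*)",pid=(\d+),fd=(\d+)\)')

def parse_ss_unix(text):
    """Return one dict per unix socket: local inode, peer inode, owners."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        # Data rows start with u_str/u_dgr/u_seq; this skips the header.
        if len(f) < 8 or not f[0].startswith("u_"):
            continue
        if not (f[5].isdigit() and f[7].isdigit()):
            continue  # e.g. a socket path containing spaces; not handled here
        owners = [(name, int(pid), int(fd))
                  for name, pid, fd in USER_RE.findall(" ".join(f[8:]))]
        sockets.append({"inode": int(f[5]), "peer": int(f[7]), "owners": owners})
    return sockets

def find_peer(sockets, pid, fd):
    """Owners of the socket at the other end of (pid, fd), or [] if none."""
    by_inode = {s["inode"]: s for s in sockets}
    for s in sockets:
        if any(p == pid and d == fd for _, p, d in s["owners"]):
            peer = by_inode.get(s["peer"])  # peer inode 0 means unconnected
            return peer["owners"] if peer else []
    return []

if __name__ == "__main__":
    print(find_peer(parse_ss_unix(SAMPLE_SS), 1237, 31))
```

On a live system, feed `parse_ss_unix` the text captured from `ss -xpn` run as root; without root the Process column is empty for other users' sockets and the owner lists come back empty.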
    
Great answer - fixing up some grammar for you.
and see what process have just died. Of course if you don't mind it to die.

and see which process just died. But only if you don't mind killing it of course!

Guest