4

On Linux, is there a way to figure out what process was using a port before it went into TIME_WAIT state?

When I use netstat -tnp I just see two end points, but no process information.

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:38805         127.0.0.1:111           TIME_WAIT   -

2 Answers

3

No, the system just doesn't keep track of this.

TCPView shows quite clearly that closed sockets which fall in the TIME_WAIT state are instantly re-assigned to process 0 (System).


Sorry, I misread your question; the above answer refers to Windows systems.
However, I think the same happens on Linux systems, too.

3

In my case, tracing socket opens greatly helps me to spot TIME_WAIT states (since it typically means that my application is repeatedly creating sockets).

Based on "How can I identify which process is making UDP traffic on Linux?", I tried auditctl. "-S socket" does not work on my Ubuntu, but the code below (optionally adding -F pid=$(pgrep -x yourApplication)) is quite good at spotting socket creations:

auditctl -a exit,always -S socketcall -F uid=$USER -F a0=1 -F a3=1 -k OPEN_SOCKETS 
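
An added example, not part of the answer above: with a rule keyed OPEN_SOCKETS loaded, the audit log can be summarised per process to see which program keeps creating sockets. The function names are hypothetical, and the log lines are constructed samples with a shortened field list.

```shell
#!/bin/sh
# Count socket-creation audit records per process.
# Reads raw audit log lines on stdin and prints "count pid comm exe",
# busiest process first. Optional $1 is the rule key (default OPEN_SOCKETS).
count_socket_opens() {
    key="${1:-OPEN_SOCKETS}"
    awk -v want="key=\"$key\"" '
        $1 == "type=SYSCALL" {
            pid = comm = exe = ""; hit = 0
            # Raw audit records are space-separated name=value pairs;
            # match whole field names so ppid= is never taken for pid=.
            for (i = 2; i <= NF; i++) {
                if ($i == want) hit = 1
                eq = index($i, "=")
                name = substr($i, 1, eq - 1)
                val = substr($i, eq + 1)
                gsub(/"/, "", val)
                if (name == "pid") pid = val
                else if (name == "comm") comm = val
                else if (name == "exe") exe = val
            }
            if (hit && pid != "") n[pid " " comm " " exe]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,2n
}

# Constructed sample records (not captured from a real system).
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bf9e2c10 a2=0 a3=1 items=0 ppid=900 pid=4242 uid=1000 comm="myapp" exe="/opt/myapp/myapp" key="OPEN_SOCKETS"
type=SYSCALL msg=audit(1700000000.350:502): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bf9e2c10 a2=0 a3=1 items=0 ppid=900 pid=4242 uid=1000 comm="myapp" exe="/opt/myapp/myapp" key="OPEN_SOCKETS"
type=SOCKADDR msg=audit(1700000000.351:503): saddr=02000050
type=SYSCALL msg=audit(1700000000.720:504): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfd01a20 a2=0 a3=1 items=0 ppid=4242 pid=777 uid=1000 comm="curl" exe="/usr/bin/curl" key="OPEN_SOCKETS"
type=SYSCALL msg=audit(1700000000.900:505): arch=40000003 syscall=5 success=yes exit=5 a0=1 a1=0 a2=0 a3=1 items=1 ppid=900 pid=4242 uid=1000 comm="myapp" exe="/opt/myapp/myapp" key="OTHER"
type=SYSCALL msg=audit(1700000001.010:506): arch=40000003 syscall=102 success=yes exit=5 a0=1 a1=bf9e2c10 a2=0 a3=1 items=0 ppid=900 pid=4242 uid=1000 comm="myapp" exe="/opt/myapp/myapp" key="OPEN_SOCKETS"
EOF
}

sample_audit_log | count_socket_opens
```

On a live system the same function can read the audit log directly, for example `count_socket_opens < /var/log/audit/audit.log` run as root, assuming the default auditd log location.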
