a life of coding

Friday, June 15, 2007

Open Network Sockets on Mac OS X

This is one of those things that constantly annoys me. On Linux, netstat tells me the list of currently active network connections, including (often most importantly) listening connections. Just knowing that something is running on port 8080 tips me off that I probably have an Apache or Java EJB process running (or maybe a swiki) - a trip to localhost:8080 will answer my question. But what if this port isn't an HTTP server, and doesn't speak when connected to? Now you have a dilemma - there's no way of knowing what has this port open.

Fortunately this is a solved problem on Linux. netstat has some options that tell you the PID of the process with the port open. From here you can use ps to find the name of the process, its path, the user who started it, etc. BTW, you need to run netstat as root to see other people's PID's and those of services.

Well, you know what comes next - netstat on the Mac doesn't show PID's! WTF! Speaking of commands that Mac OS X doesn't have, fuser is missing as well. fuser on Linux tells you which processes have a specific file open - very useful if you're cleaning up files and one has is locked. Well, Mac OS X (BSD really) doesn't have fuser... but it does have a command called lsof. lsof isn't quite as user friendly as fuser. It only has one mode, which is to list every open file that is visible to you (this is a subtle hint that you should run it as root to see more files). This means that fuser <filename> roughly translates to lsof | grep <filename>. Very useful for finding that stray service that has outlived its welcome and is holding files hostage.

Still, the problem at hand is finding the PID of network sockets. It turns out that in POSIX, network sockets are pretty much the same as files. This means that they show up in lsof if you ask nicely. And since lsof shows PID's (it even gets fancy and shows the process name), it turns out to be the solution. So, here's the money shot:

sudo lsof -i -P

This produces something that looks like:


COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd 1 root 9u IPv4 0x01d96e10 0t0 UDP *:137
launchd 1 root 10u IPv4 0x020dbe8c 0t0 TCP *:139 (LISTEN)
launchd 1 root 11u IPv4 0x020dbb38 0t0 TCP *:445 (LISTEN)
launchd 1 root 12u IPv6 0x01d99c50 0t0 TCP *:22 (LISTEN)
launchd 1 root 13u IPv4 0x020db7e4 0t0 TCP *:22 (LISTEN)
mDNSRespo 43 root 7u IPv4 0x01d96ad0 0t0 UDP *:5353
mDNSRespo 43 root 8u IPv6 0x01d96a00 0t0 UDP *:5353
mDNSRespo 43 root 9u IPv4 0x03379d40 0t0 UDP *:5353
mDNSRespo 43 root 13u IPv4 0x03379860 0t0 UDP 192.168.1.100:53891
mDNSRespo 43 root 14u IPv4 0x032f82a4 0t0 TCP *:* (CLOSED)
mDNSRespo 43 root 15u IPv4 0x02edb554 0t0 TCP 192.168.1.100:5000 (LISTEN)
mDNSRespo 43 root 16u IPv4 0x020da098 0t0 TCP *:* (CLOSED)

... (lots more here)

If you don't have root access, you can still use lsof, but you won't see the plethora of system services and other users processes.

6 Comments:

  • wow, thank you so much for this post! i was looking for the exact same thing – trying to figure out why my computer was being connected to an IRC server despite me never actually explicitly connecting to it – and this post provided exactly what i was looking for – a way to determine which process was using a given network connection.

    thanks!

    By Blogger lensovet, At 10/29/07 9:35 PM  

  • Thanks for this post. I've been looking for this for awhile. I had thought maybe I just didn't know the correct way to use the Mac OS version of netstat.

    By Anonymous radostyle, At 11/30/07 5:01 PM  

  • Wonderful post. That is just what I needed!

    Thanks

    By Anonymous Anonymous, At 3/31/08 11:30 PM  

  • Yay, thanks for the info! This is finally the equivalent of the Linux "netstat -naptu" on MacOS X I've been searching!

    By Anonymous Gust, At 7/21/08 4:58 AM  

  • Yeah, BSD is a bit different. Took me weeks to find out that netstat -r prints the routes :)

    By Anonymous zagy, At 9/18/08 3:58 AM  

Post a Comment



<$I18N$LinksToThisPost>:

Create a Link

<< Home