Feb 11, 2010

Mac OS X : Open Ports, Network Connections, PIDs

Yesterday, my MacBook Pro was acting VERY strangely. I was hacked! (or so I thought) I feared that some evildoer hacked my home network and ran amuck.

Quickly, I had to figure out what was happening on my network. I wanted to know what ports were open, what connections were live and which applications were using those connections. Finding Linux info was easy. Mac OS X info? Not so much!

After hunting dozens of Google pages, here's what I've come up with:

Check All Network Connections
Run the following shell command to display all network connections:
netstat -an | grep 'LIS\|WAIT\|Recv-Q'

This will show all ESTABLISHED, LISTEN and TIME_WAIT connections (the pattern LIS matches both ESTABLISHED and LISTEN) and also display the header row, which Recv-Q matches, for convenience.

Show Processes On Network
The command above is good but it doesn't show you WHO is on those ports. The following allows us to see the PID and Name of each process using the network!
sudo lsof -Pnl +M -i

Note: the first flag is -Pnl (the last character is a lowercase L, not a one). The first time I ran the lsof command, I couldn't see the ports that were listening. This was my main concern (evildoers love listening on ports). The key is to run this command as root (via sudo); without root, lsof only reports sockets that belong to your own user's processes. Also note, with the netstat call, you can use egrep 'LIS|WAIT'. Honestly, I haven't gotten around to learning what egrep does. All I know is you don't have to escape the | symbol with egrep.
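
As an added example (not part of the original post), the shell function below reads the output of the lsof command above and lists each TCP listener once, labelled by whether it is bound to loopback, a specific address, or all interfaces. The function names and the sample rows are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise TCP listeners from `lsof -Pnl +M -i` output.
# Real use:  sudo lsof -Pnl +M -i | summarize_listeners

# Prints: scope <TAB> port <TAB> command <TAB> pid <TAB> uid, one row per listener.
summarize_listeners() {
  awk '
    # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
    $8 == "TCP" && $NF == "(LISTEN)" {
      name = $9
      sub(/\[[^]]*\]$/, "", name)            # drop a +M portmapper tag such as [portmapper]
      port = name; sub(/^.*:/, "", port)     # text after the last colon
      addr = name; sub(/:[^:]*$/, "", addr)  # text before the last colon
      if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
      else if (addr == "*")                   scope = "all-interfaces"
      else                                    scope = "specific-address"
      printf "%s\t%s\t%s\t%s\t%s\n", scope, port, $1, $2, $3
    }
  ' | LC_ALL=C sort -u \
    | LC_ALL=C sort -t "$(printf '\t')" -k1,1 -k2,2n
}

# Constructed sample of lsof output (not captured from a real machine).
sample_lsof_output() {
  cat <<'EOF'
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1    0   22u  IPv6 0x01        0t0  TCP *:22 (LISTEN)
launchd       1    0   23u  IPv4 0x02        0t0  TCP *:22 (LISTEN)
cupsd        48    0    7u  IPv4 0x03        0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd        48    0    8u  IPv6 0x04        0t0  TCP [::1]:631 (LISTEN)
mDNSRespo    35   65    8u  IPv4 0x05        0t0  UDP *:5353
Safari      312  501   14u  IPv4 0x06        0t0  TCP 192.168.1.5:49321->192.0.2.10:443 (ESTABLISHED)
rpcbind      60    1    5u  IPv4 0x07        0t0  TCP *:111[portmapper] (LISTEN)
EOF
}

# Demo run on the constructed sample; all-interfaces rows sort first.
sample_lsof_output | summarize_listeners
```

Rows labelled all-interfaces are the ones reachable from other machines on the network, so they are the first to compare against the services you expect to be running.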
