Several issues when using netstat and lsof on macOS


1-Related instructions

1.1-Blog Introduction

This post introduces netstat and lsof, what each one does, and how to use them on macOS.

1.2-netstat and lsof

Netstat

The netstat command displays network-related information: active connections, routing tables, interface statistics, multicast memberships and so on (the Linux version also shows masqueraded connections; the macOS version does not).

lsof

lsof (list open files) lists the files currently open on the system. Because on Unix sockets, pipes and devices are files too, it also lists network sockets. Typing lsof in a terminal with no arguments prints every open file of every process it is allowed to see. Because lsof reads kernel memory and other users' process state, it must be run as root to show everything; as an ordinary user it only shows your own processes.


2- The learning process

2.1-netstat

When we run the common command netstat -a, output like the following appears:

Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)    
tcp4       0      0  localhost.53617        tg-in-f138.1e100.https SYN_SENT   
tcp4       0      0  localhost.53616        tg-in-f138.1e100.https SYN_SENT   
tcp4       0      0  localhost.53615        tg-in-f101.1e100.https SYN_SENT   

It can be seen that netstat displays the network status of our machine. The following flags control what is printed:
First, the individual flags:
-a (all) Show all sockets, including those in LISTEN state, which are omitted by default
-n Do not resolve names; print addresses and ports as numbers. This is faster and avoids reverse-DNS lookups, which matter during incident response because they can hang on an unreachable resolver and can reveal to whoever runs the DNS which hosts you are looking at
-b With the interface display (-i), show the number of bytes in and out
-s Show statistics for each protocol
-w wait Repeat the display every wait seconds
More options are described in man netstat and are not listed here (mainly because it is too much trouble, too lazy to write).
Tip: You must add -a to see sockets in LISTEN state (LISTENING is the Windows spelling; macOS prints LISTEN).
Tip: macOS and Linux netstat take different flags, so do not use Linux invocations on a Mac. In particular the Linux -p (show PID and program name) does not exist on macOS, where -p selects a protocol (for example netstat -an -p tcp); to map a port to a process on macOS you need lsof.

For example:
To list IPv4 TCP/UDP sockets, use netstat -f inet (the argument to -f is the address family). This is one of the most common invocations, since these are the sockets through which the machine reaches the Internet:

Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)    
tcp4       0      0  172.30.3.1.56841       ti-in-f102.1e100.https SYN_SENT   
tcp4       0      0  172.30.3.1.56840       ti-in-f102.1e100.https SYN_SENT   
tcp4       0      0  172.30.3.1.56839       hkg07s24-in-f10..https SYN_SENT   
tcp4       0      0  172.30.3.1.56838       ti-in-f113.1e100.https SYN_SENT   
udp4       0      0  *.65444                *.*                               
udp4       0      0  *.52623                *.*                               
udp4       0      0  *.59390                *.*                               
udp4       0      0  *.63755                *.*      

What may follow -f is described in the man page:

-f address_family
           Limit statistics or address control block reports to those of the specified address family.  The
           following address families are recognized: inet, for AF_INET, inet6, for AF_INET6 and unix, for
           AF_UNIX.

The (state) column holds the TCP connection state. The states are:

  • LISTEN: (Listening for a connection.) Waiting for a connection request from any remote TCP and port

  • SYN-SENT: (Active; sent SYN. Waiting for a matching connection request after having sent a connection request.) A connection request has been sent and the local TCP is waiting for the matching reply

  • SYN-RECEIVED: (Sent and received SYN. Waiting for a confirming connection request acknowledgment after having both received and sent connection requests.) A connection request has been both received and sent; waiting for the other side to confirm it

  • ESTABLISHED: (Connection established.) An open connection; data can flow in both directions

  • FIN-WAIT-1: (Closed; sent FIN.) Waiting for a connection termination request from the remote TCP, or for an acknowledgment of the termination request already sent

  • FIN-WAIT-2: (Closed; FIN is acknowledged; awaiting FIN.) Waiting for a connection termination request from the remote TCP

  • CLOSE-WAIT: (Received FIN; waiting to receive CLOSE.) Waiting for the local application to close the connection

  • CLOSING: (Closed; exchanged FIN; waiting for FIN.) Waiting for the remote TCP to acknowledge the connection termination request

  • LAST-ACK: (Received FIN and CLOSE; waiting for FIN ACK.) Waiting for the remote TCP to acknowledge the termination request that was sent to it

  • TIME-WAIT: (In 2 MSL (twice the Maximum Segment Lifetime) quiet wait after close.) Waiting long enough to be sure the remote TCP received the acknowledgment of its termination request

  • CLOSED: (Connection is closed.) No connection state at all
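As an added example that is not part of the original post, the following shell script turns netstat -an output into the two summaries a practitioner usually wants first: a tally of connections per state, and the foreign hosts that have several connections stuck in SYN_SENT, as in the post's own listing where one Google front end accounts for every half-open socket. The sample listing is constructed to mimic the post's output (the addresses are illustrative), so the script runs without a Mac; on macOS feed it real data with netstat -an | tally_states.

```shell
#!/bin/sh
# Added example, not from the original post: summarize macOS `netstat -an`
# output with awk. The sample below is constructed to mimic the post's
# listings (addresses illustrative) so the script also runs offline.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  172.30.3.1.56841       74.125.23.102.443      SYN_SENT
tcp4       0      0  172.30.3.1.56840       74.125.23.102.443      SYN_SENT
tcp4       0      0  172.30.3.1.56839       74.125.23.102.443      SYN_SENT
tcp4       0      0  192.168.43.135.55147   50.17.234.140.443      ESTABLISHED
tcp4       0      0  172.30.3.1.60430       50.16.240.181.443      TIME_WAIT
tcp4       0      0  127.0.0.1.30100        *.*                    LISTEN
tcp46      0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.65444                *.*'

# "STATE count" for every TCP socket, most common state first.
# macOS prints the state in column 6 of tcp rows; udp rows have no state.
tally_states() {
    awk '$1 ~ /^tcp/ && NF >= 6 { n[$6]++ }
         END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# "peer count" for every foreign host with at least $1 (default 2) sockets
# in SYN_SENT. netstat writes addresses as host.port, so the port is
# whatever follows the last dot. Repeated SYN_SENT to one peer means the
# peer is not answering (down, filtered or sinkholed); SYN_SENT to many
# different peers from one local process looks like a scan.
half_open_peers() {
    awk -v min="${1:-2}" '$1 ~ /^tcp/ && $6 == "SYN_SENT" {
             host = $5; sub(/\.[^.]*$/, "", host); n[host]++ }
         END { for (h in n) if (n[h] >= min) print h, n[h] }' | sort
}

printf '%s\n' "$SAMPLE_NETSTAT" | tally_states
printf '%s\n' "$SAMPLE_NETSTAT" | half_open_peers 2
```

Both functions read from standard input, so they can be chained onto any netstat invocation; use -n so the peer column contains addresses rather than names that may differ between runs.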


2.2-lsof

If we run the lsof command with no arguments, output like the following is produced:

COMMAND     PID USER   FD      TYPE             DEVICE   SIZE/OFF       NODE NAME
... (omitted)
Atom      65310  mac   19u   KQUEUE                                          count=0, state=0xa
Atom      65310  mac   20   NPOLICY                                          
Atom      65310  mac   21      PIPE 0x929a75eee67536e9      16384            ->0x929a75eee67528a9
Atom      65310  mac   22      PIPE 0x929a75eee67528a9      16384            ->0x929a75eee67536e9
Atom      65310  mac   23      PIPE 0x929a75eee67527e9      16384            ->0x929a75eee6752669
Atom      65310  mac   24      PIPE 0x929a75eee6752669      16384            ->0x929a75eee67527e9
Atom      65310  mac   25      PIPE 0x929a75eee6753c29      16384            ->0x929a75eee6750fe9
Atom      65310  mac   26      PIPE 0x929a75eee6750fe9      16384            ->0x929a75eee6753c29
Atom      65310  mac   27u   KQUEUE                                          count=0, state=0x8

Here is a description of each field:

  • COMMAND: the name of the process (truncated to nine characters by default, with spaces escaped as \x20, as in the Adobe line further down)
  • PID: process identifier
  • USER: process owner
  • FD: file descriptor. Either a number with an access-mode suffix (r read, w write, u read and write), or a label such as cwd (current working directory), txt (program text: the executable and the libraries it loaded) or mem (memory-mapped file)
  • TYPE: file type, such as DIR, REG (regular file), IPv4/IPv6 (Internet socket), PIPE, KQUEUE, unix (Unix domain socket)
  • DEVICE: the device numbers (major,minor) of the file system holding the file; for sockets and pipes, a kernel address instead
  • SIZE/OFF: the file size or the current offset (0t0 is an offset of zero)
  • NODE: the inode number of a file; for Internet sockets, the protocol (TCP or UDP)
  • NAME: the path of the open file; for sockets, the local and remote addresses and the connection state

Several common operations

  1. Use lsof -i :[port] to see what is using a port right now. Note that -i :port matches the port on either end of a connection, so besides a local listener on 443 this also lists every outbound connection to a remote port 443:

    blackay-MacBook-Air:~ mac$ lsof -i:443
    COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
    node      24659  mac   38u  IPv4 0x929a75eee50611b1      0t0  TCP 172.30.3.1:60430->ec2-50-16-240-181.compute-1.amazonaws.com:https (ESTABLISHED)
    node      33752  mac   38u  IPv4 0x929a75eee74831b1      0t0  TCP 192.168.43.135:55147->ec2-50-17-234-140.compute-1.amazonaws.com:https (ESTABLISHED)
    node      40504  mac   23u  IPv4 0x929a75eeed976ef1      0t0  TCP 172.30.3.1:62175->ec2-50-19-252-69.compute-1.amazonaws.com:https (ESTABLISHED)
    node      40504  mac   36u  IPv4 0x929a75eee94fa851      0t0  TCP 172.30.3.1:62180->ec2-50-19-252-69.compute-1.amazonaws.com:https (ESTABLISHED)
    node      41729  mac   30u  IPv4 0x929a75eeead5eb11      0t0  TCP 192.168.43.135:64612->ec2-50-16-232-79.compute-1.amazonaws.com:https (ESTABLISHED)
    Google    48559  mac   19u  IPv4 0x929a75eee9c25b11      0t0  TCP 172.30.3.1:56594->ti-in-f100.1e100.net:https (SYN_SENT)
    Google    48559  mac   81u  IPv4 0x929a75eee9d87b11      0t0  TCP 172.30.3.1:56598->ti-in-f113.1e100.net:https (SYN_SENT)
  2. Use sudo lsof -nP -iTCP -sTCP:LISTEN to see which ports programs are listening on (-n and -P skip host and port name resolution; sudo is needed to see daemons running as other users):

    MacBook-Air:~ mac$ sudo lsof -nP -iTCP -sTCP:LISTEN
    COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
    QQMacMgrM   600  mac    3u  IPv4 0x929a75eee5126851      0t0  TCP 127.0.0.1:50154 (LISTEN)
    QQMacMgrM   600  mac   10u  IPv4 0x929a75eee5568851      0t0  TCP 127.0.0.1:30100 (LISTEN)
    QQMacMgrM   600  mac   32u  IPv4 0x929a75eee5568851      0t0  TCP 127.0.0.1:30100 (LISTEN)
    Adobe\x20   663  mac    8u  IPv4 0x929a75eee5799591      0t0  TCP 127.0.0.1:15292 (LISTEN)
  3. Use lsof -p [pid] to list every file a process has open. The txt entries are the executable and the libraries it loaded, which is a quick way to spot a binary running from an unexpected path:

    MacBook-Air:~ mac$ lsof -p 59037
    COMMAND   PID USER   FD      TYPE             DEVICE   SIZE/OFF       NODE NAME
    QQ      59037  mac  cwd       DIR                1,4        384     915270 /Users/mac/Library/Containers/com.tencent.qq/Data
    QQ      59037  mac  txt       REG                1,4   39443376 8594340462 /Applications/QQ.app/Contents/MacOS/QQ
    QQ      59037  mac  txt       REG                1,4     585744 8594339489 /Applications/QQ.app/Contents/Frameworks/FTMiniNN.framework/Versions/A/FTMiniNN
    QQ      59037  mac  txt       RE

    PS: PID (Process Identification) is the process identifier assigned by the operating system. Every time a program is started the system automatically assigns it a PID, and the running program keeps that number until it exits; each further program started is given a different one. A PID is only temporarily unique: after the process dies the number is reclaimed and may be assigned to a new process, so a PID noted from lsof output identifies a process only for as long as that process is running.


2.3-netstat and lsof difference and association

netstat has no permission control: any user sees every socket on the host, but on macOS it cannot show which process owns a socket.
lsof is subject to permission control: an ordinary user sees only their own processes (use sudo to see everyone's), but it shows the PID and the user, so it can tell which process occupies a port.

Some people may think the two have similar functions. Looking closely, they are quite different, even complementary, and they are strongest when used together. The main reason I use lsof is that when I query connection state with netstat, it does not display the name of the program using the port or anything about it, so I use lsof to make up for that gap.
How does this work in practice? For example, through netstat I found a connection using local port 55147:

Proto Recv-Q Send-Q  Local Address          Foreign Address
tcp4       0      0  192.168.43.135.55147   50.17.234.140.443

Then, to find which program uses port 55147, I can run lsof -nP -i :55147 (as noted above, -i :port matches either end; here only the local side carries that port). The matching row is the one already visible in the lsof -i:443 listing earlier:

COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
node    33752  mac   38u  IPv4 0x929a75eee74831b1      0t0  TCP 192.168.43.135:55147->ec2-50-17-234-140.compute-1.amazonaws.com:https (ESTABLISHED)

Having found the program and its PID, I can even see which files it has touched with lsof -p [PID]; here, for the other node process, PID 24659, from the lsof -i:443 listing above:

COMMAND   PID USER   FD      TYPE             DEVICE   SIZE/OFF       NODE NAME
node    24659  mac  cwd       DIR                1,4       1120          2 /
node    24659  mac  txt       REG                1,4   30482564 8597437279 /Applications/Atom.app/Contents/Resources/app/apm/bin/node
node    24659  mac  txt       REG                1,4    1112560 8597441970 /Applications/Atom.app/Contents/Resources/app/apm/node_modules/git-utils/build/Release/git.node
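As an added example that is not part of the original post, the script below does the lsof half of the workflow just described with awk, on a sample listing constructed to mimic the post's lsof -nP -iTCP output (the sshd and python3 rows are invented to show an exposed listener). It answers the three questions chained above: which process owns a given local port, which process is behind each remote peer, and which listeners are bound to something other than loopback and are therefore reachable from the network. On a Mac, run sudo lsof -nP -iTCP | exposed_listeners; -n and -P keep the NAME column numeric, which is what makes it stable to parse.

```shell
#!/bin/sh
# Added example, not from the original post: parse `lsof -nP -iTCP` output
# (macOS column layout: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# (STATE)). The sample is constructed; the sshd/python3 rows are invented.

SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
node      33752  mac   38u  IPv4 0x929a75eee74831b1      0t0  TCP 192.168.43.135:55147->50.17.234.140:443 (ESTABLISHED)
node      24659  mac   38u  IPv4 0x929a75eee50611b1      0t0  TCP 172.30.3.1:60430->50.16.240.181:443 (ESTABLISHED)
QQMacMgrM   600  mac   10u  IPv4 0x929a75eee5568851      0t0  TCP 127.0.0.1:30100 (LISTEN)
Adobe\x20   663  mac    8u  IPv4 0x929a75eee5799591      0t0  TCP 127.0.0.1:15292 (LISTEN)
sshd        412 root    3u  IPv6 0x929a75eee51268a1      0t0  TCP *:22 (LISTEN)
python3     901  mac    4u  IPv4 0x929a75eee5126bb1      0t0  TCP *:8080 (LISTEN)'

# "COMMAND PID USER" for every TCP socket whose LOCAL port is $1.
# Unlike `lsof -i :port`, this ignores the remote side: the NAME column is
# "local->remote" for connections, so everything after "->" is dropped,
# and the port is whatever follows the last colon ("[::1]:80" works too).
owner_of_port() {
    awk -v port="$1" '$8 == "TCP" {
        lhs = $9; sub(/->.*/, "", lhs)
        n = split(lhs, p, ":")
        if (p[n] == port) print $1, $2, $3 }'
}

# "PEER COMMAND PID USER" for every socket that has a remote side
# (ESTABLISHED, SYN_SENT, ...): the list to review when hunting for
# unexpected outbound traffic.
peer_owners() {
    awk '$8 == "TCP" && $9 ~ /->/ {
        peer = $9; sub(/.*->/, "", peer)
        print peer, $1, $2, $3 }' | sort
}

# "ADDR COMMAND PID USER" for listeners not bound to loopback. "*" means all
# addresses; any other non-loopback address is also reachable from outside.
exposed_listeners() {
    awk '$8 == "TCP" && $10 == "(LISTEN)" &&
         $9 !~ /^(127\.0\.0\.1|\[::1\]|localhost):/ {
        print $9, $1, $2, $3 }' | sort
}

printf '%s\n' "$SAMPLE_LSOF" | owner_of_port 55147
printf '%s\n' "$SAMPLE_LSOF" | peer_owners
printf '%s\n' "$SAMPLE_LSOF" | exposed_listeners
```

Once owner_of_port has given you a PID, lsof -p that PID is the next step, exactly as in the post; remember that the PID is only valid while the process lives.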

So what is the point of all this? Originally I wanted to analyze, through network monitoring, whether there is malicious code or a malicious program running on the computer. By using these two commands together I can accurately determine the full state of every suspicious connection.


3- References

More than 30 blog posts were referenced; here are the most important ones.

