1-Related instructions
1.1-Blog Introduction
This blog mainly introduces the use of netstat and lsof and their functions in the Mac environment.
1.2-netstat and lsof
Netstat
The netstat command displays various kinds of network-related information: network connections, routing tables, interface statistics, masqueraded connections, multicast memberships, and so on.
lsof
lsof (list open files) is a tool that lists the files currently open on the system. Typing lsof in a terminal shows the files the system has open. Because lsof needs to read kernel memory and all kinds of files, it must be run as root to show everything it can.
2- The learning process
2.1-netstat
When we run the common command netstat -a, output like the following appears:
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 localhost.53617 tg-in-f138.1e100.https SYN_SENT
tcp4 0 0 localhost.53616 tg-in-f138.1e100.https SYN_SENT
tcp4 0 0 localhost.53615 tg-in-f101.1e100.https SYN_SENT
As can be seen, netstat displays the network status of our machine. The following describes how to get the output we want through its parameters.
First, each parameter:
-a (all) Show all sockets; without it, sockets in the LISTEN state are not shown
-n Do not resolve names; show all addresses and ports as numbers
-b Show the number of bytes in and out
-s Show statistics for each protocol
-w wait Repeat the display every wait seconds
For more detail refer to man netstat; the rest is not listed here (mainly too troublesome, too lazy to write).
Tip: you must add -a to see sockets in the LISTEN and LISTENING states.
Tip: the Mac and Linux options differ; remember not to use Linux options on a Mac.
For example, to list all TCP/UDP sockets: netstat -f address_family
This is one of the more commonly used forms, since we usually reach the Internet through these two protocols:
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 172.30.3.1.56841 ti-in-f102.1e100.https SYN_SENT
tcp4 0 0 172.30.3.1.56840 ti-in-f102.1e100.https SYN_SENT
tcp4 0 0 172.30.3.1.56839 hkg07s24-in-f10..https SYN_SENT
tcp4 0 0 172.30.3.1.56838 ti-in-f113.1e100.https SYN_SENT
udp4 0 0 *.65444 *.*
udp4 0 0 *.52623 *.*
udp4 0 0 *.59390 *.*
udp4 0 0 *.63755 *.*
How to fill in the address_family after -f is written in man:
-f address_family
Limit statistics or address control block reports to those of the specified address family. The following address families are recognized: inet, for AF_INET, inet6, for AF_INET6 and unix, for AF_UNIX.
Here is a look at the states again:
LISTEN: (Listening for a connection.) Waiting for a connection request from a remote TCP port
SYN-SENT: (Active; sent SYN. Waiting for a matching connection request after having sent a connection request.) A connection request has been sent; waiting for a matching connection request
SYN-RECEIVED: (Sent and received SYN. Waiting for a confirming connection request acknowledgment after having both received and sent connection requests.) After both receiving and sending a connection request, waiting for the other side to acknowledge the connection request
ESTABLISHED: (Connection established.) An open connection; data can be transferred
FIN-WAIT-1: (Closed; sent FIN.) Waiting for a connection termination request from the remote TCP, or for an acknowledgment of the termination request previously sent
FIN-WAIT-2: (Closed; FIN is acknowledged; awaiting FIN.) Waiting for a connection termination request from the remote TCP
CLOSE-WAIT: (Received FIN; waiting to receive CLOSE.) Waiting for a connection termination request from the local user
CLOSING: (Closed; exchanged FIN; waiting for FIN.) Waiting for the remote TCP to acknowledge the connection termination request
LAST-ACK: (Received FIN and CLOSE; waiting for FIN ACK.) Waiting for an acknowledgment of the connection termination request previously sent to the remote TCP
TIME-WAIT: (In 2 MSL (twice the maximum segment lifetime) quiet wait after close.) Waiting long enough to be sure the remote TCP received the acknowledgment of its connection termination request
CLOSED: (Connection is closed.) No connection state at all
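To make the (state) column useful in practice, the small script below, added here as an example and not part of the original post, summarises netstat output: it counts TCP sockets per state, lists which peers a given state points at (a long run of SYN_SENT to one peer, like the burst in the output above, is the pattern to look into), and reports listeners bound to every interface. The sample netstat output is constructed with RFC 5737 test addresses, and the functions read from stdin so they can be fed the real command instead (netstat -an -f inet | tcp_state_counts). It assumes the macOS column layout shown above, with the state as the 6th field.

```shell
#!/bin/sh
# Added example, not code from the original post. Summarises macOS
# `netstat -an -f inet` output. Each function reads netstat output from stdin.

# Constructed sample in the macOS netstat layout (RFC 5737 test addresses,
# not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  172.30.3.1.56841       198.51.100.7.443       SYN_SENT
tcp4       0      0  172.30.3.1.56840       198.51.100.7.443       SYN_SENT
tcp4       0      0  172.30.3.1.56839       203.0.113.9.443        SYN_SENT
tcp4       0      0  192.168.43.135.55147   198.51.100.20.443      ESTABLISHED
tcp4       0      0  127.0.0.1.30100        *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.65444                *.*'

# Count TCP sockets per state. The (state) column is the 6th field and UDP
# rows have no state, so only tcp* rows are counted. Output: "STATE count".
tcp_state_counts() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print s, n[s] }' | sort
}

# Foreign addresses of TCP sockets in one state, most frequent first,
# printed as "peer count".
tcp_peers_in_state() {
    awk -v st="$1" '$1 ~ /^tcp/ && $6 == st { print $5 }' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Listening TCP sockets whose local address is "*.port", i.e. bound to every
# interface rather than loopback only; these are reachable from the network.
tcp_listeners_on_all_interfaces() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /^\*\./ { sub(/^\*\./, "", $4); print $4 }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | tcp_state_counts
printf '%s\n' "$SAMPLE_NETSTAT" | tcp_peers_in_state SYN_SENT
printf '%s\n' "$SAMPLE_NETSTAT" | tcp_listeners_on_all_interfaces
```

On the sample this reports one ESTABLISHED, two LISTEN and three SYN_SENT sockets, shows that two of the three SYN_SENT attempts go to the same peer, and flags port 22 as the only listener exposed on all interfaces.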
2.2-lsof
If we execute the lsof command directly, output like the following is produced:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
... (omitted)
Atom 65310 mac 19u KQUEUE count=0, state=0xa
Atom 65310 mac 20 NPOLICY
Atom 65310 mac 21 PIPE 0x929a75eee67536e9 16384 ->0x929a75eee67528a9
Atom 65310 mac 22 PIPE 0x929a75eee67528a9 16384 ->0x929a75eee67536e9
Atom 65310 mac 23 PIPE 0x929a75eee67527e9 16384 ->0x929a75eee6752669
Atom 65310 mac 24 PIPE 0x929a75eee6752669 16384 ->0x929a75eee67527e9
Atom 65310 mac 25 PIPE 0x929a75eee6753c29 16384 ->0x929a75eee6750fe9
Atom 65310 mac 26 PIPE 0x929a75eee6750fe9 16384 ->0x929a75eee6753c29
Atom 65310 mac 27u KQUEUE count=0, state=0x8
Here is a description of each field:
- COMMAND: the name of the process
- PID: Process identifier
- USER: process owner
- FD: file descriptor, the application identifies the file by the file descriptor. Such as cwd, txt, etc.
- TYPE: file type, such as DIR, REG, etc.
- DEVICE: the device (disk) the file lives on
- SIZE/OFF: the size of the file, or the current file offset
- NODE: inode (identification of the file on disk)
- NAME: The exact name of the open file
Several common operations
Use lsof -i :[port] to see what is using a port right now:
blackay-MacBook-Air:~ mac$ lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 24659 mac 38u IPv4 0x929a75eee50611b1 0t0 TCP 172.30.3.1:60430->ec2-50-16-240-181.compute-1.amazonaws.com:https (ESTABLISHED)
node 33752 mac 38u IPv4 0x929a75eee74831b1 0t0 TCP 192.168.43.135:55147->ec2-50-17-234-140.compute-1.amazonaws.com:https (ESTABLISHED)
node 40504 mac 23u IPv4 0x929a75eeed976ef1 0t0 TCP 172.30.3.1:62175->ec2-50-19-252-69.compute-1.amazonaws.com:https (ESTABLISHED)
node 40504 mac 36u IPv4 0x929a75eee94fa851 0t0 TCP 172.30.3.1:62180->ec2-50-19-252-69.compute-1.amazonaws.com:https (ESTABLISHED)
node 41729 mac 30u IPv4 0x929a75eeead5eb11 0t0 TCP 192.168.43.135:64612->ec2-50-16-232-79.compute-1.amazonaws.com:https (ESTABLISHED)
Google 48559 mac 19u IPv4 0x929a75eee9c25b11 0t0 TCP 172.30.3.1:56594->ti-in-f100.1e100.net:https (SYN_SENT)
Google 48559 mac 81u IPv4 0x929a75eee9d87b11 0t0 TCP 172.30.3.1:56598->ti-in-f113.1e100.net:https (SYN_SENT)
Use sudo lsof -nP -iTCP -sTCP:LISTEN to see which ports programs are listening on (which ports are occupied):
MacBook-Air:~ mac$ sudo lsof -nP -iTCP -sTCP:LISTEN
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
QQMacMgrM 600 mac 3u IPv4 0x929a75eee5126851 0t0 TCP 127.0.0.1:50154 (LISTEN)
QQMacMgrM 600 mac 10u IPv4 0x929a75eee5568851 0t0 TCP 127.0.0.1:30100 (LISTEN)
QQMacMgrM 600 mac 32u IPv4 0x929a75eee5568851 0t0 TCP 127.0.0.1:30100 (LISTEN)
Adobe\x20 663 mac 8u IPv4 0x929a75eee5799591 0t0 TCP 127.0.0.1:15292 (LISTEN)
Use lsof -p [pid] to list all files opened by a program, together with the processes associated with those open files:
MacBook-Air:~ mac$ lsof -p 59037
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
QQ 59037 mac cwd DIR 1,4 384 915270 /Users/mac/Library/Containers/com.tencent.qq/Data
QQ 59037 mac txt REG 1,4 39443376 8594340462 /Applications/QQ.app/Contents/MacOS/QQ
QQ 59037 mac txt REG 1,4 585744 8594339489 /Applications/QQ.app/Contents/Frameworks/FTMiniNN.framework/Versions/A/FTMiniNN
QQ 59037 mac txt RE
PS: PID (Process Identification) is the process identification number in the operating system, that is, the process identifier. Every time a program is started, the system automatically assigns it a process ID, or PID. It is only temporarily unique: after the process exits, the number is reclaimed and may be assigned to another new process.
The PID stays assigned to the running program as long as it is running.
If one program is started and then another is started, the system automatically assigns the second one a different PID.
2.3-netstat and lsof difference and association
netstat has no permission control; lsof does have permission control, so what it shows depends on the user.
lsof can show the PID and user, and can find out which process occupies a port.
Some people may think these two seem to do similar things. Look carefully and you find they are quite different, and some of their functions are even complementary; used together they are unbeatable. The main reason I use lsof is that when I query the network connection status with netstat, it does not show the name of the program using the port or its related information, so lsof is used to make up for that gap.
How does that work? For example, through netstat I found a connection using port 55147:
Proto Recv-Q Send-Q Local Address Foreign Address
tcp4 0 0 192.168.43.135.55147 50.17.234.140.443
Then I want to find out which program is using port 55147, so I can use the lsof command:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 24659 mac 38u IPv4 0x929a75eee50611b1 0t0 TCP 172.30.3.1:60430->ec2-50-16-240-181.compute-1.amazonaws.com:https (ESTABLISHED)
Having found this program and its PID, I can even see which files it has touched: lsof -p [PID]
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 24659 mac cwd DIR 1,4 1120 2 /
node 24659 mac txt REG 1,4 30482564 8597437279 /Applications/Atom.app/Contents/Resources/app/apm/bin/node
node 24659 mac txt REG 1,4 1112560 8597441970 /Applications/Atom.app/Contents/Resources/app/apm/node_modules/git-utils/build/Release/git.node
So the question is, what is the point of doing this... The point is that I originally wanted to find out, through network monitoring, whether any malicious code or program is running on the computer. Using these two commands together, I can accurately determine every state of each suspicious connection.
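The walk-through above (netstat connection, then lsof -i for the owning process, then lsof -p for its files) can be scripted so it is repeatable. The functions below are an added example and not code from the original post; they parse the output formats shown in this post and read from stdin, so they run on the constructed samples embedded here or on the live commands (for instance sudo lsof -nP -iTCP | pid_for_local_port 55147). The samples use RFC 5737 test addresses and assume the 9-column lsof layout seen above (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) with the TCP state as a trailing 10th field; -nP matters because it keeps the ports numeric.

```shell
#!/bin/sh
# Added example, not code from the original post. Scripts the chain:
# netstat line -> local port -> owning PID (lsof -nP -i) -> files (lsof -p).

# Constructed `lsof -nP -iTCP` sample (RFC 5737 test addresses, not a real host).
SAMPLE_LSOF_NET='COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
node    33752  mac   38u  IPv4 0x929a75eee74831b1      0t0  TCP 192.168.43.135:55147->198.51.100.20:443 (ESTABLISHED)
node    40504  mac   23u  IPv4 0x929a75eeed976ef1      0t0  TCP 172.30.3.1:62175->203.0.113.9:443 (ESTABLISHED)
QQMacMgrM 600  mac   10u  IPv4 0x929a75eee5568851      0t0  TCP 127.0.0.1:30100 (LISTEN)
python3  7100  mac    3u  IPv6 0x929a75eee5799591      0t0  TCP [::1]:8000 (LISTEN)
python3  7100  mac    4u  IPv4 0x929a75eee57995a2      0t0  TCP *:8080 (LISTEN)'

# Constructed `lsof -p 33752` sample.
SAMPLE_LSOF_PID='COMMAND   PID USER   FD   TYPE DEVICE   SIZE/OFF       NODE NAME
node    33752  mac  cwd    DIR    1,4       1120          2 /
node    33752  mac  txt    REG    1,4   30482564 8597437279 /Applications/Atom.app/Contents/Resources/app/apm/bin/node
node    33752  mac  txt    REG    1,4    1112560 8597441970 /Applications/Atom.app/Contents/Resources/app/apm/node_modules/git-utils/build/Release/git.node
node    33752  mac   38u  IPv4 0x929a75eee74831b1 0t0 TCP 192.168.43.135:55147->198.51.100.20:443 (ESTABLISHED)'

# netstat prints the local address as "host.port"; the port is the last
# dot-separated component of the 4th field.
local_port_from_netstat_line() {
    awk '{ n = split($4, p, "."); print p[n] }'
}

# Owner of a local TCP port in lsof -nP -i output. NAME is "local->remote";
# the local host may be IPv4, "*" or a bracketed IPv6, so the port is the text
# after the last colon of the local half. Prints "COMMAND PID" per match.
pid_for_local_port() {
    awk -v port="$1" 'NR > 1 {
        split($9, h, "->"); n = split(h[1], p, ":")
        if (p[n] == port) print $1, $2
    }'
}

# Listening sockets bound to every interface ("*:port"), as "COMMAND PID PORT".
# Loopback-only listeners (127.0.0.1, [::1]) are not reachable from the
# network and are left out.
exposed_listeners() {
    awk 'NR > 1 && $10 == "(LISTEN)" && $9 ~ /^\*:/ { sub(/^\*:/, "", $9); print $1, $2, $9 }'
}

# Executable and library images a process has mapped (FD "txt" in lsof -p):
# the paths that tell you what code is actually running behind the port.
executable_files() {
    awk 'NR > 1 && $4 == "txt" { print $9 }'
}

# The chain from the post, run on the constructed samples.
port=$(printf 'tcp4 0 0 192.168.43.135.55147 198.51.100.20.443 ESTABLISHED\n' | local_port_from_netstat_line)
printf '%s\n' "$SAMPLE_LSOF_NET" | pid_for_local_port "$port"
printf '%s\n' "$SAMPLE_LSOF_PID" | executable_files
printf '%s\n' "$SAMPLE_LSOF_NET" | exposed_listeners
```

On the samples, port 55147 resolves to node with PID 33752, whose mapped executables are the two Atom paths, and the only listener exposed on all interfaces is python3 on port 8080. When run live, both lsof commands need sudo to cover processes owned by other users, as noted in the introduction.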
3- References
More than 30 blogs were referenced; here are some of the most important ones.
- mac os x check network port status
- PID
- Detailed explanation of the use of the lsof command (original)
- lsof View the detailed explanation of the process number corresponding to the port
- View programs that are using ports
- The difference between netstat and lsof to see the port
- The use and difference of netstat lsof
- In other words, how to use netstat to check the Listen status under MAC OS
- Netstat Status Analysis
- netstat under mac
- Mac OS/Linux command to query network port usage