What is my computer doing? pids, IP addresses, tcp, netstat, and lsof


Today I was reviewing the active TCP connections on my MacBook Pro before testing some software I was working on.  I was sitting in the office and wanted to monitor traffic to the server at my house.  Checking netstat, I saw a connection I didn’t expect to see and had a hard time identifying exactly what it was.  As I was tracking it down, I figured the process might be of interest to others out there…

So the question is: Who is my computer connected to and what’s it sending them?

First I needed to know the IP address of my home internet connection.  The home web server is on a Comcast cable modem with DHCP that doesn’t change its IP address very often, but does every once in a while.  To get started I logged in to the home computer via my LogMeIn connection, opened up the web browser, and hit http://www.whatsmyip.org to verify my IP address; it looks like it’s 12.345.678.9 (no, that’s not actually my IP address, and it isn’t even a syntactically valid IPv4 address since octets only go up to 255, but I don’t want to post my real public IP for everyone to see).

Note: I actually use DynDNS to keep track of my home IP address; the whatsmyip.org method is just a little faster if you don’t already have dynamic DNS running somewhere.

With my remote IP address in hand, I was ready to check out what connections were active.

Open up your Terminal application (Applications -> Utilities -> Terminal.app) and run:

netstat -napt

Here is what returned:

[spanders@tim:~]$ netstat -napt
netstat: t: unknown or uninstrumented protocol

Oh right, that’s the Linux netstat syntax: -n prints numeric addresses (no DNS lookups), -a lists all sockets, -p adds the owning PID/program name, and -t restricts the output to TCP.  One caveat on Linux: the PID column is only filled in for processes you own unless you run netstat as root.

To get the same output in Mac OS I had to change the syntax a bit (the BSD netstat uses -p to select a protocol, not to show PIDs):

netstat -na -p tcp

The results this time were much better, but 46 TCP connections were too many to scan through, so I needed to narrow them down:

netstat -na -p tcp | grep 12.345.678.9

This command only outputs connections whose line contains the IP address I specified.  (Two caveats: grep reads the address as a regular expression, so each dot matches any character, and it matches as a substring, so 12.345.678.9 would also match 12.345.678.90; grep -F with a trailing dot-port anchor, or lsof’s own -i @address filter, is stricter.)  I expected to see an empty result, because I wasn’t aware of any active connections to my home network. However, this is what I saw:

tcp4       0      0  10.1.1.110.50994       12.345.678.9.4242        ESTABLISHED

The destination port, 4242, looked a little suspicious to me, and I had no idea what the connection was.  I also noticed something else: no process ID was listed.  I’m so used to the Linux version of netstat including PID information that I forget Mac OS’s netstat doesn’t include it.

So how do I find the PID behind a TCP connection on a Mac?  Here we turn to lsof.  Note: lsof only lists the files of processes you are allowed to inspect, so to see root’s and other users’ processes we’ll be running the command with sudo:

sudo lsof -i -Pn

-i limits the results to files that are Internet sockets (it also takes a filter, e.g. -i TCP or -i @12.345.678.9, to narrow the list further)
-P and -n turn off port-name and host-name translation, so the raw numbers show up and the results come back faster

Now we’re getting somewhere, except the list of files returned is still large, 145 lines, and I don’t like to look through so many, so let’s get grep involved again to filter the results:

sudo lsof -i -Pn | grep 12.345.678.9

And the one line I was looking for was displayed:

java       6756           root   70u  IPv4  0x8c3ce64      0t0    TCP 10.1.1.110:50994->12.345.678.9:4242 (ESTABLISHED)

Okay, process ID 6756, good, that’s the info I was looking for.  However, the process name was java.  Great, that could be anything.  Why in the world was a java process started by root connected to my home network?  We go back to lsof to find the answer.  (That sentence makes me think I’ve been watching too much History channel lately.)

sudo lsof -p 6756

-p (lower case) limits the results to the files open in process ID 6756: its executable and libraries, working directory, data files and sockets.

With 122 lines returned there was plenty of activity, but fortunately I quickly saw exactly what was going on:

java    6756 root   51u     REG       14,2        44   5116740 /Library/Caches/CrashPlan/cpft366842740763787782x

There were many lines similar to this one, so I don’t need to include the whole output here; the point is that the path segment /Library/Caches/CrashPlan tells me CrashPlan created the connection.  (The txt entries in the same listing name the executable and the libraries the process mapped, and ps shows its full command line; those identify a process more directly than the data files it happens to have open.)  Okay, I’m cool with that.  I hope you found this useful.  Send me a message on Twitter @spanders if you have any questions.  Back to my original software testing…
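The three manual steps above (spot the remote address in the socket list, map the socket to a PID, identify the PID) as one script.  This is an added example, not code from the original post or from CrashPlan: it parses lsof’s machine-readable -F output (one field per line: p=PID, c=command, f=fd, P=protocol, n=name, TST=TCP state) instead of the table shown above, and it is exercised on constructed sample output so it runs without root or a live connection.  The address 203.0.113.9 is a documentation-range placeholder standing in for the home IP, the jre paths in the lsof -p sample are hypothetical, and live_peers/live_program are the wrappers that would run the same parsers against a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): the netstat -> lsof -> lsof -p
# chain as reusable functions.  The parsers read from stdin so they can be
# run on the constructed samples below; the live_* wrappers feed them real
# lsof output.  Assumes lsof's -F field format (p=PID, c=command, f=fd,
# P=protocol, n=name, TST=TCP state), one field per line.

# Constructed sample of `sudo lsof -i -Pn -F pcnPT` (not a real capture).
# 203.0.113.9 / 203.0.113.20 are documentation-range placeholder addresses.
SAMPLE_LSOF_I='p6756
cjava
f70
PTCP
n10.1.1.110:50994->203.0.113.9:4242
TST=ESTABLISHED
f71
PTCP
n10.1.1.110:50995->203.0.113.9:4243
TST=ESTABLISHED
p4101
cGoogle Chrome
f22
PTCP
n10.1.1.110:51020->203.0.113.20:443
TST=ESTABLISHED
p812
csshd
f3
PTCP
n*:22
TST=LISTEN'

# Constructed sample of `sudo lsof -p 6756`; only the CrashPlan cache path is
# from the post, the jre paths are hypothetical.
SAMPLE_LSOF_P='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
java    6756 root  cwd    DIR   14,2      748       2 /
java    6756 root  txt    REG   14,2  1054768  411202 /usr/local/example/jre/bin/java
java    6756 root  txt    REG   14,2  3129552  411890 /usr/local/example/jre/lib/server/libjvm.dylib
java    6756 root   51u   REG   14,2       44 5116740 /Library/Caches/CrashPlan/cpft366842740763787782x
java    6756 root   70u  IPv4 0x8c3ce64      0t0 TCP 10.1.1.110:50994->203.0.113.9:4242 (ESTABLISHED)'

# lsof_peers IP: print "PID COMMAND PROTO LOCAL->REMOTE STATE" for every socket
# whose remote host is exactly IP.  Exact string compare, unlike `grep 12.345.678.9`
# where '.' matches any character and the address also matches as a substring.
# A record is flushed when the next file (f) or process (p) starts, so the
# order of the per-socket fields does not matter; commands with spaces survive
# because each field sits on its own line.
lsof_peers() {
    awk -v want="$1" '
        function flush() {
            if (index(name, "->") > 0) {
                split(name, ends, "->")
                host = ends[2]
                sub(/:[0-9]+$/, "", host)   # drop remote port
                gsub(/[][]/, "", host)      # unbracket IPv6 literals
                if (host == want)
                    printf "%s %s %s %s %s\n", pid, cmd, proto, name, (state == "" ? "-" : state)
            }
            name = ""; state = ""; proto = ""
        }
        /^p/    { flush(); pid = substr($0, 2); cmd = ""; next }
        /^c/    { cmd = substr($0, 2); next }
        /^f/    { flush(); next }
        /^P/    { proto = substr($0, 2); next }
        /^n/    { name = substr($0, 2); next }
        /^TST=/ { state = substr($0, 5); next }
        END     { flush() }'
}

# pid_program: from `lsof -p PID` table output, print the program text (the
# first FD "txt" entry is the executable itself; later ones are mapped
# libraries).  The path is taken from its first "/" so spaces in it survive.
pid_program() {
    awk '$4 == "txt" && match($0, /\/.*$/) { print substr($0, RSTART); exit }'
}

# Wrappers for a live machine (sudo so other users' processes are visible).
live_peers()   { sudo lsof -i -Pn -F pcnPT | lsof_peers "$1"; }
live_program() { sudo lsof -p "$1" | pid_program; ps -p "$1" -o user=,command=; }

# Offline demo on the samples: who talks to 203.0.113.9, and what binary is it?
printf '%s\n' "$SAMPLE_LSOF_I" | lsof_peers 203.0.113.9
printf '%s\n' "$SAMPLE_LSOF_P" | pid_program
```

On a real Mac, `live_peers 203.0.113.9` (with your own address) gives the PID, and `live_program 6756` prints the executable path and the full command line, which for a Java process includes the jar or class being run.  Because the match is on the parsed remote host rather than a regex over the whole line, 203.0.113.2 does not match 203.0.113.20, and a listener like `*:22` is skipped because it has no remote end.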

Notes:

A quick editorial on CrashPlan: it’s very slick backup software, especially for those of you with multiple computers in different locations.  The basic concept is that your office computer backs up to your house and your house backs up to your office.  Make sure you at least check out the link.

netstat and lsof are great utilities to get familiar with.  If your computer is running slowly or you want to check connections on your web server, they should come to mind right away.  One of my favorites on a Linux web server lists all established connections to your web server (assuming you’re running Apache; on Debian-based systems the process is named apache2 rather than httpd, the PID/Program column is only populated for your own processes unless you run as root, and adding -n skips the reverse-DNS lookups that otherwise slow this down; newer distributions offer ss -tnp as a replacement for netstat):

netstat -atp | grep httpd | grep ESTABLISHED

This counts those established connections and prints the number:

netstat -atp | grep httpd | grep ESTABLISHED | wc -l
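A scripted version of the count above, added here and not part of the original post or the linked article: instead of grepping whole lines and piping to wc -l, it parses Linux `netstat -antp` output field by field, matches on the program name in the PID/Program column, and groups the established connections by remote host, which is the view you want when one client is tying up all your Apache workers.  The netstat output is constructed (documentation-range addresses), and the row whose PID column is `-` stands for what a non-root user sees for sockets owned by someone else.

```shell
#!/bin/sh
# Added example (not from the original post): per-peer count of established
# connections owned by a program, from Linux `netstat -antp` output on stdin.

# Constructed sample of `sudo netstat -antp` (addresses are documentation-range
# placeholders; the "-" PID row mimics a socket whose owner you cannot see
# without root).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:51332      ESTABLISHED 1203/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:51333      ESTABLISHED 1204/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:51334      TIME_WAIT   -
tcp        0      0 10.0.0.5:80             203.0.113.44:40022      ESTABLISHED 1205/httpd
tcp        0      0 10.0.0.5:80             198.51.100.9:50001      ESTABLISHED -
tcp        0      0 10.0.0.5:22             203.0.113.44:40100      ESTABLISHED 900/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      1201/httpd'

# established_by_peer PROGRAM: print "COUNT REMOTE_HOST", busiest host first,
# for ESTABLISHED TCP sockets whose PID/Program column names PROGRAM.
# Matching the program field exactly (not `grep httpd` over the whole line)
# means a stray "httpd" in a hostname cannot count, and TIME_WAIT rows,
# listeners and other programs on the same port are left out.
established_by_peer() {
    awk -v prog="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            if (split($7, pp, "/") < 2 || pp[2] != prog) next   # "-" when not root
            host = $5; sub(/:[0-9]+$/, "", host)                # strip remote port
            count[host]++
        }
        END { for (h in count) printf "%d %s\n", count[h], h }
    ' | sort -k1,1nr -k2,2
}

# established_total PROGRAM: the single number the `wc -l` pipeline gives.
established_total() {
    established_by_peer "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Demo on the sample: Apache has 3 established connections, 2 from one host.
printf '%s\n' "$SAMPLE_NETSTAT" | established_by_peer httpd
printf '%s\n' "$SAMPLE_NETSTAT" | established_total httpd
```

On a live server run `sudo netstat -antp | established_by_peer httpd` (or `apache2` on Debian-based systems); without sudo the sockets of other users’ processes show `-` in the PID column and are skipped, so the count comes out low.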

Here is a good post of netstat commands to try out if you’re looking for some additional reading:

http://www.mydigitallife.info/2007/12/13/how-to-find-and-check-number-of-connections-to-a-server

