What is my computer doing? pids, IP addresses, tcp, netstat, and lsof
Today I was reviewing the active TCP connections on my MacBook Pro before testing some software I was working on. I was sitting in the office and wanted to monitor traffic to the server at my house. Checking netstat, I saw a connection I didn’t expect to see and had a hard time identifying exactly what it was. As I tracked it down, I figured the process might be of interest to others out there…
So the question is: Who is my computer connected to and what’s it sending them?
First I needed to know the IP address of my home internet connection. The home web server is on a Comcast cable modem with DHCP that doesn’t change its IP address very often, but does every once in a while. To get started I logged in to the home computer via my LogMeIn connection, opened up the web browser, and hit http://www.whatsmyip.org to verify my IP address. It looks like it’s 12.345.678.9 (no, that’s not actually my IP address, but I don’t want to post my real public IP for everyone to see).
With my remote IP address in hand, I was ready to check out what connections were active.
Open up your Terminal application (Applications -> Utilities -> Terminal.app) and run the command shown below.
Here is what it returned:
[spanders@tim:~]$ netstat -napt
netstat: t: unknown or uninstrumented protocol
Oh right, that’s the Linux netstat syntax: it lists all active TCP connections with their process IDs and turns off DNS lookups so only the IP addresses show up.
To get the same output in Mac OS I had to change the syntax a bit:
netstat -na -p tcp
The results this time were much better, but I needed to narrow them down; 46 TCP connections were too many to scan through.
netstat -na -p tcp | grep 12.345.678.9
This command only outputs connections that contain the IP address I specified. I expected to see an empty result, because I wasn’t aware of any active connections to my home network. However, this is what I saw:
tcp4 0 0 10.1.1.110.50994 12.345.678.9.4242 ESTABLISHED
The destination port, 4242, was a little suspicious to me; I had no idea what the connection was. I also noticed something else: no process ID was listed. I had forgotten about that too. I’m so used to the Linux version of netstat including PID information that I forget the Mac OS version doesn’t include it.
sudo lsof -i -Pn
-i limits the results to files with active Internet connections
-P and -n turn off port-name and reverse DNS lookups respectively, which just speeds the results up a bit
Now we’re getting somewhere, except the list of files returned is still large, 145 lines, and I don’t like looking through so many, so let’s get grep involved again to help filter the results:
sudo lsof -i -Pn | grep 12.345.678.9
And the one line I was looking for was displayed:
java 6756 root 70u IPv4 0x8c3ce64 0t0 TCP 10.1.1.110:50994->12.345.678.9:4242 (ESTABLISHED)
Okay, process ID 6756, good, that’s the info I was looking for. However, the process name was java. Great, that could be anything. Why in the world was a java process started by root connected to my home network? We go back to lsof to find the answer. (That sentence makes me think I’ve been watching too much History Channel lately.)
sudo lsof -p 6756
-p (lower case) limits results to open files in use by process ID 6756.
With 122 lines returned I saw there was plenty of activity; fortunately, I quickly saw exactly what was going on.
java 6756 root 51u REG 14,2 44 5116740 /Library/Caches/CrashPlan/cpft366842740763787782x
There were many lines similar to this one, so I don’t need to include the whole output here. The point is that the path segment /Library/Caches/CrashPlan tells me CrashPlan had created the connection. Okay, I’m cool with that. I hope you found this useful. Send me a message on Twitter @spanders if you have any questions. Back to my original software testing…
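To make the netstat-then-lsof hunt above repeatable, here is a small added shell helper (not part of the original post) that parses `sudo lsof -i -Pn` output and reports which process owns each TCP connection to a given remote IP. The sample lsof lines are constructed to match the format shown in the post, with the post’s placeholder IP; on a real machine you would feed it `sudo lsof -i -Pn` instead.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the column layout
# that `lsof -i -Pn` prints (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME)
# and prints "PID COMMAND USER REMOTE_PORT STATE" for TCP connections to one IP.

# Constructed sample of `sudo lsof -i -Pn` output: the post's java line,
# a listening sshd socket (no remote side), and an unrelated browser connection.
SAMPLE_LSOF='COMMAND   PID    USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
java     6756    root   70u  IPv4  0x8c3ce64      0t0  TCP 10.1.1.110:50994->12.345.678.9:4242 (ESTABLISHED)
sshd      412    root    3u  IPv4  0x8c3cf00      0t0  TCP *:22 (LISTEN)
firefox  2231 spanders  45u  IPv4  0x8c3d111      0t0  TCP 10.1.1.110:51002->93.184.216.34:443 (ESTABLISHED)'

# connections_to IP  (reads lsof -i -Pn output on stdin)
connections_to() {
  ip="$1"
  awk -v ip="$ip" '
    NR == 1 { next }                         # skip the header line
    $8 != "TCP" { next }                     # NODE column: only TCP sockets
    {
      # NAME is local->remote; LISTEN sockets have no "->" and are skipped
      n = split($9, ends, "->")
      if (n != 2) next
      rem = ends[2]
      # take the port after the LAST colon so bracketed IPv6 hosts still parse
      if (match(rem, /:[0-9]+$/) == 0) next
      host = substr(rem, 1, RSTART - 1)
      port = substr(rem, RSTART + 1)
      if (host != ip) next
      gsub(/[()]/, "", $10)                  # "(ESTABLISHED)" -> "ESTABLISHED"
      print $2, $1, $3, port, $10
    }'
}

# Example run against the constructed sample (live use: sudo lsof -i -Pn | connections_to IP)
printf '%s\n' "$SAMPLE_LSOF" | connections_to 12.345.678.9
```

Once you have the PID, `sudo lsof -p PID` shows the executable itself on the line whose FD column reads `txt`, which is a firmer identification than a cache path alone.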
A quick editorial on CrashPlan: it’s very slick backup software, especially for those of you with multiple computers in different locations. The basic concept is that your computers back up to each other: your office backs up to your house and your house backs up to your office. Make sure you at least check out the link.
netstat and lsof are great utilities to get familiar with. If your computer is running slowly or you want to check connections on your web server, they should come to mind right away. One of my favorites on a Linux web server lists all established connections to your web server (assuming you’re running Apache):
netstat -atp | grep httpd | grep ESTABLISHED
This one will count all the established connections to your web server and output the number:
netstat -atp | grep httpd | grep ESTABLISHED | wc -l
Here is a great post on netstat commands to try out if you’re looking for some additional reading.