This is a website by Willem van Zyl

I'm a project manager, software developer, Apple evangelist and geek from South Africa. I'm passionate about web and mobile application development, usability, productivity, physics, astronomy, science fiction and fantasy.

If you would like to contact me, message me on Twitter or send me an email.

How to check which processes are accessing the Internet on Mac OS X or a Linux machine

26 Oct 2010

The "lsof" command line tool can be used to list information about files opened by processes. By adding certain parameters, the tool will list IP Address / Host Name and Port details about all processes' open network files (connections):

lsof -i

The above command will show output like the following:

Willem-MacBook-Pro:~ willem$ lsof -i
COMMAND   PID   USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
SystemUIS 376 willem   10u  IPv4 0x3db2878      0t0  UDP *:*
Finder    377 willem   11u  IPv4 0x4e9a66c      0t0  TCP localhost:49171->localhost:26164 (ESTABLISHED)
Connect36 396 willem    4u  IPv4 0x3db26c8      0t0  UDP *:ssdp
Connect36 396 willem    5u  IPv4 0x3db46d8      0t0  UDP 192.168.1.102:9334->239.255.255.250:ssdp
Connect36 396 willem    6u  IPv4 0x4e9ae64      0t0  TCP *:9335 (LISTEN)
Dropbox   407 willem    7u  IPv4 0x5db9e64      0t0  TCP 192.168.0.48:49169->174.36.30.67-static.reverse.softlayer.com:https (CLOSE_WAIT)
Dropbox   407 willem   15u  IPv4 0x481366c      0t0  TCP 192.168.1.102:55607->174.36.30.66-static.reverse.softlayer.com:https (CLOSE_WAIT)
Dropbox   407 willem   18u  IPv4 0x4e9a270      0t0  TCP localhost:26164 (LISTEN)
Dropbox   407 willem   19u  IPv4 0x5db966c      0t0  TCP localhost:26164->localhost:49171 (ESTABLISHED)
Dropbox   407 willem   20u  IPv4 0xa470e64      0t0  TCP 192.168.0.48:52821->174.36.30.66-static.reverse.softlayer.com:https (CLOSED)
Dropbox   407 willem   21u  IPv4 0x42dea68      0t0  TCP 192.168.0.48:54833->ec2-174-129-27-165.compute-1.amazonaws.com:https (CLOSE_WAIT)
Dropbox   407 willem   24u  IPv4 0xb428270      0t0  TCP 192.168.1.102:54996->208.43.202.30-static.reverse.softlayer.com:http (ESTABLISHED)
Dropbox   407 willem   25u  IPv4 0x505ea68      0t0  TCP 192.168.1.102:55606->174.36.30.66-static.reverse.softlayer.com:https (CLOSE_WAIT)
firefox-b 554 willem   30u  IPv4 0xa498e64      0t0  TCP 192.168.1.102:55670->channel47-09-01-snc1.facebook.com:http (ESTABLISHED)
firefox-b 554 willem   40u  IPv4 0x5243a68      0t0  TCP 192.168.1.102:55668->wy-in-f100.1e100.net:http (ESTABLISHED)
firefox-b 554 willem   44u  IPv4 0xa45fa68      0t0  TCP 192.168.1.102:55669->74.125.100.100:http (ESTABLISHED)
firefox-b 554 willem   79u  IPv4 0xa462e64      0t0  TCP 192.168.0.48:50332->nwk-qtsoftware.apple.com:http (CLOSED)

In the above output the columns from left to right indicate the Process Name, Process ID, User that the process belongs to, Type of Connection, Device Address, Connection Node, and Connection Addresses / Host Names / Ports / Status.

To display the output with IP Addresses instead of Host Names, add the "-n" parameter: 

lsof -i -n

... resulting in:

Willem-MacBook-Pro:~ willem$ lsof -i -n
COMMAND   PID   USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
SystemUIS 376 willem   10u  IPv4 0x3db2878      0t0  UDP *:*
Finder    377 willem   11u  IPv4 0x4e9a66c      0t0  TCP 127.0.0.1:49171->127.0.0.1:26164 (ESTABLISHED)
Connect36 396 willem    4u  IPv4 0x3db26c8      0t0  UDP *:ssdp
Connect36 396 willem    5u  IPv4 0x3db46d8      0t0  UDP 192.168.1.102:9334->239.255.255.250:ssdp
Connect36 396 willem    6u  IPv4 0x4e9ae64      0t0  TCP *:9335 (LISTEN)
Dropbox   407 willem    7u  IPv4 0x5db9e64      0t0  TCP 192.168.0.48:49169->174.36.30.67:https (CLOSE_WAIT)
Dropbox   407 willem   15u  IPv4 0x481366c      0t0  TCP 192.168.1.102:55607->174.36.30.66:https (CLOSE_WAIT)
Dropbox   407 willem   18u  IPv4 0x4e9a270      0t0  TCP 127.0.0.1:26164 (LISTEN)
Dropbox   407 willem   19u  IPv4 0x5db966c      0t0  TCP 127.0.0.1:26164->127.0.0.1:49171 (ESTABLISHED)
Dropbox   407 willem   20u  IPv4 0xa470e64      0t0  TCP 192.168.0.48:52821->174.36.30.66:https (CLOSED)
Dropbox   407 willem   21u  IPv4 0x42dea68      0t0  TCP 192.168.0.48:54833->174.129.27.165:https (CLOSE_WAIT)
Dropbox   407 willem   24u  IPv4 0xb428270      0t0  TCP 192.168.1.102:54996->208.43.202.30:http (ESTABLISHED)
Dropbox   407 willem   25u  IPv4 0x505ea68      0t0  TCP 192.168.1.102:55606->174.36.30.66:https (CLOSE_WAIT)
firefox-b 554 willem   30u  IPv4 0xa49566c      0t0  TCP 192.168.1.102:55672->69.63.178.117:http (ESTABLISHED)
firefox-b 554 willem   40u  IPv4 0x5243a68      0t0  TCP 192.168.1.102:55668->209.85.227.100:http (ESTABLISHED)
firefox-b 554 willem   44u  IPv4 0xa45fa68      0t0  TCP 192.168.1.102:55673->74.125.100.100:http (ESTABLISHED)
firefox-b 554 willem   79u  IPv4 0xa462e64      0t0  TCP 192.168.0.48:50332->17.149.160.21:http (CLOSED)

To display the output with Port Addresses instead of Port Names, add the "-P" parameter:

lsof -i -n -P

... resulting in:

Willem-MacBook-Pro:~ willem$ lsof -i -n -P
COMMAND   PID   USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
SystemUIS 376 willem   10u  IPv4 0x3db2878      0t0  UDP *:*
Finder    377 willem   11u  IPv4 0x4e9a66c      0t0  TCP 127.0.0.1:49171->127.0.0.1:26164 (ESTABLISHED)
Connect36 396 willem    4u  IPv4 0x3db26c8      0t0  UDP *:1900
Connect36 396 willem    5u  IPv4 0x3db46d8      0t0  UDP 192.168.1.102:9334->239.255.255.250:1900
Connect36 396 willem    6u  IPv4 0x4e9ae64      0t0  TCP *:9335 (LISTEN)
Dropbox   407 willem    7u  IPv4 0x5db9e64      0t0  TCP 192.168.0.48:49169->174.36.30.67:443 (CLOSE_WAIT)
Dropbox   407 willem   15u  IPv4 0x481366c      0t0  TCP 192.168.1.102:55607->174.36.30.66:443 (CLOSE_WAIT)
Dropbox   407 willem   18u  IPv4 0x4e9a270      0t0  TCP 127.0.0.1:26164 (LISTEN)
Dropbox   407 willem   19u  IPv4 0x5db966c      0t0  TCP 127.0.0.1:26164->127.0.0.1:49171 (ESTABLISHED)
Dropbox   407 willem   20u  IPv4 0xa470e64      0t0  TCP 192.168.0.48:52821->174.36.30.66:443 (CLOSED)
Dropbox   407 willem   21u  IPv4 0x42dea68      0t0  TCP 192.168.0.48:54833->174.129.27.165:443 (CLOSE_WAIT)
Dropbox   407 willem   24u  IPv4 0xb428270      0t0  TCP 192.168.1.102:54996->208.43.202.30:80 (ESTABLISHED)
Dropbox   407 willem   25u  IPv4 0x505ea68      0t0  TCP 192.168.1.102:55606->174.36.30.66:443 (CLOSE_WAIT)
firefox-b 554 willem   30u  IPv4 0xa49566c      0t0  TCP 192.168.1.102:55672->69.63.178.117:80 (ESTABLISHED)
firefox-b 554 willem   40u  IPv4 0x5243a68      0t0  TCP 192.168.1.102:55668->209.85.227.100:80 (ESTABLISHED)
firefox-b 554 willem   44u  IPv4 0xa45fa68      0t0  TCP 192.168.1.102:55673->74.125.100.100:80 (ESTABLISHED)
firefox-b 554 willem   79u  IPv4 0xa462e64      0t0  TCP 192.168.0.48:50332->17.149.160.21:80 (CLOSED)

To display the above information for a specific application or process only, you can pipe the output into a grep statement:

lsof -i -n -P | grep firefox

... resulting in:

firefox-b 554 willem   30u  IPv4 0xa461a68      0t0  TCP 192.168.1.102:55660->69.63.178.117:80 (ESTABLISHED)
firefox-b 554 willem   40u  IPv4 0xa49566c      0t0  TCP 192.168.1.102:55655->69.63.187.12:80 (ESTABLISHED)
firefox-b 554 willem   79u  IPv4 0xa462e64      0t0  TCP 192.168.0.48:50332->17.149.160.21:80 (CLOSED)
Do you like this? Share it:

Copyright © Geekology 2011. All Rights Reserved.

Hosted by Code. Like. Clockwork.