Below is a dump of examples of doing pretty much the same thing in different ways. I mostly use netstat and lsof, coupled with some bash scripts.
You can argue that this is overkill, but below is a simple bash function that you can paste into a terminal and call whenever you want to see which applications/process IDs have open ports:
macnst() {
  netstat -Watnlv | grep LISTEN | awk '{
    cmd = "ps -o comm= -p " $9   # field 9 is the pid column
    procname = ""
    cmd | getline procname
    close(cmd)                   # without this, a repeated pid reuses the previous name
    colred = "\033[01;31m"; colclr = "\033[0m"
    print colred "proto: " colclr $1 colred " | addr.port: " colclr $4 colred " | pid: " colclr $9 colred " | name: " colclr procname
  }' | column -t -s "|"
}
## Example:
proto: tcp46 addr.port: *.8770 pid: 1459 name: /usr/libexec/sharingd
proto: tcp4 addr.port: 127.0.0.1.9000 pid: 787 name: /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerTunnel
proto: tcp4 addr.port: 100.64.0.1.9000 pid: 787 name: /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerTunnel
proto: tcp6 addr.port: *.56365 pid: 1080 name: /usr/libexec/rapportd
proto: tcp4 addr.port: *.56365 pid: 1080 name: /usr/libexec/rapportd
proto: tcp4 addr.port: 100.64.0.1.9010 pid: 787 name: /usr/libexec/rapportd
proto: tcp6 addr.port: ::1.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq
proto: tcp6 addr.port: fe80::1%lo0.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq
proto: tcp6 addr.port: fe80::244b:70ff:fe0a:ffaa%anpi2.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq
proto: tcp6 addr.port: fe80::244b:70ff:fe0a:ffa8%anpi0.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq
proto: tcp6 addr.port: fe80::244b:70ff:fe0a:ffa9%anpi1.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq
proto: tcp6 addr.port: fe80::109d:a6ff:fed1:244c%awdl0.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq
proto: tcp6 addr.port: fe80::109d:a6ff:fed1:244c%llw0.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq
proto: tcp4 addr.port: 127.0.0.1.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq
Below is an alternative to the above using plain netstat, this time filtered to established TCP connections:
$ netstat -ap tcp | grep ESTABLISHED
tcp4 0 0 192.168.123.227.57278 52.114.104.174.https ESTABLISHED
tcp4 0 0 100.64.0.1.cslistener 52.114.104.174.57277 ESTABLISHED
tcp4 0 0 100.64.0.1.57277 52.114.104.174.https ESTABLISHED
tcp4 0 0 100.64.0.1.57275 13.89.179.10.https ESTABLISHED
tcp4 0 0 100.64.0.1.57262 40.79.141.153.https ESTABLISHED
tcp4 0 0 100.64.0.1.57258 52.97.201.226.https ESTABLISHED
tcp4 0 0 192.168.123.227.57250 52.113.194.132.https ESTABLISHED
tcp4 0 0 100.64.0.1.cslistener 52.113.194.132.57249 ESTABLISHED
tcp4 0 0 100.64.0.1.57249 52.113.194.132.https ESTABLISHED
tcp4 0 0 100.64.0.1.57240 193.0.160.129.https ESTABLISHED
tcp4 0 0 100.64.0.1.57239 jnb02s11-in-f6.1.https ESTABLISHED
tcp4 0 0 100.64.0.1.57238 944.bm-nginx-loa.https ESTABLISHED
tcp4 0 0 100.64.0.1.57237 159.248.227.35.b.https ESTABLISHED
tcp4 0 0 100.64.0.1.57236 ip98.ip-51-75-86.https ESTABLISHED
tcp4 0 0 100.64.0.1.57235 185.94.180.126.https ESTABLISHED
tcp4 0 0 100.64.0.1.57234 a-0001.a-msedge..https ESTABLISHED
tcp4 0 0 100.64.0.1.57233 a-0001.a-msedge..https ESTABLISHED
If you want to find the processes listening on a specific port, use the following:
sudo lsof -nP -i4TCP:9000 | grep LISTEN
ZscalerTu 787 root 49u IPv4 0xfa4872984902c87f 0t0 TCP 100.64.0.1:9000 (LISTEN)
ZscalerTu 787 root 64u IPv4 0xfa48729849d9138f 0t0 TCP 127.0.0.1:9000 (LISTEN)
## Then you can kill the process using: sudo kill -9 <PID>
sudo kill 787
Following the theme of creating bash scripts for the sake of it, below is a simple listening script:
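listening() {
  # No argument: list every TCP listener; one argument: filter the list by pattern
  if [ $# -eq 0 ]; then
    sudo lsof -iTCP -sTCP:LISTEN -n -P
  elif [ $# -eq 1 ]; then
    # Quote the pattern so spaces or glob characters are not expanded by the shell
    sudo lsof -iTCP -sTCP:LISTEN -n -P | grep -i --color -- "$1"
  else
    echo "Usage: listening [pattern]"
  fi
}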
## Example
% listening 9000
ZscalerTu 38629 root 13u IPv4 0xfa48729848a2f4bf 0t0 TCP 100.64.0.1:9000 (LISTEN)
ZscalerTu 38629 root 14u IPv4 0xfa48729849edffcf 0t0 TCP 127.0.0.1:9000 (LISTEN)
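The listener output above mixes loopback-only sockets with ones bound to a real interface, which is the distinction that matters when reviewing exposure. The following is an added example, not part of the original post: it classifies each row of `lsof -iTCP -sTCP:LISTEN -n -P` by bind scope. The function names and the sample rows (modelled on the output on this page) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify listeners from `lsof -iTCP -sTCP:LISTEN -n -P` output.

# Reads lsof output on stdin; prints "scope port pid command address" per listener.
classify_listeners() {
  awk '
    $NF != "(LISTEN)" { next }             # skip the header and any non-listening row
    {
      name = $(NF - 1)                     # e.g. 127.0.0.1:9000, *:8770, [::1]:53
      port = name; sub(/.*:/, "", port)    # text after the last colon
      addr = name; sub(/:[^:]*$/, "", addr)
      if (addr == "*")                              scope = "all-interfaces"
      else if (addr ~ /^127\./ || addr == "[::1]")  scope = "loopback"
      else if (addr ~ /^\[fe80:/)                   scope = "link-local"
      else                                          scope = "interface"
      key = scope " " port " " $2 " " $1 " " addr
      if (!(key in seen)) { seen[key] = 1; print key }   # IPv4+IPv6 twins collapse
    }'
}

# Everything that is not bound to loopback only, i.e. the rows worth reviewing.
exposed_listeners() {
  classify_listeners | awk '$1 != "loopback"'
}

# Constructed sample input (not captured from a real host).
sample_lsof() {
  cat <<'EOF'
COMMAND    PID USER    FD  TYPE DEVICE SIZE/OFF NODE NAME
sharingd  1459 alice    7u IPv6 0x01        0t0  TCP *:8770 (LISTEN)
ZscalerTu  787 root    49u IPv4 0x02        0t0  TCP 100.64.0.1:9000 (LISTEN)
ZscalerTu  787 root    64u IPv4 0x03        0t0  TCP 127.0.0.1:9000 (LISTEN)
rapportd  1080 alice    8u IPv4 0x04        0t0  TCP *:56365 (LISTEN)
rapportd  1080 alice    9u IPv6 0x05        0t0  TCP *:56365 (LISTEN)
dnsmasq    784 nobody   5u IPv6 0x06        0t0  TCP [::1]:53 (LISTEN)
dnsmasq    784 nobody   6u IPv6 0x07        0t0  TCP [fe80:1::1]:53 (LISTEN)
EOF
}

sample_lsof | exposed_listeners
```

On a live system, feed it real data with `sudo lsof -iTCP -sTCP:LISTEN -n -P | exposed_listeners`.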
Next up, using lsof to view TCP sessions (-i4 : IPv4; -n : prevent conversion to host name; -P : prevent conversion of port numbers to service names):
sudo lsof -i4 -n -P | grep TCP | grep ESTABLISHED
identitys 1205 cp363412 37u IPv6 0xfa487293786896c7 0t0 TCP [fe80:16::c79c:1b6f:a073:9eca]:1024->[fe80:16::e858:3f4a:1724:69c1]:1024 (ESTABLISHED)
identitys 1205 cp363412 38u IPv6 0xfa4872937868cb47 0t0 TCP [fe80:16::c79c:1b6f:a073:9eca]:1025->[fe80:16::e858:3f4a:1724:69c1]:1026 (ESTABLISHED)
identitys 1205 cp363412 39u IPv6 0xfa4872937868cb47 0t0 TCP [fe80:16::c79c:1b6f:a073:9eca]:1025->[fe80:16::e858:3f4a:1724:69c1]:1026 (ESTABLISHED)
Google 2149 cp363412 20u IPv4 0xfa48729848bee74f 0t0 TCP 100.64.0.1:58416->172.217.170.10:443 (ESTABLISHED)
Google 2149 cp363412 26u IPv4 0xfa48729848bfb25f 0t0 TCP 100.64.0.1:58600->216.58.223.132:443 (ESTABLISHED)
Google 2149 cp363412 30u IPv4 0xfa48729848aa938f 0t0 TCP 100.64.0.1:58388->151.101.3.9:443 (ESTABLISHED)
Google 2149 cp363412 33u IPv4 0xfa4872984590512f 0t0 TCP 100.64.0.1:58601->216.58.223.132:443 (ESTABLISHED)
Google 2149 cp363412 35u IPv4 0xfa487298489734bf 0t0 TCP 100.64.0.1:58602->172.217.170.170:443 (ESTABLISHED)
Google 2149 cp363412 36u IPv4 0xfa487298489cf25f 0t0 TCP 100.64.0.1:58470->13.244.140.33:443 (ESTABLISHED)
Google 2149 cp363412 41u IPv4 0xfa487298458fde9f 0t0 TCP 100.64.0.1:58231->172.217.170.10:443 (ESTABLISHED)
Google 2149 cp363412 42u IPv4 0xfa48729848b25e9f 0t0 TCP 100.64.0.1:58451->142.250.27.188:443 (ESTABLISHED)
Google 2149 cp363412 45u IPv4 0xfa48729848a8fd6f 0t0 TCP 100.64.0.1:58452->142.250.27.188:443 (ESTABLISHED)
Google 2149 cp363412 47u IPv4 0xfa48729848b19c3f 0t0 TCP 100.64.0.1:58473->172.217.170.99:443 (ESTABLISHED)
Google 2149 cp363412 57u IPv4 0xfa48729849ee1c3f 0t0 TCP 100.64.0.1:57722->192.0.78.23:443 (ESTABLISHED)
Google 2149 cp363412 60u IPv4 0xfa4872984908325f 0t0 TCP 100.64.0.1:57973->198.252.206.25:443 (ESTABLISHED)
WhatsApp 2225 cp363412 21u IPv4 0xfa4872984590674f 0t0 TCP 192.168.123.227:58288->102.132.100.60:443 (ESTABLISHED)
UPMServic 2333 root 248u IPv4 0xfa48729848b1325f 0t0 TCP 192.168.123.227:56364->147.161.204.128:443 (ESTABLISHED)
Microsoft 25966 cp363412 44u IPv4 0xfa48729849d9dc3f 0t0 TCP 100.64.0.1:58615->52.112.238.155:443 (ESTABLISHED)
Microsoft 37667 cp363412 20u IPv4 0xfa48729849ef9e9f 0t0 TCP 100.64.0.1:58566->52.113.194.132:443 (ESTABLISHED)
Microsoft 37667 cp363412 22u IPv4 0xfa4872984901887f 0t0 TCP 100.64.0.1:58378->52.112.120.216:443 (ESTABLISHED)
Microsoft 37667 cp363412 23u IPv4 0xfa487298489e34bf 0t0 TCP 100.64.0.1:58536->20.42.65.84:443 (ESTABLISHED)
Microsoft 37667 cp363412 24u IPv4 0xfa4872984591487f 0t0 TCP 100.64.0.1:58613->52.112.238.155:443 (ESTABLISHED)
Microsoft 37667 cp363412 27u IPv4 0xfa48729848bed12f 0t0 TCP 100.64.0.1:58549->52.114.228.1:443 (ESTABLISHED)
Microsoft 37678 cp363412 51u IPv4 0xfa487298489ddc3f 0t0 TCP 192.168.123.227:56382->52.112.120.204:443 (ESTABLISHED)
Microsoft 37678 cp363412 59u IPv4 0xfa4872984902912f 0t0 TCP 100.64.0.1:56147->52.114.224.23:443 (ESTABLISHED)
ZscalerTu 38629 root 8u IPv4 0xfa48729848bde74f 0t0 TCP 100.64.0.1:9000->52.114.228.1:58549 (ESTABLISHED)
ZscalerTu 38629 root 9u IPv4 0xfa48729849061c3f 0t0 TCP 192.168.123.227:58330->13.244.131.129:443 (ESTABLISHED)
ZscalerTu 38629 root 10u IPv4 0xfa48729848a9de9f 0t0 TCP 192.168.123.227:58550->52.114.228.1:443 (ESTABLISHED)
ZscalerTu 38629 root 16u IPv4 0xfa48729849eea74f 0t0 TCP 100.64.0.1:9000->52.113.194.132:58566 (ESTABLISHED)
ZscalerTu 38629 root 17u IPv4 0xfa4872984904f25f 0t0 TCP 192.168.123.227:58567->52.113.194.132:443 (ESTABLISHED)
ZscalerTu 38629 root 20u IPv4 0xfa487298489e725f 0t0 TCP 100.64.0.1:9000->52.112.238.155:58613 (ESTABLISHED)
When analysing what is listening on a port, lsof also shows the current state of each connection on that port, which gives you a short history of what has happened on it:
sudo lsof -i tcp:9000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ZscalerTu 53971 root 13u IPv4 0xfa4872984902f4bf 0t0 TCP 100.64.0.1:cslistener (LISTEN)
ZscalerTu 53971 root 14u IPv4 0xfa48729848bdf25f 0t0 TCP localhost:cslistener (LISTEN)
ZscalerTu 53971 root 18u IPv4 0xfa487298489f112f 0t0 TCP 100.64.0.1:cslistener->147.161.204.128:63038 (ESTABLISHED)
ZscalerTu 53971 root 19u IPv4 0xfa487298489f69af 0t0 TCP 100.64.0.1:cslistener->147.161.204.128:63036 (CLOSE_WAIT)
ZscalerTu 53971 root 24u IPv4 0xfa4872984897674f 0t0 TCP 100.64.0.1:cslistener->a23-2-112-62.deploy.static.akamaitechnologies.com:63040 (ESTABLISHED)
ZscalerTu 53971 root 28u IPv4 0xfa487298489d138f 0t0 TCP localhost:63045->localhost:cslistener (CLOSE_WAIT)
ZscalerTu 53971 root 29u IPv4 0xfa4872984900912f 0t0 TCP localhost:cslistener->localhost:63045 (FIN_WAIT_2)
Above you can see port 9000 (the Zscaler port) after I restarted Zscaler. It shows the state transitions of the port: sockets in LISTEN, ESTABLISHED, CLOSE_WAIT and FIN_WAIT_2.