Below is a dump of examples of doing pretty much the same thing differently. I mostly use netstat and lsof, coupled with some bash scripts.
You can argue that this is overkill, but below is a simple bash function that you can paste into terminal and call it whenever you want to see which application/process IDs have open ports:
macnst (){ netstat -Watnlv | grep LISTEN | awk '{"ps -o comm= -p " $9 | getline procname;colred="\033[01;31m";colclr="\033[0m"; print colred "proto: " colclr $1 colred " | addr.port: " colclr $4 colred " | pid: " colclr $9 colred " | name: " colclr procname; }' | column -t -s "|" }
## Example:
proto: tcp46 addr.port: *.8770 pid: 1459 name: /usr/libexec/sharingd proto: tcp4 addr.port: 127.0.0.1.9000 pid: 787 name: /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerTunnel proto: tcp4 addr.port: 100.64.0.1.9000 pid: 787 name: /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerTunnel proto: tcp6 addr.port: *.56365 pid: 1080 name: /usr/libexec/rapportd proto: tcp4 addr.port: *.56365 pid: 1080 name: /usr/libexec/rapportd proto: tcp4 addr.port: 100.64.0.1.9010 pid: 787 name: /usr/libexec/rapportd proto: tcp6 addr.port: ::1.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq proto: tcp6 addr.port: fe80::1%lo0.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq proto: tcp6 addr.port: fe80::244b:70ff:fe0a:ffaa%anpi2.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq proto: tcp6 addr.port: fe80::244b:70ff:fe0a:ffa8%anpi0.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq proto: tcp6 addr.port: fe80::244b:70ff:fe0a:ffa9%anpi1.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq proto: tcp6 addr.port: fe80::109d:a6ff:fed1:244c%awdl0.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq proto: tcp6 addr.port: fe80::109d:a6ff:fed1:244c%llw0.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasq proto: tcp4 addr.port: 127.0.0.1.53 pid: 784 name: /opt/homebrew/opt/dnsmasq/sbin/dnsmasqBelow is an alternative to the above using netstat:
$ netstat -ap tcp | grep ESTABLISHED
tcp4 0 0 192.168.123.227.57278 52.114.104.174.https ESTABLISHED tcp4 0 0 100.64.0.1.cslistener 52.114.104.174.57277 ESTABLISHED tcp4 0 0 100.64.0.1.57277 52.114.104.174.https ESTABLISHED tcp4 0 0 100.64.0.1.57275 13.89.179.10.https ESTABLISHED tcp4 0 0 100.64.0.1.57262 40.79.141.153.https ESTABLISHED tcp4 0 0 100.64.0.1.57258 52.97.201.226.https ESTABLISHED tcp4 0 0 192.168.123.227.57250 52.113.194.132.https ESTABLISHED tcp4 0 0 100.64.0.1.cslistener 52.113.194.132.57249 ESTABLISHED tcp4 0 0 100.64.0.1.57249 52.113.194.132.https ESTABLISHED tcp4 0 0 100.64.0.1.57240 193.0.160.129.https ESTABLISHED tcp4 0 0 100.64.0.1.57239 jnb02s11-in-f6.1.https ESTABLISHED tcp4 0 0 100.64.0.1.57238 944.bm-nginx-loa.https ESTABLISHED tcp4 0 0 100.64.0.1.57237 159.248.227.35.b.https ESTABLISHED tcp4 0 0 100.64.0.1.57236 ip98.ip-51-75-86.https ESTABLISHED tcp4 0 0 100.64.0.1.57235 185.94.180.126.https ESTABLISHED tcp4 0 0 100.64.0.1.57234 a-0001.a-msedge..https ESTABLISHED tcp4 0 0 100.64.0.1.57233 a-0001.a-msedge..https ESTABLISHEDIf you want to find the processes listening on a specific port, use the following:
sudo lsof -nP -i4TCP:9000 | grep LISTEN
ZscalerTu 787 root 49u IPv4 0xfa4872984902c87f 0t0 TCP 100.64.0.1:9000 (LISTEN)
ZscalerTu 787 root 64u IPv4 0xfa48729849d9138f 0t0 TCP 127.0.0.1:9000 (LISTEN)
## Then you can kill the process using: sudo kill -9 <PID>
sudo kill 787Following the theme of creating bash scripts for the sake of it, below is a simple listening script:
listening() {
if [ $# -eq 0 ]; then
sudo lsof -iTCP -sTCP:LISTEN -n -P
elif [ $# -eq 1 ]; then
sudo lsof -iTCP -sTCP:LISTEN -n -P | grep -i --color $1
else
echo "Usage: listening [pattern]"
fi
}
## Example
% listening 9000
ZscalerTu 38629 root 13u IPv4 0xfa48729848a2f4bf 0t0 TCP 100.64.0.1:9000 (LISTEN)
ZscalerTu 38629 root 14u IPv4 0xfa48729849edffcf 0t0 TCP 127.0.0.1:9000 (LISTEN)Next up, using lsof to view TCP sessions (-i4 : IPV4; -n : prevent conversion to host name):
sudo lsof -i4 -n -P | grep TCP | grep ESTABLISHED
identitys 1205 cp363412 37u IPv6 0xfa487293786896c7 0t0 TCP [fe80:16::c79c:1b6f:a073:9eca]:1024->[fe80:16::e858:3f4a:1724:69c1]:1024 (ESTABLISHED)
identitys 1205 cp363412 38u IPv6 0xfa4872937868cb47 0t0 TCP [fe80:16::c79c:1b6f:a073:9eca]:1025->[fe80:16::e858:3f4a:1724:69c1]:1026 (ESTABLISHED)
identitys 1205 cp363412 39u IPv6 0xfa4872937868cb47 0t0 TCP [fe80:16::c79c:1b6f:a073:9eca]:1025->[fe80:16::e858:3f4a:1724:69c1]:1026 (ESTABLISHED)
Google 2149 cp363412 20u IPv4 0xfa48729848bee74f 0t0 TCP 100.64.0.1:58416->172.217.170.10:443 (ESTABLISHED)
Google 2149 cp363412 26u IPv4 0xfa48729848bfb25f 0t0 TCP 100.64.0.1:58600->216.58.223.132:443 (ESTABLISHED)
Google 2149 cp363412 30u IPv4 0xfa48729848aa938f 0t0 TCP 100.64.0.1:58388->151.101.3.9:443 (ESTABLISHED)
Google 2149 cp363412 33u IPv4 0xfa4872984590512f 0t0 TCP 100.64.0.1:58601->216.58.223.132:443 (ESTABLISHED)
Google 2149 cp363412 35u IPv4 0xfa487298489734bf 0t0 TCP 100.64.0.1:58602->172.217.170.170:443 (ESTABLISHED)
Google 2149 cp363412 36u IPv4 0xfa487298489cf25f 0t0 TCP 100.64.0.1:58470->13.244.140.33:443 (ESTABLISHED)
Google 2149 cp363412 41u IPv4 0xfa487298458fde9f 0t0 TCP 100.64.0.1:58231->172.217.170.10:443 (ESTABLISHED)
Google 2149 cp363412 42u IPv4 0xfa48729848b25e9f 0t0 TCP 100.64.0.1:58451->142.250.27.188:443 (ESTABLISHED)
Google 2149 cp363412 45u IPv4 0xfa48729848a8fd6f 0t0 TCP 100.64.0.1:58452->142.250.27.188:443 (ESTABLISHED)
Google 2149 cp363412 47u IPv4 0xfa48729848b19c3f 0t0 TCP 100.64.0.1:58473->172.217.170.99:443 (ESTABLISHED)
Google 2149 cp363412 57u IPv4 0xfa48729849ee1c3f 0t0 TCP 100.64.0.1:57722->192.0.78.23:443 (ESTABLISHED)
Google 2149 cp363412 60u IPv4 0xfa4872984908325f 0t0 TCP 100.64.0.1:57973->198.252.206.25:443 (ESTABLISHED)
WhatsApp 2225 cp363412 21u IPv4 0xfa4872984590674f 0t0 TCP 192.168.123.227:58288->102.132.100.60:443 (ESTABLISHED)
UPMServic 2333 root 248u IPv4 0xfa48729848b1325f 0t0 TCP 192.168.123.227:56364->147.161.204.128:443 (ESTABLISHED)
Microsoft 25966 cp363412 44u IPv4 0xfa48729849d9dc3f 0t0 TCP 100.64.0.1:58615->52.112.238.155:443 (ESTABLISHED)
Microsoft 37667 cp363412 20u IPv4 0xfa48729849ef9e9f 0t0 TCP 100.64.0.1:58566->52.113.194.132:443 (ESTABLISHED)
Microsoft 37667 cp363412 22u IPv4 0xfa4872984901887f 0t0 TCP 100.64.0.1:58378->52.112.120.216:443 (ESTABLISHED)
Microsoft 37667 cp363412 23u IPv4 0xfa487298489e34bf 0t0 TCP 100.64.0.1:58536->20.42.65.84:443 (ESTABLISHED)
Microsoft 37667 cp363412 24u IPv4 0xfa4872984591487f 0t0 TCP 100.64.0.1:58613->52.112.238.155:443 (ESTABLISHED)
Microsoft 37667 cp363412 27u IPv4 0xfa48729848bed12f 0t0 TCP 100.64.0.1:58549->52.114.228.1:443 (ESTABLISHED)
Microsoft 37678 cp363412 51u IPv4 0xfa487298489ddc3f 0t0 TCP 192.168.123.227:56382->52.112.120.204:443 (ESTABLISHED)
Microsoft 37678 cp363412 59u IPv4 0xfa4872984902912f 0t0 TCP 100.64.0.1:56147->52.114.224.23:443 (ESTABLISHED)
ZscalerTu 38629 root 8u IPv4 0xfa48729848bde74f 0t0 TCP 100.64.0.1:9000->52.114.228.1:58549 (ESTABLISHED)
ZscalerTu 38629 root 9u IPv4 0xfa48729849061c3f 0t0 TCP 192.168.123.227:58330->13.244.131.129:443 (ESTABLISHED)
ZscalerTu 38629 root 10u IPv4 0xfa48729848a9de9f 0t0 TCP 192.168.123.227:58550->52.114.228.1:443 (ESTABLISHED)
ZscalerTu 38629 root 16u IPv4 0xfa48729849eea74f 0t0 TCP 100.64.0.1:9000->52.113.194.132:58566 (ESTABLISHED)
ZscalerTu 38629 root 17u IPv4 0xfa4872984904f25f 0t0 TCP 192.168.123.227:58567->52.113.194.132:443 (ESTABLISHED)
ZscalerTu 38629 root 20u IPv4 0xfa487298489e725f 0t0 TCP 100.64.0.1:9000->52.112.238.155:58613 (ESTABLISHED)For analysing what is listening to a port lsof also gives you a short history of the state of the connection:
sudo lsof -i tcp:9000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ZscalerTu 53971 root 13u IPv4 0xfa4872984902f4bf 0t0 TCP 100.64.0.1:cslistener (LISTEN)
ZscalerTu 53971 root 14u IPv4 0xfa48729848bdf25f 0t0 TCP localhost:cslistener (LISTEN)
ZscalerTu 53971 root 18u IPv4 0xfa487298489f112f 0t0 TCP 100.64.0.1:cslistener->147.161.204.128:63038 (ESTABLISHED)
ZscalerTu 53971 root 19u IPv4 0xfa487298489f69af 0t0 TCP 100.64.0.1:cslistener->147.161.204.128:63036 (CLOSE_WAIT)
ZscalerTu 53971 root 24u IPv4 0xfa4872984897674f 0t0 TCP 100.64.0.1:cslistener->a23-2-112-62.deploy.static.akamaitechnologies.com:63040 (ESTABLISHED)
ZscalerTu 53971 root 28u IPv4 0xfa487298489d138f 0t0 TCP localhost:63045->localhost:cslistener (CLOSE_WAIT)
ZscalerTu 53971 root 29u IPv4 0xfa4872984900912f 0t0 TCP localhost:cslistener->localhost:63045 (FIN_WAIT_2)Above you can see port 9000 (the zscaler port); after I have restarted zscaler. It shows the state transitions of the port.