List all Open Internet Connections on a Mac from Terminal to Track Down Bandwidth Issues
Recently the LAN at my office had been running slower than usual, and I couldn’t pinpoint what was using up all the extra bandwidth. I had a suspicion that P2P traffic was to blame but I just couldn’t see anything obvious on the offending machine. So the question of course, is how do you see what processes are connecting to the internet or the outside world from Mac OS X?
Using the lsof command line tool, we can pass the -i argument to list only the active and open internet connections on our Macs, and we can find out if there’s anything peculiar (or in my case, something hidden) going on and connecting to an outside address, and, this command will also show you what the process ID is of the offending application or task, so that we can kill it and stop the activity if desired.
Display a List of All Open Internet Connections in OS X from the Command Line
This must be entered from the Terminal of OS X, but it can be used remotely with SSH or locally on a Mac.
I logged into the offending Mac and typed the following command:
You shouldn’t need to use sudo but you can if desired or required for your specific use case.
Output of lsof is a little busy but if you’re familiar with the command line it shouldn’t be anything too crazy looking.
Here’s an example of the output displayed by this lsof -i command string:
MacMini:~ macuser$ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SystemUIS 93 macuser 6u IPv4 0x04db27bc 0t0 UDP *:*
SystemUIS 93 macuser 10u IPv4 0x04db26e0 0t0 UDP *:*
iChatAgen 111 macuser 6u IPv4 0x07084734 0t0 UDP localhost:49490->localhost:49490
iChatAgen 111 macuser 10u IPv4 0x05666f28 0t0 TCP 192.168.0.101:53762->bos-m012c-sdr6.blue.aol.com:aol (ESTABLISHED)
synergys 129 macuser 5u IPv4 0x05f2f6b0 0t0 TCP *:24800 (LISTEN)
Safari 148 macuser 10u IPv4 0x06db46e0 0t0 TCP 192.168.0.101:57557->host29.prod.google.com:http (CLOSE_WAIT)
iTunes 644 macuser 21u IPv4 0x05f2f2a4 0t0 TCP *:daap (LISTEN)
In the above lsof output display there’s nothing unusual, but in my aforementioned network troubleshooting, I discovered a BitTorrent client running hidden in the background of one of my networks Macs, and it was seeding several large files! Naturally I killed the BitTorrent client, removed the application, deleted the files, and the Mac LAN is running at full speed again.
Listing Only Established Internet Connections
If you happen to want to only display the established connections (meaning they are actively communicating and a link has been established between the local machine and an outside IP), you can use this command variation of the aforementioned lsof string:
lsof -i | grep -E "(LISTEN|ESTABLISHED)"
You can combine this with ‘watch’ to get an automatically updated list of established connections too.
And if you happen to know the process name, you can always use grep for that specific or vague name too.
This is a bit advanced, but it works quite well for Mac users who are comfortable with the terminal and command line in general. More novice Mac users can use Private Eye to monitor internet and network connections in OS X, which is a free but excellent third party application that runs in the graphical user interface and is a bit easier to parse, particularly if you’re not experienced with the terminal.
[…] are other ways to see similar information from the command line, including lsof, open_ports, and then, branching away from the command line a bit you can use GeekTool with lsof to […]
[…] using a free command line utility called open_ports.sh. Open_Ports is much more useful than using lsof to list open internet connectionsbecause it provides extensive network information in a very easy to read format, including what […]
[…] want to stop the agent running. You probably noticed the agent using something like LittleSnitch or lsof when it tries to access an outside server (typically Akamai) when it checks for software updates. […]
Awwww, come on… torrent-ing the box office weekend movie isn’t worth the bandwidth speed? Hahaha…
Seriously though, thanks for the tip. thats a really useful command line to know.
Can I assume the perpetrator was disciplined for unauthorized use of company computers (if he/she was caught)?