OS X Sockets and Their Processes

How do we list sockets with the process names and PIDs that occupy them in OS X?

Imagine that our goal is to get a list of listening TCP sockets on OS X and the process names/PIDs that are using them. How would we go about displaying this data? We can start by asking ourselves how we would do it in Linux.

Using ss

In Debian GNU/Linux we can use the ss command with the -n (do not resolve service names) -l (display listening sockets) -p (display process using socket) and -t (display only TCP sockets) flags.

root@debian:~# ss -nlpt

This gives us the output that we are looking for. Once we move to OS  X we discover that the ss command is not available. We always want to live off the land and not install anything special to gather our data. Using ss is not an option and we move on to netstat.

Using netstat

Although netstat and ss are different programs the flags in this next example have the same meaning. (As we’ll see this is simply not true for the netstat build included in OS X.) Use the following command/flag combination in Linux.

root@debian:~# netstat -nlpt

Like ss, netstat on Linux gives us the output we are looking for. Even better is that OS X comes with netstat. Let’s try that same command/flag combination in OS X.

osx:~ root# netstat -nlpt
netstat: t: unknown or uninstrumented protocol

The OS X build of netstat has flags that are different than what we expect on Linux. Some flags have different functions while some functions simply do not exist. Notably here the -p flag does not display the process name and PID in OS X. Instead it is used to specify a protocol to filter. The error above is the result of us specifying the protocol t, which does not exist. (Rearranging our flags will give us a different error but the cause will continue to be our -p flag not being provided a protocol to filter.) The real bad news comes when we read the OS X netstat man page and find out that there is no flag to display the process information that we are looking for.

This is an obstacle for us but not one that we can’t overcome. We can move on to lsof.

Using lsof

We can use lsof to do a lot of things, one of which is to show socket information. In fact we can use the right flags to display the exact information we are looking for.

Here’s the command and flags that I tend to use in OS X. Run it in both Linux and OS X to verify that the application behaves identically on each system.

root@debian:~# lsof -nPl -iTCP -sTCP:LISTEN
osx:~ root# lsof -nPl -iTCP -sTCP:LISTEN

The command works and we get the identical output formats in both Linux and OS X.

We can display and collect the information we are looking for.

Too Long; Didn’t Read

Use the following command/flag combination in OS X to list listening TCP sockets with the process name and PID associated with them.

osx:~ root# lsof -nPl -iTCP -sTCP:LISTEN

You can check out the lsof man page to change the display options and filters as necessary. Many options are available and piping any output into grep may provide additional granularity.

Do you know of a better way?

Let me know! I’d love to know of any better or different ways to gather this kind of data in OS X.

OS X Sockets and Their Processes