June 26, 2007, 3:02 p.m.
IT

Determining socket owners on Mac OS X

In the Linux world one has netstat and fuser to figure out which PID has opened a given socket. In Mac OS X, netstat does not provide PIDs and fuser is missing...

I found this interesting article on how to solve this dilemma.

Basically, you use the lsof utility, which lists open files (a socket is handled as a special file) together with the PIDs of their owners:

waldo@waldopcm waldo $ sudo lsof -i -P | grep 500
Password:
racoon 189 root 6u IPv4 0x9a92820 0t0 UDP 10.211.55.4:500
racoon 189 root 7u IPv4 0x8deb0d0 0t0 UDP 10.211.55.4:4500
racoon 189 root 8u IPv6 0x9a92270 0t0 UDP [fe80:8::21c:42ff:fe00:1]:500
racoon 189 root 9u IPv4 0x9a92410 0t0 UDP 10.37.129.3:500
racoon 189 root 10u IPv4 0x9a920d0 0t0 UDP 10.37.129.3:4500
racoon 189 root 11u IPv6 0xa0af380 0t0 UDP [fe80:7::21c:42ff:fe00:0]:500
racoon 189 root 12u IPv4 0xa0af520 0t0 UDP 169.254.108.92:500
racoon 189 root 13u IPv4 0x9a92c30 0t0 UDP 169.254.108.92:4500
racoon 189 root 14u IPv4 0x8deb4e0 0t0 UDP 192.168.0.72:500
racoon 189 root 15u IPv4 0xa0b5270 0t0 UDP 192.168.0.72:4500
racoon 189 root 16u IPv4 0x9a93790 0t0 UDP localhost:500
racoon 189 root 17u IPv4 0x9a924e0 0t0 UDP localhost:4500
racoon 189 root 18u IPv6 0x9a93040 0t0 UDP [fe80:1::1]:500
racoon 189 root 19u IPv6 0x8dece10 0t0 UDP localhost:500

In this case, port 500 is a UDP port opened by the process with PID 189.

It is then a trivial matter of finding the process's name:

waldo@waldopcm waldo $ ps auxp 189
root 189 0.0 -0.0 27680 328 ?? Ss Sat07PM 0:01.06 racoon

or you could simply determine the name from the first column in the output from lsof.
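
An added example (not from the original post): `grep 500` also matches port 4500 and any line that merely contains "500", so this shell function filters lsof output on the exact local port and prints each owner once. The function names owners_of_port and sample_lsof and the two sample lines for PID 4500 are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-port owner lookup over `lsof -i -P` output.
# Real use (assumes lsof is installed):  sudo lsof -i -P | owners_of_port 500

# owners_of_port PORT
# Reads lsof output on stdin; prints "PID COMMAND PROTO" once per owner
# whose LOCAL port equals PORT exactly.
owners_of_port() {
    awk -v port="$1" '
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
        NF >= 9 && $2 ~ /^[0-9]+$/ {      # skips the header line
            name = $9
            sub(/->.*/, "", name)         # connected socket: keep local side only
            n = split(name, part, ":")    # port follows the last colon, IPv6 too
            if (part[n] == port && !seen[$2 " " $8]++)
                print $2, $1, $8
        }'
}

# Constructed sample: three lines from the output above plus two made-up
# lines (PID 4500) that a plain `grep 500` would also match.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
racoon    189 root    6u  IPv4 0x9a92820      0t0  UDP 10.211.55.4:500
racoon    189 root    7u  IPv4 0x8deb0d0      0t0  UDP 10.211.55.4:4500
racoon    189 root    8u  IPv6 0x9a92270      0t0  UDP [fe80:8::21c:42ff:fe00:1]:500
exampled 4500 root    5u  IPv4 0x0000001      0t0  TCP *:8080 (LISTEN)
exampled 4500 root    6u  IPv4 0x0000002      0t0  TCP 192.0.2.10:8080->192.0.2.20:500 (ESTABLISHED)
EOF
}

sample_lsof | owners_of_port 500     # 189 racoon UDP
```
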

racoon is Mac OS X's IKE (ISAKMP/Oakley) key management daemon. This process interfered with my Cisco VPN.

Voila!