With all applications closed, tcpdump reveals that my Mac is sending packets to a handful of IPs sporadically. They're are bursts of packets with no data payload and with unusual TCP sequence numbers (like a covert channel). Is there a way to determine which process is originating these packets from either the command line or programmatically?
Note: I have used ipfw to egr开发者_如何学Goess filter the destination IPs, so I am not worried about data exfiltration.
I'd be lazy and simply install Little Snitch (free trial available) ;)
However, if it's a TCP connection, you should easily be able to find the culprit in netstat
if you check during or shortly after the suspicious packets are sent.
And if you want to get really fancy, write yourself a kernel extension that does what you want. Apple has a lovely guide and even sample code that does just what you are looking for.
Apple has made a modification to tcpdump so it supports a few metadata options, from the manual page of Mac OS X tcpdump:
-k Control the display of packet metadata via an optional metadata_arg argument. This is useful when displaying packet saved in the pcap-ng file format
or with interfaces that support the PKTAP data link type.
By default, when the metadata_arg optional argument is not specified, any available packet metadata information is printed out.
The metadata_arg argument controls the display of specific packet metadata information using a flag word, where each character corresponds to a type
of packet metadata as follows:
I interface name (or interface ID)
N process name
P process ID
S service class
D direction
C comment
This is an Apple modification.
So when running tcpdump with -k N we can see the process name:
19:12:51.823518 pid Google Chrome.313 svc BK IP 192.168.100.191.49424 > 216.58.209.133.443: Flags [.], ack 74, win 4093, options [nop,nop,TS val 507317615 ecr 3185588461], length 0
19:12:51.823518 pid Google Chrome.313 svc BK IP 192.168.100.191.49424 > 216.58.209.133.443: Flags [.], ack 329, win 4088, options [nop,nop,TS val 507317615 ecr 3185588462], length 0
I had the same question, with one exception - my TCP traffic was on lo0 and it was not established, but some process was trying to connect to localhost and some port. My task was to identify who is trying to connect. Little Snitch was useless at that point.
But I found that nettop
is pretty helpful. I found process in its output constantly changing TCP connection states SynSent/Fin/etc and it was what I was looking for.
精彩评论