I don't understand as, sudo lsof -l|grep EST,
works here.
But it doesn't show all the active connections. Again, for Safari, it only shows an open file named "RESTRICTED_OPENER_DOMAINS.wplist" somewhere in /private/var

It shows all the ESTABLISHED connections of Mail, yes, but by all means not all the network activity which is going on.
At least not as I am used to on Linux, for example.

However if I try

sudo tcpdump -i en7 udp

for example, where en7 is my LAN interface, I see a lot of "quic" connections, although it's still difficult to find the ones linked to Safari navigation.

Another more sophisticated network "sniffer" I recommend is Wireshark
 
It shows the ESTABLISHED connections.

The OP is only interested in internet connections. I had misread the command you typed. I see now that what I thought was an "i", you typed "l". So, you're going to get a lot of stuff that has nothing to do with internet connections. When I use your command, I get irrelevant lines with the word MANIFEST in them. "lsof", which stands for "list open files", will list all kinds of files, not just sockets. Maybe you just mistyped.

With respect to internet sockets, ESTABLISHED only applies to TCP; it's one of a number of states a TCP socket can be in.


Have you ever seen ESTABLISHED on a UDP socket?

Certainly the OP, who is missing a lot of stuff when using "lsof -i", will miss much more when filtering for TCP established connections.
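
The point made in the post above (ESTABLISHED is a TCP-only state, so filtering on it drops every UDP socket, QUIC included) as an added example that is not part of the thread. The sample lines are constructed in the column layout of `lsof -i -n -P`, and the process name `exampled` is hypothetical.

```shell
#!/bin/sh
# Added example: classify internet sockets from `lsof -i -n -P` text output.
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]

# Print one line per command:
#   <command> tcp_established=<n> tcp_other=<n> udp=<n>
summarize_sockets() {
  awk '
    $1 == "COMMAND" { next }                     # skip the header row
    $8 == "TCP" {
      if ($10 == "(ESTABLISHED)") est[$1]++      # state is the 10th field
      else other[$1]++                           # LISTEN, CLOSE_WAIT, ...
      seen[$1] = 1
      next
    }
    $8 == "UDP" { udp[$1]++; seen[$1] = 1 }      # UDP rows carry no state
    END {
      for (c in seen)
        printf "%s tcp_established=%d tcp_other=%d udp=%d\n",
               c, est[c], other[c], udp[c]
    }
  ' | sort
}

# Count the internet sockets that a `grep EST` filter would silently drop.
missed_by_est_filter() {
  awk '$1 != "COMMAND" && ($8 == "TCP" || $8 == "UDP") && $0 !~ /EST/ { n++ }
       END { print n + 0 }'
}

# Constructed sample input (documentation addresses, not captured output).
sample_lsof_output() {
  cat <<'EOF'
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
Mail     512 alice 23u IPv4 0x01   0t0      TCP  192.0.2.10:51234->198.51.100.7:993 (ESTABLISHED)
Mail     512 alice 24u IPv4 0x02   0t0      TCP  192.0.2.10:51235->198.51.100.7:993 (ESTABLISHED)
firefox  733 alice 45u IPv4 0x03   0t0      TCP  192.0.2.10:51300->192.0.2.1:443 (ESTABLISHED)
firefox  733 alice 46u IPv4 0x04   0t0      TCP  192.0.2.10:51301->203.0.113.9:443 (CLOSE_WAIT)
exampled 901 alice 7u  IPv4 0x05   0t0      UDP  192.0.2.10:60001->203.0.113.20:443
exampled 901 alice 8u  IPv4 0x06   0t0      UDP  *:5353
EOF
}

# Live use:  sudo lsof -i -n -P | summarize_sockets
```

On the constructed sample, three of the six sockets (one CLOSE_WAIT and both UDP rows) never reach the output of a `grep EST` filter.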

Another more sophisticated network "sniffer" I recommend is Wireshark

Thanks for that. I hadn't thought to use it for the investigation. Using it I've found proof that Safari sockets are not included in the output of lsof. I opened the monitoring dashboard on my local OPNsense router. The command I used was "lsof -i@<ip of router>". Wireshark showed the TCP traffic and lsof showed nothing. I repeated the experiment with Firefox and lsof showed the open socket. This test eliminates any confusion of process naming or whether the traffic is TCP or UDP.

So - issue confirmed. This is significant.
 
But I have no idea what is actually causing it or how to fix it.

Are you logged-in with a Regular User Account?

I do, and I cannot perform Administrator actions until I allow my $ADMINNAME to occupy the Terminal:

Code:
% su - $ADMINNAME
Password: --> Authenticate

Then perform:

Code:
% sudo lsof -l|grep EST
Password: --> Authenticate

Why?

Ever-intensifying efforts to secure the System?

Confuse seasoned Veterans?

Force us to buy iPads? ;)
 
I am a bit confused. I don't have a separate admin account, the environment variable ADMINNAME is not set and, even if it was possible, I can't see why we would need to login as admin and still have to run the command with sudo.
 
But without further investigation, my only reason I think something is hidden is that you see a difference from the previous OS. I trust your memory.

One thing I do notice is that a number of the Apple processes, which communicate to their servers via https, are using the UDP-based QUIC protocol. Maybe that's new and the reason you no longer see established connections to Apple servers that you used to see. But, that's just a guess.
Hmmm now there's an idea. Maybe that explains it. Still very strange though. The same processes are running and appearing under network activity. But besides what you are suggesting, I cannot think of a single reason why they'd all suddenly no longer make remote connections.
 
Hmmm now there's an idea. Maybe that explains it. Still very strange though. The same processes are running and appearing under network activity. But besides what you are suggesting, I cannot think of a single reason why they'd all suddenly no longer make remote connections.

You did read my post that I've confirmed processes are hidden in lsof output? It was at the end of my post #29.
 
There's no way Apple support will assist with this. Maybe raise the issue on the lsof Github repository.


The following site suggests that the Darwin version is actively maintained there with all others. Hopefully Apple is not screwing around with it.

 