I don't understand, as "sudo lsof -l|grep EST" works here.
But it doesn't show all the active connections. Again, for Safari, it only shows an open file named "RESTRICTED_OPENER_DOMAINS.wplist" somewhere in /private/var

It shows all the ESTABLISHED connections of Mail, yes, but by no means all the network activity which is going on.
At least not as I am used to on Linux, for example.

However, if I try

sudo tcpdump -i en7 udp

for example, where en7 is my LAN interface, I see a lot of "quic" connections, although it's still difficult to find the ones linked to Safari navigation.

Another, more sophisticated network "sniffer" I recommend is Wireshark.
 
It shows the ESTABLISHED connections.

The OP is only interested in internet connections. I had misread the command you typed. I see now that what I thought was an "i", you typed "l". So, you're going to get a lot of stuff that has nothing to do with internet connections. When I use your command, I get irrelevant lines with the word MANIFEST in them. "lsof", which stands for "list open files", will list all kinds of files, not just sockets. Maybe you just mistyped.

With respect to internet sockets, ESTABLISHED only applies to TCP; it's one of a number of states a TCP socket can be in.


Have you ever seen ESTABLISHED on a UDP socket?

Certainly the OP, who is missing a lot of stuff when using "lsof -i", will miss much more when filtering for TCP established connections.

Another, more sophisticated network "sniffer" I recommend is Wireshark.

Thanks for that. I hadn't thought to use it for the investigation. Using it I've found proof that Safari sockets are not included in the output of lsof. I opened the monitoring dashboard on my local OPNsense router. The command I used was "lsof -i@<ip of router>". Wireshark showed the TCP traffic and lsof showed nothing. I repeated the experiment with Firefox and lsof showed the open socket. This test eliminates any confusion of process naming or whether the traffic is TCP or UDP.

So - issue confirmed. This is significant.
 
But I have no idea what is actually causing it or how to fix it.

Are you logged-in with a Regular User Account?

I do, and I cannot perform Administrator actions until I allow my $ADMINNAME to occupy the Terminal:

Code:
% su - $ADMINNAME
Password: --> Authenticate

Then perform:

Code:
% sudo lsof -l|grep EST
Password: --> Authenticate

Why?

Ever-intensifying efforts to secure the System?

Confuse seasoned Veterans?

Force us to buy iPads? ;)
 
I am a bit confused. I don't have a separate admin account, the environment variable ADMINNAME is not set and, even if it was possible, I can't see why we would need to login as admin and still have to run the command with sudo.
 
But without further investigation, my only reason I think something is hidden is that you see a difference from the previous OS. I trust your memory.

One thing I do notice is that a number of the Apple processes, which communicate to their servers via https, are using the UDP-based QUIC protocol. Maybe that's new and the reason you no longer see established connections to Apple servers that you used to see. But, that's just a guess.
Hmmm now there's an idea. Maybe that explains it. Still very strange though. The same processes are running and appearing under network activity. But besides what you are suggesting, I cannot think of a single reason why they'd all suddenly no longer make remote connections.
 
Hmmm now there's an idea. Maybe that explains it. Still very strange though. The same processes are running and appearing under network activity. But besides what you are suggesting, I cannot think of a single reason why they'd all suddenly no longer make remote connections.

You did read my post that I've confirmed processes are hidden in lsof output? It was at the end of my post #29.
 
There's no way Apple support will assist with this. Maybe raise the issue on the lsof Github repository.


The following site suggests that the Darwin version is actively maintained there with all others. Hopefully Apple is not screwing around with it.

 
I am a bit confused. I don't have a separate admin account, the environment variable ADMINNAME is not set and, even if it was possible, I can't see why we would need to login as admin and still have to run the command with sudo.

I'm merely relating my personal experience.

I do not conduct my daily activities with Administrator privileges.

If I need to do something that requires Executive Privileges, I can temporarily slip-into my administrative-level account, and take care of whatever activity needs-be completed.

"$ADMINNAME" is not $env, but shorthand for "whatever-your-Administrator-account-name-may-be" ;)

As you continue your own deep-dives, you'll come to understand the nuance/stratification.

I seriously advise anyone to not occupy accounts with Administrator Account privileges on-the-daily . . . simple, safe Hex.
 
I am a bit confused. I don't have a separate admin account, the environment variable ADMINNAME is not set and, even if it was possible, I can't see why we would need to login as admin and still have to run the command with sudo.

The OP already said that they ran lsof using sudo without getting an error. Therefore the user that they were logged in as would have been represented in the /etc/sudoers file. So, it wouldn't have made any difference if they had run "su - <adminuser>" before running the sudo command.

My sudoers file has a line:

%admin ALL = (ALL) ALL

which means that any user in the admin group can become the superuser, aka root, using the sudo command.

If you're in the shell as a non-admin user, the su (switch user) command can be used to switch you to a user that is represented in the sudoers file. An alternative is to add the non-admin user to the sudoers file. That feels like it lessens the protection of the practice of using a non-admin account.
 
lsof version in 15.4.1 is 4.91. To build and run lsof 4.99.4 from source:
Code:
git clone https://github.com/lsof-org/lsof.git
cd lsof
./Configure darwin
make
./lsof -h
 
You did read my post that I've confirmed processes are hidden in lsof output? It was at the end of my post #29.
Apologies, I saw you were replying to someone else and thought the comment was related to their query. Well this is all very strange. Surely it must be a bug, as there's no reason why they'd just decide to hide that traffic from a terminal tool.
 
I can confirm that lsof currently shipping simply can't see everything anymore. Here's APNS:

Code:
# netstat -naptcp | grep 5223
tcp4       0      0  10.0.1.2.62934       17.57.145.40.5223      ESTABLISHED
# lsof -n -i@17.57.145.40
#

Most likely because apsd is connecting via a kernel control socket. In this case, however, nettop can see it:

Code:
# nettop -l 1 -p 353
time                                                                                                             interface         state        bytes_in       bytes_out   rx_dupe    rx_ooo     re-tx   rtt_avg   rcvsize    tx_win  tc_class    tc_mgt   cc_algo P C R W arch
10:22:15.068310 apsd.353                                                                                                                        7192 B            80 KiB   694 B       0 B       0 B
10:22:15.065905    tcp4 10.0.1.2:63655<->17.57.145.40:5223                                                           en0   Established        7192 B            80 KiB   694 B       0 B       0 B    20.22 ms   128 KiB   124 KiB        RD         -     cubic - - - -   ch

edit to add, for completeness:

Code:
# lsof -n -p 353
COMMAND PID USER   FD      TYPE             DEVICE SIZE/OFF                NODE NAME
apsd    353 root  cwd       DIR               1,13      704                   2 /
apsd    353 root  txt       REG               1,13  4238592 1152921500312231194 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
apsd    353 root  txt       REG               1,13    66840           117741019 /Library/Preferences/Logging/.plist-cache.vs9ei1aH
apsd    353 root  txt       REG               1,13    32768           117741085 /private/var/db/mds/messages/se_SecurityMessages
apsd    353 root  txt       REG               1,13   235024           115285746 /private/var/db/timezone/tz/2025b.1.0/icutz/icutz44l.dat
apsd    353 root  txt       REG               1,13   293171           117741238 /private/var/db/analyticsd/events.allowlist
apsd    353 root  txt       REG               1,13      110 1152921500312087311 /System/Library/CoreServices/SystemVersion.bundle/en_AU.lproj/SystemVersion.strings
apsd    353 root  txt       REG               1,13  2288832 1152921500312522782 /usr/lib/dyld
apsd    353 root  txt       REG               1,13    32768            57996658 /private/var/root/Library/Group Containers/group.com.apple.apsd/ApplePushService/aps.db-shm
apsd    353 root  txt       REG               1,13  1137487 1152921500312129906 /System/Library/Frameworks/CFNetwork.framework/Versions/A/Resources/DafsaData.bin
apsd    353 root  txt       REG               1,13 33979312 1152921500312533288 /usr/share/icu/icudt76l.dat
apsd    353 root  txt       REG               1,13   285127 1152921500312129910 /System/Library/Frameworks/CFNetwork.framework/Versions/A/Resources/Localizable.loctable
apsd    353 root    0r      CHR                3,2      0t0                 336 /dev/null
apsd    353 root    1u      CHR                3,2      0t0                 336 /dev/null
apsd    353 root    2u      CHR                3,2   0t6726                 336 /dev/null
apsd    353 root    3u      REG               1,13   946176            57996615 /private/var/root/Library/Group Containers/group.com.apple.apsd/ApplePushService/aps.db
apsd    353 root    4   NPOLICY                                               
apsd    353 root    5u      REG               1,13     4152            57996657 /private/var/root/Library/Group Containers/group.com.apple.apsd/ApplePushService/aps.db-wal
apsd    353 root    6u      REG               1,13    32768            57996658 /private/var/root/Library/Group Containers/group.com.apple.apsd/ApplePushService/aps.db-shm
apsd    353 root    7r      REG               1,13   946176            57996615 /private/var/root/Library/Group Containers/group.com.apple.apsd/ApplePushService/aps.db
apsd    353 root    8u    systm 0x78f4c0f338579e6f      0t0                     [ctl com.apple.netsrc id 7 unit 11]
apsd    353 root   10      CHAN             flowsw                              366038F0-E6FC-4FA7-888F-7C7AE39789E5[5] user-packet-pool
apsd    353 root   11u     unix 0x8b955eea09b03eee      0t0                     ->0x728ca4b80a7aa9c3
apsd    353 root   12r      REG               1,13    68777           128838846 /Library/Preferences/com.apple.apsd.plist

Not certain but I think the com.apple.netsrc on fd 8 represents the connection resource.
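A scripted form of the netstat-versus-lsof comparison in the post above (and of the router-IP experiment earlier in the thread), added here as an example and not code posted by anyone in the thread: it parses macOS netstat -an style output and lsof -nP -iTCP -sTCP:ESTABLISHED style output and lists the established TCP connections that lsof does not report. The sample output below is constructed for the demonstration, not captured from a real machine.

```shell
# Print one "local->remote" pair per ESTABLISHED TCP line of `netstat -an` output (stdin).
# macOS netstat writes 10.0.1.2.62934; the last dot separates the port, so it is
# rewritten to a colon to match lsof's address notation.
netstat_established() {
  awk 'function fixport(a,  i) { i = match(a, /\.[0-9]+$/); return substr(a, 1, i - 1) ":" substr(a, i + 1) }
       $1 ~ /^tcp/ && $NF == "ESTABLISHED" { print fixport($4) "->" fixport($5) }'
}

# Print one "local->remote" pair per line of `lsof -nP -iTCP -sTCP:ESTABLISHED` output (stdin).
lsof_established() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /->/) print $i }'
}

# List connections netstat reports that lsof does not; empty output means lsof saw everything.
# $1: netstat output, $2: lsof output (both passed as strings).
unseen_by_lsof() {
  tmp_n=$(mktemp); tmp_l=$(mktemp)
  printf '%s\n' "$1" | netstat_established | sort -u > "$tmp_n"
  printf '%s\n' "$2" | lsof_established | sort -u > "$tmp_l"
  comm -23 "$tmp_n" "$tmp_l"
  rm -f "$tmp_n" "$tmp_l"
}

# Constructed sample data: netstat shows two established connections (the APNS one
# modelled on the thread's 17.57.145.40:5223 line plus a browser session); the first
# lsof sample reports only the browser, the second reports both.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.1.2.62934         17.57.145.40.5223      ESTABLISHED
tcp4       0      0  10.0.1.2.50122         192.168.1.1.443        ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN'
SAMPLE_LSOF_PARTIAL='COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
firefox  1234 bob   45u  IPv4 0x1a2b3c4d5e6f7a8b      0t0  TCP 10.0.1.2:50122->192.168.1.1:443 (ESTABLISHED)'
SAMPLE_LSOF_FULL="$SAMPLE_LSOF_PARTIAL
apsd      353 root   8u  IPv4 0x9f8e7d6c5b4a3f2e      0t0  TCP 10.0.1.2:62934->17.57.145.40:5223 (ESTABLISHED)"

# Live use on macOS (root needed to see other users' sockets):
#   unseen_by_lsof "$(sudo netstat -naptcp)" "$(sudo lsof -nP -iTCP -sTCP:ESTABLISHED)"
unseen_by_lsof "$SAMPLE_NETSTAT" "$SAMPLE_LSOF_PARTIAL"
```

Any line it prints is a connection the kernel knows about but lsof cannot attribute to a file descriptor, which is the gap the thread is describing; nettop -l 1 can then be used to find the owning process.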
 