Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

sudo lsof -i no longer returns most processes after updating to Sequoia

buggz said:
I don't understand as, sudo lsof -l|grep EST,
works here.
Click to expand...
But it doesn't show all the active connections. Again, for Safari, it only shows an open file named "RESTRICTED_OPENER_DOMAINS.wplist" somewhere in /private/var

It show all the ESTABLISHED connections of Mail, yes, but by all means not all the network activity which is going on.
At least not as I am used on Linux, for example.

However if i try

sudo tcpdump -i en7 udp

for example, where en7 is my LAN interface, I see a lot of "quic" connections, although it's still difficult to find the ones linked to Safari navigation.

Another more sophisticate network "sniffer" I recommend is Wireshark
 
buggz said:
It shows the ESTABLISHED connections.
Click to expand...

The OP is only interested in internet connections. I had misread the command you typed. I see now that what I thought was an "i", you typed "l". So, you're going to get a lot of stuff that has nothing to do with internet connections. When I use your command, I get irrelevant lines with the word MANIFEST in them. "lsof", which stands for "list open files", will list all kinds of files, not just sockets. Maybe you just mistyped.

With respect to internet sockets, ESTABLISHED only applies to TCP; it's one of a number states a TCP socket can be in.


Have you ever seen ESTABLISHED on a UDP socket?

Certainly the OP, who is missing a lot of stuff when using "lsof -i", will miss much more when filtering for TCP established connections.

JoeSilver said:
Another more sophisticate network "sniffer" I recommend is Wireshark
Click to expand...

Thanks for that. I hadn't thought to use it for the investigation. Using it I've found proof that Safari sockets are not included in the output of lsof. I opened the monitoring dashboard on my local OPNsense router. The command I used was "lsof -i@<ip of router>. Wireshark showed the TCP traffic and lsof showed nothing. I repeated the experiment with Firefox and lsof showed the open socket. This test eliminates any confusion of process naming or whether the traffic is TCP or UDP.

So - issue confirmed. This is significant.
 
humpbacktwale said:
But I have no idea what is actually causing it or how to fix it.
Click to expand...

Are you logged-in with a Regular User Account?

I do, and I cannot perform Administrator actions until I allow my $ADMINNAME to occupy the Terminal:

Code: 
% su - $ADMINNAME
Password: --> Authenticate

Then perform:

Code: 
% sudo lsof -l|grep EST
Password: --> Authenticate

Why?

Ever-intensifying efforts to secure the System?

Confuse seasoned Veterans?

Force us to buy iPads? ;)
 
I am a bit confused. I don't have a separate admin account, the environment variable ADMINNAME is not set and, even if it was possible, I can't see why we would need to login as admin and still have to run the command with sudo.
 
svenmany said:
But without further investigation, my only reason I think something is hidden is that you see a difference from the previous OS. I trust your memory.

One thing I do notice is that a a number of the Apple processes, which communicate to their servers via https, are using the UDP-based QUIC protocol. Maybe that's new and the reason you no longer see established connections to Apple servers that you used to see. But, that's just a guess.
Click to expand...
Hmmm now there's an idea. Maybe that explains it. Still very strange though. The same processes are running and appearing under network activty. But besides what you are suggesting, I cannot think of a single reason why they'd all suddenly no longer make remote connections.
 
humpbacktwale said:
Hmmm now there's an idea. Maybe that explains it. Still very strange though. The same processes are running and appearing under network activty. But besides what you are suggesting, I cannot think of a single reason why they'd all suddenly no longer make remote connections.
Click to expand...

You did read my post that I've confirmed processes are hidden in lsof output? It was at the end of my post #29.
 
There's no way Apple support will assist with this. Maybe raise the issue on the lsof Github repository.

github.com

Issues · lsof-org/lsof

LiSt Open Files. Contribute to lsof-org/lsof development by creating an account on GitHub.
github.com github.com

The following site suggests that the Darwin version is actively maintained there with all others. Hopefully Apple is not screwing around with it.

 
JoeSilver said:
I am a bit confused. I don't have a separate admin account, the environment variable ADMINNAME is not set and, even if it was possible, I can't see why we would need to login as admin and still have to run the command with sudo.
Click to expand...

I'm merely relating my personal experience.

I do not conduct my daily activities with Administrator privileges.

If I need to do something that requires Executive Privileges, I can temporarily slip-into my administrative-level account, and take care of whatever activity needs-be completed.

"$ADMINNAME' is not $env, but shorthand for "whatever-your-Administrator-account-name-may-be" ;)

As you continue your own deep-dives, you'll come to understand the nuance/stratification.

I seriously advise anyone to not occupy accounts with Administrator Account privileges on-the-daily . . . simple, safe Hex.
 
JoeSilver said:
I am a bit confused. I don't have a separate admin account, the environment variable ADMINNAME is not set and, even if it was possible, I can't see why we would need to login as admin and still have to run the command with sudo.
Click to expand...

The OP already said that they ran lsof using sudo without getting an error. Therefore the user that they were logged in as would have been represented in the /etc/sudoers file. So, it wouldn't have made any difference if they had run "su - <adminuser>" before running the sudo command.

My sudoers file has a line:

%admin ALL = (ALL) ALL

which means that any user in the admin group can become the superuser, aka root, using the sudo command.

If you're in the shell as a non-admin user, the su (switch user) command can be used to switch you to a user that is represented in the sudoers file. An alternative is to add the non-admin user to the sudoers file. That feels like it lessens the protection of the practice of using a non-admin account.
 
lsof version in 15.4.1 is 4.91. To build and run lsof 4.99.4 from source:
Code: 
git clone https://github.com/lsof-org/lsof.git
cd lsof     
./Configure darwin
make
./lsof -h
 
svenmany said:
You did read my post that I've confirmed processes are hidden in lsof output? It was at the end of my post #29.
Click to expand...
Apologies, I seen you were replying to someone else and thought the comment was related to their query. Well this is all very strange. Surely it must be a bug, as there's no reason why they'd just decide to hide that traffic from a termina tool.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back