What's Listening to That Port?

How to determine what process is listening to a port under OS X

Many times, people are confused when they try to run a program, and it tells them that it can’t bind to a port because the port is already in use. How can you figure this out? First, like most good things, you have to open up Terminal.app.

Once there, you need to use sudo, or get root through su.

The quickest way to see if a port is in use is to use netstat and grep. Let’s say were looking for port 80:

$ netstat -an | grep 80
tcp4 0 0 *.80 *.* LISTEN
2a0c880 stream 0 0 2c02f78 0 0 0 /private/var/run/cupsd
3b3b880 stream 0 0 0 3b3b908 0 0 /var/run/mDNSResponder
3b3b908 stream 0 0 0 3b3b880 0 0
25b9c38 dgram 0 0 0 25b9880 25b9880 0
25b9880 dgram 0 0 0 25b9c38 25b9c38 0

The first line (tcp4…) shows us that port 80 is indeed in use, and listening for a connection. This is good information, but doesn’t tell you what process is bound to the port. To find that out is a two-step process.

lsof (list open files) is the first tool to use. Since everything under Unix is (basically) treated as a file, even connected sockets, we can find the port itself that way:

# lsof -i tcp:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 492 root 16u IPv4 0×02438aa0 0t0 TCP 192.168.70.8:http (LISTEN)
httpd 4419 www 16u IPv4 0×02438aa0 0t0 TCP 192.168.70.8:http (LISTEN)
httpd 5057 www 16u IPv4 0×02438aa0 0t0 TCP 192.168.70.8:http (LISTEN)
httpd 9242 www 16u IPv4 0×02438aa0 0t0 TCP 192.168.70.8:http (LISTEN)
httpd 16477 www 16u IPv4 0×02438aa0 0t0 TCP 192.168.70.8:http (LISTEN)
httpd 22096 www 16u IPv4 0×02438aa0 0t0 TCP 192.168.70.8:http (LISTEN)

Great, so now we know that a process called httpd is bound to port 80. That’s good, but we can’t stop there! You’ll notice that the second column lists the process ID (PID). Let’s check that out using ps (process status).

# ps ax | grep [4]92
492 ?? Ss 1:27.61 /usr/sbin/httpd

Now we know exactly which executable is taking that port. This last bit is a critical step. Why do you care? If you’re after a non-reserved port (anything above 1024), any process can bind to a port. Let’s imagine that you run services for some curious users. Someone could compile up an app to listen to a port and call it “httpd”. When you look at a regular process listing, this may be normal, and seeing httpd in your process list won’t set off any alarms. However, when something is grabbing a port, and you have a question about it, make sure you track it down to the exact executable that is doing so.

As a last note: In addition to the lsof command above, you can also look at all bindings with the “-P” switch:

$ lsof -i -P
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
iChatAgen 329 marczak 9u IPv4 0×0280d530 0t0 TCP *:5298 (LISTEN)
iChat 3867 marczak 15u IPv4 0×0280a098 0t0 TCP *:* (CLOSED)
iChat 3867 marczak 16u IPv4 0×04470b08 0t0 TCP *:* (CLOSED)
iChat 3867 marczak 19u IPv4 0×0251a450 0t0 UDP *:5060
ARDAgent 4977 marczak 21u IPv4 0×029e2d40 0t0 UDP *:3283
AppleVNCS 4978 marczak 23u IPv4 0×02a3fdac 0t0 TCP *:5900 (LISTEN)

That should help you track down what’s listing on a particular port in OS X - though, some other platforms have slightly more straight-forward ways of doing this.