Who is listening on a given TCP port on Mac OS X? – Dev

The best answers to the question “Who is listening on a given TCP port on Mac OS X?” in the category Dev.

QUESTION:

On Linux, I can use netstat -pntl | grep $PORT or fuser -n tcp $PORT to find out which process (PID) is listening on the specified TCP port. How do I get the same information on Mac OS X?

ANSWER:

Up to macOS 12 Monterey, every version of macOS supports this:

sudo lsof -iTCP -sTCP:LISTEN -n -P

Personally I’ve end up with this simple function in my ~/.bash_profile:

listening() {
    if [ $# -eq 0 ]; then
        sudo lsof -iTCP -sTCP:LISTEN -n -P
    elif [ $# -eq 1 ]; then
        sudo lsof -iTCP -sTCP:LISTEN -n -P | grep -i --color $1
    else
        echo "Usage: listening [pattern]"
    fi
}

Then listening command gives you a listing of processes listening on some port and listening smth greps this for some pattern.

Having this, it’s quite easy to ask about particular process, e.g. listening dropbox, or port, e.g. listening 22.

lsof command has some specialized options for asking about port, protocol, process etc. but personally I’ve found above function much more handy, since I don’t need to remember all these low-level options. lsof is quite powerful tool, but unfortunately not so comfy to use.

ANSWER:

On macOS Big Sur and later, use this command:

sudo lsof -i -P | grep LISTEN

or to just see just IPv4:

sudo lsof -nP -i4TCP:$PORT | grep LISTEN

On older versions, use one of the following forms:

sudo lsof -nP -iTCP:$PORT | grep LISTEN
sudo lsof -nP -i:$PORT | grep LISTEN

Substitute $PORT with the port number or a comma-separated list of port numbers.

Prepend sudo (followed by a space) if you need information on ports below #1024.

The -n flag is for displaying IP addresses instead of host names. This makes the command execute much faster, because DNS lookups to get the host names can be slow (several seconds or a minute for many hosts).

The -P flag is for displaying raw port numbers instead of resolved names like http, ftp or more esoteric service names like dpserve, socalia.

See the comments for more options.

For completeness, because frequently used together:

To kill the PID:

sudo kill -9 <PID>
# kill -9 60401

ANSWER:

Update January 2016

Really surprised no-one has suggested:

lsof -i :PORT_NUMBER

to get the basic information required. For instance, checking on port 1337:

lsof -i :1337

Other variations, depending on circumstances:

sudo lsof -i :1337
lsof -i tcp:1337

You can easily build on this to extract the PID itself. For example:

lsof -t -i :1337

which is also equivalent (in result) to this command:

lsof -i :1337 | awk '{ print $2; }' | head -n 2 | grep -v PID

Quick illustration:

enter image description here

For completeness, because frequently used together:

To kill the PID:

kill -9 <PID>
# kill -9 60401

or as a one liner:

kill -9 $(lsof -t -i :1337)

ANSWER:

You can also use:

sudo lsof -i -n -P | grep TCP

This works in Mavericks.