Recently I turned on UPnP (Universal Plug and Play) to play with it a bit and instantly noticed that someone/something had opened some ports in my router and forwarded them to my machine. So of course I wanted to know what’s going on on my network. My first idea was Wireshark, but this only tells you which port the UPnP stuff uses; it doesn’t tell you the application that initiated these packets. For the curious, here is the filter you can use:
udp.dstport == 1900 && http && ip.addr == 192.168.1.100
<Imagine a picture that shows you that port 4500 and 5353 are open>
So ports 4500 and 5353 (both UDP) are forwarded to my Mac, but which software is behind this? Strangely,
$ lsof -i :4500
$ lsof -i :5353
both show nothing, but with a small trick we can get around this. In a different terminal we use the ncat command (which you can install with Homebrew) with
$ ncat -u localhost 4500
and when we now call the lsof command again, we can see which program is causing it
$ lsof -i :4500
COMMAND   PID    USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ncat    57954 hashier    5u  IPv6 0x9fa0d8326998071f      0t0  UDP localhost:49850->localhost:ipsec-msft
$ lsof -i :5353
COMMAND   PID    USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ncat    57960 hashier    5u  IPv6 0x9fa0d8326998071f      0t0  UDP localhost:49851->localhost:mdns
We can see that ncat is making connections over UDP to localhost, and the programs which are “answering” those requests are: ipsec-msft and mdns. This raised an eyebrow because I didn’t do anything with VPN or IPsec, so I started googling and found this nice Apple page which explained to me which services forward those ports, and apparently it’s just “Back to My Mac” and some “Bonjour” stuff.
– Removed a typo: of course I don’t want ncat to listen, so I removed the -l flag.
– Why do we do this with ncat anyway? Sometimes the service is not started until a packet arrives on the given port number, so we send a UDP packet to that port number and then the service gets started. If we don’t do this, we just won’t see anything running in lsof.
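As an added example (not part of the original post): a small shell function that reads `lsof -nP -iUDP` output and, for each forwarded UDP port, separates processes bound to the port from clients that only send to it, such as the ncat probe above. The function name `udp_port_owners` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `lsof -nP -iUDP` output on
# stdin and reports, for each UDP port given as an argument, which processes
# are bound to it and which are only clients sending to it.
udp_port_owners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, want, " ") }
        $1 == "COMMAND" { next }              # skip the header row
        {
            name = $NF                        # "*:5353" or "a:49850->b:4500"
            remote = ""
            i = index(name, "->")
            if (i > 0) {                      # connected socket: split local/remote
                remote = substr(name, i + 2)
                name = substr(name, 1, i - 1)
            }
            sub(/.*:/, "", name)              # keep the port after the last colon
            sub(/.*:/, "", remote)
            for (k = 1; k <= n; k++) {
                role = (name == want[k]) ? "bound" : ((remote == want[k]) ? "client" : "")
                if (role == "") continue
                if (role == "bound") seen[want[k]] = 1
                key = want[k] " " role " " $1 " " $2 " " $3
                if (!(key in done)) { done[key] = 1; print key }   # one line per process
            }
        }
        # "unbound": no socket visible to this lsof run is bound to the port
        END { for (k = 1; k <= n; k++) if (!(want[k] in seen)) print want[k], "unbound" }
    '
}

# Constructed sample in `lsof -nP -iUDP` layout (PIDs and devices are made up).
SAMPLE='COMMAND     PID           USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
mDNSRespo   212 _mdnsresponder    6u  IPv4 0x0000000000000001      0t0  UDP *:5353
mDNSRespo   212 _mdnsresponder    7u  IPv6 0x0000000000000002      0t0  UDP *:5353
ncat      57954        hashier    5u  IPv6 0x0000000000000003      0t0  UDP [::1]:49850->[::1]:4500
ntpd        301           root   20u  IPv4 0x0000000000000004      0t0  UDP *:123'

printf '%s\n' "$SAMPLE" | udp_port_owners 4500 5353
# Live use; sudo so that sockets of other users daemons are listed too:
#   sudo lsof -nP -iUDP | udp_port_owners 4500 5353
```

The `-nP` flags keep addresses and ports numeric, so the port column can be compared directly with the numbers shown in the router's UPnP mapping table.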