On my MacBook Pro (Monterey), I was looking at packet captures over a period of a few hours and I noticed that something on my box is, every few minutes, pinging other computers on the local network at port 7000 (sometimes my wife's work computer and sometimes my baby monitor). The recipients respond to the SYN packets with RST packets, so no connection is being established. Is there a way to set up some sort of watchdog which identifies which process/executable is attempting the connections when they occur?

I'm looking for a packet sniffer app that runs on MacOS in a GUI (I know I can accomplish some functionality with native CLI utilities like tcpdump). Previously I used Packet Peeper , however it doesn't seem to run in MacOS 10.14 Mojave (the application opens and seems to run, but no window appears). _* [Other questions](https://apple.stackexchange.com/questions/15928/natively-written-packet-sniffer-inspector-for-os-x) have also mentioned PP as the solution, but they're all fairly old._

I'm wondering how I can either kill it or change the port it listens on. Neither lsof -nP -i4TCP:8021 | grep LISTEN nor netstat -av | grep 8021 or launchctl list | awk 'NR>1 {print $3}' | xargs -I % sh -c 'launchctl list "%"' > launchctl.log give me the process ID so I can kill it or get more info.

I am using macOS Ventura 13.3. I know that in Windows and Linux I can enable/disable TCP timestamps via netsh and sysctl commands. In Linux, it is the net.ipv4.tcp_timestamps parameter. macOS has the sysctl command, but I could not find net.ipv4.tcp_timestamps or something similar.

My work requires long-running connections to databases that required this sysctl setting in earlier OSX versions. Since it no longer exists, these connections appear to remain open, but they disconnect. The database client awaits the results that never come while the database shows the query as completed. Is there any setting that can replace the functionality that net.inet.tcp.keepidle provided?

I've activate the pmtu attribute in my machine.

sysctl net.inet.tcp.path_mtu_discovery
net.inet.tcp.path_mtu_discovery: 1

then I've used /usr/bin/nscurl to send messages to a remote gateway with mtu=1000, in hope that it will trigger the pmtu automatically. However, I still witness packet fragmentation. > I Used nscurl since In Apple forum https://developer.apple.com/forums/thread/710848 it looks that if I use NSURLSession framework, it also perform pmtu discover behind the scenes. My question is how can I read the pmtu cache and check what is the selected mtu for a specific path (i've tried netstat -rn but it mtu is missing there) Also, what is the best way to trigger pmtu discovery? UPDATE : after analyzing nscurl traffic, it looks like the pmtu is being calculated on each message passing. However, once the connection is closed, I pmtu is removed and it's being re-calculated all over again. the following packet dump show that first, we try mtu size packets (size 1500) with DF bit set. the rest of the message is sent with ~1000 bytes sized packets (i've deliberately set the mtu of one of the hops to 1000). The problem is that if I try nscurl again, it re-calulate the mtu all over again. I want to be able to read the calculated pmtu and use it elsewhere. Thanks

I see a weird connection request on macos m1 for nettop. This happens on other programs as well. these ips are blocked, but I am wondering what is causing this. This happens specifically on macos, which is why I am asking this here Is there a way to find out what is triggering this? While I showed the screenshot for Google Chrome, this happens with other applications as well.

How do I terminate ALL the ESTABLISHED tcp connections in Terminal? I can use the command below to get a list of active & established connections: netstat -anvp tcp | awk 'NR<3 || /ESTABLISHED/‘ I would like to terminate the connections one by one OR all at the same time. How can I do this?

I've run NMAP several times on my home network in my campaign of learning the basics of network security. So far all my devices except my PC have been Iphones/Chromebooks so nothing has been found in the way of open ports and so on (Apart from a few clear ones i.e 443/80). However, runnining Nmap today I've found these ports randomly opened on the macaddress + Ip address associated with an Iphone 6(IOS V.12.56) I have at home. - 1062/tcp filtered veracity - 1088/tcp filtered cplscrambler-al - 1105/tcp filtered ftranhc - 1217/tcp filtered hpss-ndapi - 2002/tcp filtered globe - 2006/tcp filtered invokator - 2323/tcp filtered 3d-nfsd - 4443/tcp filtered pharos - 5102/tcp filtered admeng - 6101/tcp filtered backupexec - 6346/tcp filtered gnutella - 7103/tcp filtered unknown - 18101/tcp filtered unknown - 26214/tcp filtered unknown - 44443/tcp filtered coldfusion-auth Highly confused and wondering if anyone recognizes these ports for Iphone. Off the bat I see things like Gnutella and coldfusion, to name a few. Highly boggling. Is it the case that Iphone has these specific ports configured. If so, why are they configured if anyone knows? I've referenced some ports with Apple's official statement on TCP/UDP ports [[1] ] and none seem to match. For comparison when doing a network scan on my Iphone 6s(another device), I dont get these results let alone any detection of ports (if I recall correctly, maybe I've seen 443/80 open)

Scanning for Bonjour devices on my network shows a long and obscure string associated with my AirPort Base station using this Bonjour protocol _acp-sync._tcp. What is this? What is it for?

This is a bit of an unusual question but I have a Mac server that gets hit with a lot of DDoS attacks. Usually my data center's mitigation system catches them but sometimes they slip through. When they do, they often can completely kill my system's TCP/IP. Even accessing localhost does not work. TCP/IP is completely dead. But the system is not frozen. It still runs perfectly fine otherwise. I know this because once I reboot the system, I can see all of the log entries from my scripts from the entire time it was offline. I have screen shots of the desktop from when it was offline. Rebooting the server in this state returns it to normal. But I'm hoping there's some way I can restart just the TCPIP stack without rebooting the whole OS? That would at least let me regain access to the machine in a way that, while clumsy, would be significantly less so than hard remote reboots via IPMI. This is all just a band-aide while we work out ways to shore up the DDoS mitigation. But it would be a good band-aide. Also useful, and along similar lines, would be a way to hard flush ALL TCP connections, established, half open, everything including all state information.

I've got a Mac web server that's been getting hit pretty regularly with SYN half-open attacks. I've looked in to various ways to combat this. I've found a lot of general information, but not very much specific information. The "easiest" approach seems to be tweaking tcp settings in sysctl.conf, but I'm having a hard time finding any kind of documentation of these settings. I probably want to increase the total number of available half-open connections, I probably want to reduce the timeout for those connections too, but this is a topic that's not very well documented. Some of the things I've read suggest you shouldn't raise the half-open connection count limit too high because it uses up more memory. But how much memory can an half open connection really consume? A few bytes? Even if it's 1KB each, my server has 24 GB. Right now the server's limit is 512 half-open connections but I feel like tens of thousands should be no sweat, unless there is some other factor I'm not aware of? Which is very possible because again, so little documentation. Moving on, another approach is SYN Proxying/SYN Cookies. These methods remember the details of a syn request, then drop it. Then re-opens it again if the responding ACK ever comes. I don't really see how that is functionally different than just opening the connections directly anyway, it seems like that is how TCP should work so it is inherently resistant to these SYN attacks. But that's beside the point..... So the easiest way to use SYN Proxying for me is to enable it in my pf firewall. But when I try, it doesn't seem to work properly. I did eventually read something that said synproxying in pf doesn't work properly on macOS. Another topic with very little documentation. The other option is to use syncookies, enabled in sysctl.conf. I haven't tried this yet. Part of the reason is because both syncookies and synproxying always have disclaimers about how you shouldn't use it constantly, only when you are under attack etc. Well, ignoring the fact that once you are under attack, it is too late to enable syncookies, I also would really like some elaboration on that warning! That sounds very important. WHY would you not want to use proxying or cookies all the time? What are the downsides if I do? The SYN half-open attack does not seem particularly complicated, I'm surprised there aren't easier ways to mitigate it. To be honest, I'm surprised it wasn't all but eliminated with changes to the way all TCP functions.

I can access all website with standard port(80 and 443) example: domain.com, but why I cant access example.com:3030? I cant connect to MySQL and PostgreSQL, via direct host/port to external IP, but I can connect to MySQL from localhost. I can connect to all external/public hostname/ip, if I try this command: curl domain.com:6030 the result is > curl: (7) Failed to connect to domain.com port 6030: Operation timed > out but I can connect to port 80,443 and 21. I can open domain.com:6030 using another device, but why I can not using my mac? How to fix that? I never turn on firewall.

I have a wireless printer that's connected to our private LAN in our workplace. There is a weird configuration for the printer that it requires two printers to be added. For color - 192.168.51.xxx and one for grayscale - 192.168.51.xxx_1 <--- There's a problem on MacOS that says it cannot connect to a printer with that IP but on windows it runs completely fine. The company previously worked with another IT company and they got it set up on one macbook in the entire workplace, but I cannot replicate the steps that they've taken. Maybe there's other ways to add a printer, besides the regular control panel? I've only seen posts about ports, but not with this kind of IP as it's unusual. The printer model is - Konica Minolta INEO+ 220

I'm looking for a simple command that will list **_ALL_** currently active and/or otherwise bound TCP & UDP sockets, corresponding port numbers and their respective states (i.e. ESTABLISHED, LISTEN, WAIT, etc.) Sort of like a ***reverse*** nmap scan is what I'm going for here.

I'm trying to connect to a device over Ethernet and set a static IP for the Ethernet to talk to the device. When I do this, I can talk to the device but it kills connection to the Wi-Fi and I can't use the Internet. Is there a way to keep the static IP just for the Ethernet and keep the Wi-Fi connection as dynamic?

Every 7–10 days, all internet browsing on my Mac stops working. I can use Firefox, Safari, Chrome, but I'm able to surf only Google and few other sites. So I tried to telnet a webserver on the local LAN on port 80 telnet 192.168.10.10 80 telnet says "connected", but "tcpdump -n host clienthost" at the server side can't see any traffic. I expect to see at least a SYN packet from the client. When I telnet the same server to port 25 telnet 192.168.10.10 25 I can see immediately the regular SYN traffic coming on the server's tcpdump. My suspect is that the Mac has some "socket filter" or "IP filter" or "Interface filter" installed, which is intercepting traffic on port 80 and forwarding to the real server only when after a correct HTTP request is composed on the socket (I composed it with telnet). Please note that OS X firewall and parental control are both switched off. Who is intercepting all my HTTP traffic? I have uninstalled all anti-viruses now. Is there a way, a commandline tool or an application, which enumerates all socket/IP/interface filters and remove them? A similar tool for windows could be sysinternal's "autoruns", but on OS X? EDIT: The solution to the specific problem has been found: it was OS X parental control. It was disabled, never activated, but the parental control filter was still filtering port 80. We entered on System Preferences -> Parental control, clicked on the lock icon and unlocked with the user's password. Then we clicked a second time on the lock icon to lock again, and traffic on port 80 has been immediately started to flow directly from my telnet client to the server. A bug on apple parental control activation ? The question is still open: how can I enumerate all IP/socket/interface filters installed on OS X ?

How can I find out which algorithm OSX10.7 uses (NewReno, SACK, Tahoe...) and if possible, how can I change it?

Is it "safe" to install an App as such: (1) using only a cellular data connection (wifi turned off) login to the App Store. (2) enable wifi. (3) connect to public wifi network. (4) disable cellular data. (5) download app. (6) enable cellular data. (7) disable wifi. (8) install app. The iPhone can jump between wifi and cellular data without breaking a tcp connection right?

I used nmap to portscan my iPod Touch, and found a single port open, which was port 62078, labeled as "iphone-sync". I did some research, and found that the proccess behind it was a program called "lockdownd" which could be used to interface with the iPod. I was wondering if and how I could use this to interface with and possibly control my iPod.