How do I identify which program is sending traffic?

I have a MacBook with the PF firewall Icefloor installed. Even when my computer is idle, I see a lot of traffic (multiple requests per second) going to IPs that belong to Google. There is no Google-related software on my laptop, so I cannot work out which program is sending this traffic. The log looks like this (apologies if it is unreadable):

00:00:00.210298 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61141 > 74.125.239.46.443: Flags [S], seq 2894619202, win 65535, options [mss 1460,sackOK,eol], length 0
00:00:00.000022 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61140 > 74.125.239.46.443: Flags [S], seq 1043451854, win 65535, options [mss 1460,sackOK,eol], length 0
00:00:00.000329 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61142 > 74.125.239.38.443: Flags [S], seq 3844968709, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611114282 ecr 0,sackOK,eol], length 0
00:00:00.000122 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61143 > 74.125.239.38.443: Flags [S], seq 1475886131, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611114282 ecr 0,sackOK,eol], length 0
00:00:01.104061 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61143 > 74.125.239.38.443: Flags [S], seq 1475886131, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611115380 ecr 0,sackOK,eol], length 0
00:00:00.000021 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61142 > 74.125.239.38.443: Flags [S], seq 3844968709, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611115380 ecr 0,sackOK,eol], length 0
00:00:01.104240 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61143 > 74.125.239.38.443: Flags [S], seq 1475886131, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611116479 ecr 0,sackOK,eol], length 0
00:00:00.000012 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61142 > 74.125.239.38.443: Flags [S], seq 3844968709, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611116479 ecr 0,sackOK,eol], length 0
00:00:00.401585 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61144 > 74.125.239.114.80: Flags [S], seq 1846641104, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611116878 ecr 0,sackOK,eol], length 0
00:00:00.200267 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61121 > 74.125.239.115.80: Flags [S], seq 2827866371, win 65535, options [mss 1460,sackOK,eol], length 0
00:00:00.000028 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61120 > 74.125.239.114.80: Flags [S], seq 494227975, win 65535, options [mss 1460,sackOK,eol], length 0
00:00:00.000220 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61145 > 74.125.239.115.80: Flags [S], seq 3019819231, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611117078 ecr 0,sackOK,eol], length 0
00:00:00.500626 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61143 > 74.125.239.38.443: Flags [S], seq 1475886131, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611117577 ecr 0,sackOK,eol], length 0
00:00:00.000015 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61142 > 74.125.239.38.443: Flags [S], seq 3844968709, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611117577 ecr 0,sackOK,eol], length 0
00:00:00.401023 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61144 > 74.125.239.114.80: Flags [S], seq 1846641104, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611117977 ecr 0,sackOK,eol], length 0
00:00:00.201283 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61145 > 74.125.239.115.80: Flags [S], seq 3019819231, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611118178 ecr 0,sackOK,eol], length 0

00:00:00.000021 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61142 > 74.125.239.38.443: Flags [S], seq 3844968709, win 65535, options [mss 1460,sackOK,eol], length 0
00:00:00.100267 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61148 > 74.125.239.115.80: Flags [S], seq 3938563181, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611125783 ecr 0,sackOK,eol], length 0
00:00:00.000019 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61147 > 74.125.239.114.80: Flags [S], seq 569830445, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611125783 ecr 0,sackOK,eol], length 0
00:00:01.102604 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61148 > 74.125.239.115.80: Flags [S], seq 3938563181, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611126881 ecr 0,sackOK,eol], length 0
00:00:00.000020 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61147 > 74.125.239.114.80: Flags [S], seq 569830445, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611126881 ecr 0,sackOK,eol], length 0
00:00:01.104752 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61148 > 74.125.239.115.80: Flags [S], seq 3938563181, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611127980 ecr 0,sackOK,eol], length 0
00:00:00.000015 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61147 > 74.125.239.114.80: Flags [S], seq 569830445, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611127980 ecr 0,sackOK,eol], length 0
00:00:00.200789 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61123 > 74.125.239.114.80: Flags [S], seq 3185633232, win 65535, options [mss 1460,sackOK,eol], length 0
00:00:00.100509 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61144 > 74.125.239.114.80: Flags [S], seq 1846641104, win 65535, options [mss 1460,sackOK,eol], length 0
00:00:00.000031 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61125 > 74.125.239.115.80: Flags [S], seq 2940959116, win 65535, options [mss 1460,sackOK,eol], length 0
00:00:00.100484 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61145 > 74.125.239.115.80: Flags [S], seq 3019819231, win 65535, options [mss 1460,sackOK,eol], length 0

Can anyone tell me whether there is a way to identify which program is sending this traffic to these IP addresses?

Answer 1

There is a program called Little Snitch ($35) that lets you see which traffic comes from which application and selectively allow or deny it. It also lets you block specific services for an application and create different settings profiles (e.g. quickly disable update checks and Spotify when you are tethered to your phone). Expensive for one-off use, but surprisingly useful.

Answer 2

After running lsof -i -n you get a list of the current connections; the first two columns show the process name and the PID.

lsof is a program that lists open files and network sockets. -i means show only network connections, and -n disables host-name resolution.

So you can use it to identify the application:

lsof -i -n | grep 74.125.239

If the first column does not help you identify the application, you can take the PID and search for it in ps aux.
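One way to tie the blocked log lines in the question back to a process, as an added example that is not part of the original answer: each tcpdump-on-pflog0 line carries the local source port (the last dotted number before " > "), and lsof -i -n -P shows which process holds a socket on that port (-P is added to -n so that ports print numerically as well). The script below is POSIX sh. The three pflog lines are taken from the question; the lsof snapshot, the process name "exampled" and PID 4242 are constructed sample data, and the live commands in the comments assume the usual macOS tcpdump and lsof.

```shell
#!/bin/sh
# Added example, not from the original answer: correlate PF "block out" log
# lines (tcpdump-on-pflog0 format, as in the question) with the process that
# owns the local socket, using an "lsof -i -n -P" snapshot.
# -n keeps hosts numeric and -P keeps ports numeric, so the NAME column reads
# "LOCALIP:LOCALPORT->REMOTEIP:REMOTEPORT (STATE)".

# Print the unique local source ports of every "block out" line on stdin.
# The source endpoint is written "A.B.C.D.PORT" just before " > ".
pf_source_ports() {
    sed -n 's/.*block out on [^:]*: \([0-9.]*\)\.\([0-9][0-9]*\) > .*/\2/p' | sort -u
}

# Read an lsof -i -n -P snapshot on stdin and print "COMMAND PID" for every
# socket whose LOCAL endpoint uses port $1. "[^ >]*" cannot cross "->", so a
# remote port with the same number does not match.
lsof_owner_of_port() {
    awk -v port="$1" '
        NR > 1 {
            re = "^[^ >]*:" port "(->|$)"
            for (i = 9; i <= NF; i++)
                if ($i ~ re) print $1, $2
        }'
}

# For each blocked source port in the pflog file $1, look up its owner in the
# lsof snapshot file $2. A port with no socket means the connect attempt has
# already given up (or moved to a fresh port), so take the lsof snapshot while
# the blocks are still being logged.
correlate() {
    pf_source_ports < "$1" | while read -r port; do
        owner=$(lsof_owner_of_port "$port" < "$2")
        if [ -n "$owner" ]; then
            printf '%s %s\n' "$port" "$owner"
        else
            printf '%s (no open socket: already closed or retried from a new port)\n' "$port"
        fi
    done
}

# --- constructed sample input so the script runs offline ---------------------
SAMPLE_PFLOG=$(mktemp)
SAMPLE_LSOF=$(mktemp)
trap 'rm -f "$SAMPLE_PFLOG" "$SAMPLE_LSOF"' EXIT

# Three lines taken from the question's log.
cat > "$SAMPLE_PFLOG" <<'EOF'
00:00:00.210298 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61141 > 74.125.239.46.443: Flags [S], seq 2894619202, win 65535, options [mss 1460,sackOK,eol], length 0
00:00:00.000329 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61142 > 74.125.239.38.443: Flags [S], seq 3844968709, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611114282 ecr 0,sackOK,eol], length 0
00:00:00.401585 rule 1.800.icefloor.5/0(match): block out on en0: 69.181.243.26.61144 > 74.125.239.114.80: Flags [S], seq 1846641104, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 611116878 ecr 0,sackOK,eol], length 0
EOF

# Hypothetical lsof -i -n -P output: "exampled" and PID 4242 are made up.
# Port 61144 deliberately has no socket, to show the "already closed" case.
cat > "$SAMPLE_LSOF" <<'EOF'
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
exampled   4242 alice   7u  IPv4 0x1a2b      0t0  TCP 69.181.243.26:61141->74.125.239.46:443 (SYN_SENT)
exampled   4242 alice   8u  IPv4 0x1a2c      0t0  TCP 69.181.243.26:61142->74.125.239.38:443 (SYN_SENT)
mDNSRespo   123 _mdns   9u  IPv4 0x1a2d      0t0  UDP *:5353
EOF

# Live use on the Mac (both commands need root to see every user's processes):
#   sudo tcpdump -n -e -ttt -i pflog0 > /tmp/pflog.txt &   # capture for a few seconds
#   sudo lsof -i -n -P > /tmp/lsof.txt                     # snapshot while blocks appear
#   correlate /tmp/pflog.txt /tmp/lsof.txt
correlate "$SAMPLE_PFLOG" "$SAMPLE_LSOF"
```

Because PF blocks the outgoing SYN, the connecting socket stays in SYN_SENT and retransmits from the same source port for a while (the repeated seq numbers in the question's log show exactly that), which is the window in which an lsof snapshot will name the process; once the connect times out, the port disappears and a fresh attempt uses a new one.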
