Listening Ports
Overview
Evidence: Listening Ports
Description: Collect Listening Ports
Category: Network
Platform: macos
Short Name: lport
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Listening ports reveal network services exposed by the macOS host. This data is essential for identifying unauthorized services, backdoors, and network-facing attack surface.
Data Collected
This collector gathers structured data about listening ports.
Listening Ports Data
| Field | Description | Example |
|---|---|---|
| PID | PID | 123 |
| Port | Port | 123 |
| Protocol | Protocol | 123 |
| Family | Family | 123 |
| Address | Address | Example value |
| FileDescriptor | File Descriptor | 123 |
| Socket | Socket | 123 |
| Path | Path | Example value |
Collection Method
This collector queries the listening_ports table via osquery and records results into listening_ports.
Forensic Value
This evidence is crucial for forensic investigations as it correlates processes with ports, enabling detection of rogue services and covert listeners.
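One way to triage rows in this collector's field layout, as an added example that is not part of the product or its documentation: it skips loopback and non-IP rows and reports listeners reachable from the network whose protocol and port are not in an expected baseline. The function names, sample rows and baseline are constructed, and the Protocol field is assumed to hold IANA protocol numbers (6 = TCP, 17 = UDP).

```python
import ipaddress

PROTO_NAMES = {6: "tcp", 17: "udp"}  # assumption: Protocol holds IANA protocol numbers

def exposure(address):
    """Classify a bind address as 'local', 'all-interfaces' or 'specific'."""
    try:
        ip = ipaddress.ip_address((address or "").split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return None  # empty or non-IP value, e.g. a UNIX domain socket row
    if ip.is_loopback:
        return "local"
    return "all-interfaces" if ip.is_unspecified else "specific"

def triage(rows, baseline):
    """Return network-reachable listeners whose (protocol, port) is not in baseline."""
    findings = []
    for row in rows:
        port = int(row["Port"])
        proto = PROTO_NAMES.get(int(row["Protocol"]), str(row["Protocol"]))
        scope = exposure(row["Address"])
        if port == 0 or scope in (None, "local"):
            continue  # not reachable from another host
        if (proto, port) in baseline:
            continue  # expected service for this host role
        findings.append({"pid": int(row["PID"]), "proto": proto, "port": port,
                         "address": row["Address"], "scope": scope})
    return sorted(findings, key=lambda f: (f["port"], f["pid"]))

def make_row(pid, port, protocol, family, address, fd, socket, path=""):
    """Build a row using the field names from the table above."""
    return {"PID": pid, "Port": port, "Protocol": protocol, "Family": family,
            "Address": address, "FileDescriptor": fd, "Socket": socket, "Path": path}

# Constructed sample rows and baseline; not output from a real host.
ROWS = [
    make_row(412, 22, 6, 2, "0.0.0.0", 4, 1001),        # in baseline
    make_row(530, 5353, 17, 2, "0.0.0.0", 7, 1002),     # in baseline
    make_row(902, 631, 6, 2, "127.0.0.1", 5, 1003),     # loopback only
    make_row(1200, 0, 0, 1, "", 3, 1004, "/var/run/example.sock"),  # no IP address
    make_row(7781, 8081, 6, 30, "::", 9, 1005),         # all interfaces, not in baseline
    make_row(6650, 5900, 6, 2, "192.168.1.20", 6, 1006),  # one interface, not in baseline
]
BASELINE = {("tcp", 22), ("udp", 5353)}

if __name__ == "__main__":
    for finding in triage(ROWS, BASELINE):
        print(finding)
```

Each finding keeps the PID so it can be matched against the process evidence collected from the same host.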