Log network traffic with process ID on Mac OS X?

While nettop is nice for viewing a snapshot of current connections, you can also use tcpdump to collect the data together with process information. With tcpdump, use the -k option to display metadata for the captured traffic.

   -k     Control the display of packet metadata via an optional metadata_arg argument. This is useful when displaying packet saved
          in the pcap-ng file format or with interfaces that support the PKTAP data link type.

          By default, when the metadata_arg optional argument is not  specified,  any  available  packet  metadata  information  is
          printed out.

          The  metadata_arg  argument  controls  the  display of specific packet metadata information using a flag word, where each
          character corresponds to a type of packet metadata as follows:

                 I     interface name (or interface ID)
                 N     process name
                 P     process ID
                 S     service class
                 D     direction
                 C     comment

          This is an Apple modification.

So, for example, to display the process ID and process name, you can do this:

tcpdump -k NP

I recently had this problem too. One approach you can potentially take is to use both tcpdump and nettop in parallel (each, side by side, in their own terminal shells), and visually observe as the network traffic manifests.

For example, my firewall recently caught suspicious-looking network traffic coming out of my Mac's Ethernet, on a private subnet which I did not recognize and on a port (TCP 7000) which looked unusual. In one terminal shell I ran:

$ sudo tcpdump port 7000

and in the other terminal shell I ran:

$ sudo nettop -m tcp

When the network traffic showed up via tcpdump, it was also added to the nettop output nearly instantly, which indicated it was Apple's AirPlay helper daemon running with process ID (PID) 87 in this example:

AirPlayXPCHelpe.87

This may not necessarily be practical for observing all situations where you're trying to catch something on your network which looks anomalous, but as a starting point it may be worth trying vs. writing a probably more complex DTrace script.
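A follow-up to the nettop label shown in the answer above, as an added example that is not part of either answer: it splits a label such as `AirPlayXPCHelpe.87` into name and PID, then checks with `ps -p PID -o comm=` that the PID still belongs to an executable whose name starts with that label. The function names are hypothetical, and the `NAME.PID` label layout (with a possibly shortened name) is assumed from the single label shown on this page.

```shell
#!/bin/sh
# Added example: map a nettop label such as "AirPlayXPCHelpe.87" to its PID
# and check which executable owns that PID right now.
# Assumption: labels are NAME.PID, and NAME may be cut short by nettop.

# Print the PID (digits after the last dot); fail if the label has none.
label_pid() {
    pid=${1##*.}
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" != "$1" ] || return 1   # no dot at all: not a NAME.PID label
    printf '%s\n' "$pid"
}

# Print the name part; names may contain dots (com.apple.WebKi.4321).
label_name() {
    label_pid "$1" >/dev/null || return 1
    printf '%s\n' "${1%.*}"
}

# Succeed if the basename of executable path $2 starts with label name $1.
name_matches() {
    base=${2##*/}
    case $base in
        "$1"*) return 0 ;;
    esac
    return 1
}

# Print "PID<TAB>executable", or fail if the PID is gone or was reused.
resolve_label() {
    pid=$(label_pid "$1") || { echo "not a NAME.PID label: $1" >&2; return 2; }
    name=$(label_name "$1")
    exe=$(ps -p "$pid" -o comm= 2>/dev/null) || exe=
    [ -n "$exe" ] || { echo "pid $pid is no longer running" >&2; return 1; }
    name_matches "$name" "$exe" ||
        { echo "pid $pid is now $exe, not $name" >&2; return 1; }
    printf '%s\t%s\n' "$pid" "$exe"
}

# Resolve every label given on the command line, e.g. AirPlayXPCHelpe.87
for label in "$@"; do
    resolve_label "$label" || true
done
```

Run it as soon as the label appears in nettop: a short-lived process can exit, and its PID can be reassigned, before `ps` is called, which is the case the name check guards against.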