macOS Network Ports – Why macOS Has Many Strange Ports Open and Their Functions


I did an nmap scan for my private IP address

nmap -p- 192.168.1.123

and got the following open ports back:

50323/tcp open  unknown
50334/tcp open  unknown
50641/tcp open  unknown
57621/tcp open  unknown
57650/tcp open  unknown
64448/tcp open  unknown

A more detailed scan of those specific ports also didn't yield much.

nmap -p 64448,57650,57621,50641,50334,50323 -A 192.168.1.123

PORT      STATE SERVICE    VERSION
50323/tcp open  unknown
50334/tcp open  unknown
| fingerprint-strings:
|   NULL:
|_    {"type":"Tier1","version":"1.0"}
50641/tcp open  tcpwrapped
57621/tcp open  unknown
57650/tcp open  tcpwrapped
64448/tcp open  tcpwrapped

I'm fairly confident that I'm not responsible for opening them. They're most likely there because Apple uses them for services.

I wanted to know what they do, so I'd know if I should disable them or not for security purposes. However, googling the port names gave nothing. So, I think we should give a short description about each port and the corresponding service, so that others will be easily able to find this information in the future.

There was no option to answer my own question, so note that I'm working on providing the list right now.

Best Answer

I have compiled a list of all the services and what they do.

Checking it yourself

If you have different ports open and want to check for yourself, you can use

sudo lsof -i :50323 to see the service running on the port 50323.

ps aux | grep rapportd to find out some more information about the service rapportd, like the executable path.

codesign -vvvv -R="anchor apple" /usr/libexec/rapportd to see if the service is correctly signed by Apple. Doesn't apply to programs that aren't made by Apple.

man rapportd to read the documentation about the service

Results

Port 50323:

Service rapportd at /usr/exec/rapportd, signed by Apple. It is a daemon that enables Phone Call Handoff and other communication features between Apple devices.

Port 50334:

This is Spotify, which is a music streaming service. Not installed by default. I think it might be related to Spotify Connect, a service which allows connecting your phone to your computer, and streaming music from your computer to your phone (or any other device which supports it).

Port 50641:

This is IntelliJ IDEA, an integrated development environment for programmers. Not installed by default. Also it's tcpwrapped, meaning you can't actually do anything with it, since it drops the connection whenever you actually try to send it anything (correct me if I'm wrong). I think IDEs usually need a port open for the debugging functionality.

Port 57621:

Also Spotify.

Port 57650:

This is Gradle's daemon. It's a tool programmers use. Not installed by default. Also it's tcpwrapped. Not sure why it needs to be listening on a port. If someone knows, then I'd be curious to know.

Port 64448:

Also Gradle. tcpwrapped.
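
The "Checking it yourself" steps from the answer above, combined into one script as an added example (not part of the original answer): it parses lsof's machine-readable `-F pcn` output, marks each listener as loopback-only or network-reachable (a scan of the LAN address only reaches the latter), and on macOS checks each executable against `anchor apple`. The sample input, its PIDs and the `exampled` process are constructed.

```shell
#!/usr/bin/env bash
# Added example. Sample data below is constructed; PIDs and "exampled" are made up.
TAB=$(printf '\t')

# Constructed `lsof -nP -iTCP -sTCP:LISTEN -F pcn` output (p=PID, c=command, n=address).
sample_lsof() {
  cat <<'EOF'
p412
crapportd
f4
n*:50323
f5
n*:50323
p1023
cSpotify
f83
n*:57621
f90
n*:50334
p3001
cexampled
f7
n[::1]:8021
EOF
}

# stdin: lsof -F pcn output. stdout: port, scope, pid, command (tab-separated, deduplicated).
parse_listeners() {
  awk '
    /^p/ { pid = substr($0, 2); next }
    /^c/ { cmd = substr($0, 2); next }
    /^n/ { addr = substr($0, 2); port = addr; sub(/.*:/, "", port)
           host = substr(addr, 1, length(addr) - length(port) - 1)
           scope = (host == "127.0.0.1" || host == "[::1]") ? "loopback" : "network"
           print port "\t" scope "\t" pid "\t" cmd }' | LC_ALL=C sort -u | LC_ALL=C sort -n
}

# Live report (run with sudo to include other users' daemons): adds signer and executable path.
report() {
  lsof -nP -iTCP -sTCP:LISTEN -F pcn | parse_listeners |
  while IFS="$TAB" read -r port scope pid cmd; do
    exe=$(ps -o comm= -p "$pid")   # on macOS this prints the executable path
    if codesign -v -R="anchor apple" "$exe" 2>/dev/null; then signer=apple; else signer=not-apple; fi
    printf '%s\t%s\t%s\t%s\n' "$port" "$scope" "$signer" "$exe"
  done
}

# Use live data where lsof and codesign exist (macOS); otherwise parse the constructed sample.
if command -v lsof >/dev/null && command -v codesign >/dev/null; then report; else sample_lsof | parse_listeners; fi
```

A listener reported as `network` and `not-apple` is the kind to trace back to an installed application, as the answer did for Spotify, IntelliJ IDEA and Gradle.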