I do not have much experience with Unix sockets, but I hope this is the place to start. I want to start with understanding what is going on with a netstat -n command. Is it normal behavior to have around 400 streams upon no software installation above and beyond the OS? And then another 400 dgram entries both under Active LOCAL (UNIX) domain sockets? [Below is a snippet where they extend for hundreds of entries.]

Address          Type   Recv-Q Send-Q            Inode             Conn             
394b9c495bcd4b89 stream      0      0                0 193ac72f0b316ba8  

aad1111fff32de43 dgram       0      0                0 5210cf1c5b5255bf                0 6a8b66dc8ed275ec

Immediately following the above output we get into Active Kernel Event Sockets. Again, this is "Active", but is it typical upon a fresh install? The Kernel Sockets extend for about 500 entries using processes such as netsrc, utun_control, and netagent.

Registered kernel control modules
id       flags    pcbcount rcvbuf   sndbuf   name 
       1        5        0     8192    32768 com.apple.network.tcp_ccdebug 
       2       28        1     8192   131072 com.apple.flow-divert 
       3        1       49    65536    65536 com.apple.net.netagent 
       4        9        0   524288   524288 com.apple.content-filter 
       5       29        5   524288   524288 com.apple.net.utun_control 
       6       21        0    65536    65536 com.apple.net.ipsec_control 
       7        0       66     8192     2048 com.apple.netsrc 
       8       18        3     8192     2048 com.apple.network.statistics 
       9        1        0     8192     2048 com.apple.network.advisory 
       a        1        0    65536    65536 com.apple.net.rvi_control 
       b        1        1    16384     2048 com.apple.nke.sockwall 
       c        4        0    65536     2048 com.apple.spmi.nfc 
Active kernel event sockets
Proto Recv-Q Send-Q vendor  class  subcl
kevt       0      0      1      1      9
kevt       0      0      1      1     10
kevt       0      0   1001      5     11
kevt       0      0      1      1      9
kevt       0      0      1      1      2
kevt       0      0      1      1      9
kevt       0      0      1      6      1
kevt       0      0      1      1      6
kevt       0      0      1      1      1
kevt       0      0      1      1      7
kevt       0      0      1      1      1
kevt       0      0      1      1      2
kevt       0      0      1      1      2
kevt       0      0      1      1      2
kevt       0      0      1      1      0
kevt       0      0      1      3      3
Active kernel control sockets
Proto Recv-Q Send-Q   unit     id name
kctl       0      0      1      2 com.apple.flow-divert
kctl       0      0      1      3 com.apple.net.netagent
kctl       0      0      2      3 com.apple.net.netagent
kctl       0      0      3      3 com.apple.net.netagent
kctl       0      0      4      3 com.apple.net.netagent
kctl       0      0      5      3 com.apple.net.netagent
kctl       0      0      6      3 com.apple.net.netagent
kctl       0      0      7      3 com.apple.net.netagent
kctl       0      0      8      3 com.apple.net.netagent
kctl       0      0      9      3 com.apple.net.netagent
kctl       0      0     10      3 com.apple.net.netagent
kctl       0      0     11      3 com.apple.net.netagent
kctl       0      0     12      3 com.apple.net.netagent
kctl       0      0     13      3 com.apple.net.netagent
kctl       0      0     14      3 com.apple.net.netagent
kctl       0      0     15      3 com.apple.net.netagent
kctl       0      0     16      3 com.apple.net.netagent
kctl       0      0     17      3 com.apple.net.netagent
kctl       0      0     18      3 com.apple.net.netagent
kctl

I don't have any baseline to compare this to, hence I am hoping someone can shed some insight. Most have not been much help in answering this, although one unauthoritative source posed the question of boot malware. But that is impossible.
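Since the question is really about having a baseline, here is an added example (not from the post) that turns the three netstat sections shown above into per-type counts and reports what changed against a saved snapshot. The sample text is constructed in the layout of the post's columns; only a few rows per section are included.

```python
import collections

# Constructed sample in the layout of the post's `netstat -n` output
# (a few rows per section, not the full listing).
SAMPLE = """\
Active LOCAL (UNIX) domain sockets
Address          Type   Recv-Q Send-Q            Inode             Conn
394b9c495bcd4b89 stream      0      0                0 193ac72f0b316ba8
394b9c495bcd4b8a stream      0      0                0 193ac72f0b316ba9
aad1111fff32de43 dgram       0      0                0 5210cf1c5b5255bf
Active kernel event sockets
Proto Recv-Q Send-Q vendor  class  subcl
kevt       0      0      1      1      9
kevt       0      0      1      1      9
kevt       0      0   1001      5     11
Active kernel control sockets
Proto Recv-Q Send-Q   unit     id name
kctl       0      0      1      2 com.apple.flow-divert
kctl       0      0      1      3 com.apple.net.netagent
kctl       0      0      2      3 com.apple.net.netagent
"""


def summarize(netstat_text):
    """Count rows per (section, key): unix sockets by Type, kernel event
    sockets by vendor/class/subcl, kernel control sockets by name.
    Header and section-title lines match no branch and are skipped."""
    counts = collections.Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 2:
            continue
        if f[0] == "kctl" and len(f) >= 6:
            counts[("kctl", f[5])] += 1
        elif f[0] == "kevt" and len(f) >= 6:
            counts[("kevt", "/".join(f[3:6]))] += 1
        elif f[1] in ("stream", "dgram"):
            counts[("unix", f[1])] += 1
    return counts


def diff_against_baseline(baseline, current, growth=0.25):
    """Return {key: (baseline_n, current_n)} for keys that are new or whose
    count grew by more than `growth` (25% by default). A raw total of ~400
    says little; a new kctl name or a jump in one type is what merits a look."""
    findings = {}
    for key, n in current.items():
        b = baseline.get(key, 0)
        if b == 0 or n > b * (1 + growth):
            findings[key] = (b, n)
    return findings
```

Save `summarize(open("netstat-fresh-install.txt").read())` right after installation, then run `diff_against_baseline` against a later capture.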

  • Even the blank OS is a pretty complex beast. Communication between the processes making up this system is pretty normal - and this is what you basically observe in the form of UNIX domain sockets. Commented Jun 3 at 6:21

1 Answer


Is it normal behavior to have around 400 streams upon no software installation above and beyond the OS?

I would say it's normal behavior.

You're on macOS, and that has a lot of software that is already part of the OS. It is not a monolithic system like pre-Unix Mac OS used to be – it's built out of many smaller components that need to communicate with each other, using some IPC mechanism or another. Just the graphical interface (desktop environment) alone may contribute to a good chunk of that.

If you were to compare it with Linux, for example, it would be as if you installed not just "the OS" but also the entirety of GNOME or KDE, in which e.g. the desktop is one process, the taskbar [main menu bar] is another process, the "Wi-Fi status" widget is a third process, each of them needing to communicate with the graphics display server (fourth process), maybe the sound server or the network management server (fifth, etc), the DNS resolver service (…), and so on. Not all of it goes through Unix sockets – I believe macOS uses Mach IPC for a lot of things – but even then, it will add up.

Keep in mind that client connections also are sockets – and a "stream" connection produces one on each end. If a single service is listening on a single "Unix socket" as you think of it, but has 20 clients connected, that's actually 21 or even 41 (1 + 2×20) sockets total. (The same also goes for TCP and any other kind of socket, including the truly-macOS-specific types.)

(As an example, my GNOME desktop on Linux, running two apps – a web browser and a terminal app – has ~1200 Unix sockets and quite the amount of background processes that each do very small things. The sheer amount of things running underneath is sometimes uncomfortable, but for at least 80% of them I can describe the exact purpose.

This is in contrast to Windows, which is also not as monolithic as it used to be, but – for example – its Explorer.exe used to be responsible for maybe 30 different things all in a single process.

The IPC model on Windows is also a bit different; it has named pipes that are a near-equivalent of Unix sockets, but the big difference is that because they're not actual sockets, they won't show up in netstat; you have to use a different tool such as WinObj to see named pipes… and there's just as many of them.)
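To make the 1 + 2×N count from the answer concrete, here is an added example (not the answerer's code) that binds one AF_UNIX stream listener at a hypothetical `svc.sock` path, connects N clients, and counts the endpoints that a tool like netstat lists one row each.

```python
import os
import socket
import tempfile


def count_unix_socket_endpoints(n_clients: int) -> dict:
    """Bind one AF_UNIX stream listener (hypothetical 'svc.sock'), connect
    n_clients clients, and count the endpoints that exist while they are
    connected: 1 listener + n_clients accepted server-side sockets
    + n_clients client sockets, i.e. 1 + 2*n_clients."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "svc.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(max(n_clients, 1))
    clients, accepted = [], []
    try:
        for i in range(n_clients):
            c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            c.connect(path)
            a, _ = listener.accept()
            clients.append(c)
            accepted.append(a)
            # Both ends are real, distinct endpoints: a message written on
            # the client side is readable only on its own accepted peer.
            c.sendall(b"ping %d" % i)
            assert a.recv(64) == b"ping %d" % i
        # One file descriptor per endpoint; netstat's Address/Inode column
        # likewise shows one row per endpoint, not one per connection.
        fds = {s.fileno() for s in [listener] + accepted + clients}
        return {
            "listener": 1,
            "server_side": len(accepted),
            "client_side": len(clients),
            "total": len(fds),
        }
    finally:
        for s in clients + accepted + [listener]:
            s.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    # One service with 20 clients accounts for 41 rows on its own.
    print(count_unix_socket_endpoints(20))
```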
