I tried a Chrome extension I ran into on reddit. It runs mitm proxy behind the screen. Then at an occasion, I had to run a proxy for my work purposes, but I found port 8080 is already taken. It turned out tamper keep mitm proxy running even when it’s disabled (not the extension but through the switch given in tamper). This is how I found out which application was using port 8080.

Use lsof

lsof can be used to check which process owns a particular port

lsof -S -i <protocol>:<port> tells which process has the port assigned to it

For example,For example,

lsof -i TCP:8080 -S

Running above command shows output like this:

Python 15125 channi 3u IPv4 0xb1b0493c89f7e78f 0t0 TCP *:http-alt (LISTEN)

Now in next step we can use ps to identify how the Python process with pid 15125 was started

Use ps

ps can be used to know the command with which the process was executed

From the lsof command we got the pid of the process which owns port 8080. Now we want to know how that process was started so we can have a better idea about the intention of the process.

On Mac OS, we use ps -A | grep 15125 for getting that, same command on Linux is ps -aux | grep 15125 . 15125 is the pid of the process we got in previous step using lsof

Using ps -A | grep 15125 give us this output on OS X:

1 2 15125 ?? 0:59.99 /usr/local/Cellar/python/2.7.8_1/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python /usr/local/bin/tamper.py chrome-extension://mabhojhgigkmnkppkncbkblecnnanfmd/ 25777 ttys002 0:00.00 grep 15125

So now we see the process is started by tamper.py python script which is using Tamper chrome extension.

Tamper is a chrome extension that uses mitm proxy to allow us tamper HTTP(S) requests. So this is not apparently a security breach.