I found that there are 5 utun interfaces on my Mac when I ran the ifconfig command in the terminal. But why?
Some relevant information I saw:
Utun is a virtual interface created by an application on macOS endpoints to interact with the system. utun is a virtual network interface used to establish secure tunneling connections and is widely used in applications such as VPNs. The numbers indicate the number of the different utun interfaces created.
Utun is a user-level tunnel interface. These interfaces are typically used to create VPN connections or other types of network tunnels.
(References: https://discussions.apple.com/thread/255645034, https://blog.csdn.net/wj617906617/article/details/143323145, https://blog.csdn.net/Soul_Programmer_Swh/article/details/132183326)
Excerpt:
utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
inet6 fe80::9d4d:9dda:8bb0:7aec%utun4 prefixlen 64 scopeid 0x13
nd6 options=201<PERFORMNUD,DAD>
The inet6 fe80::9d4d:9dda:8bb0:7aec%utun4 prefixlen 64 scopeid 0x13 above is the IPv6 link-local address of this interface, which is used to communicate in the local network. nd6 options=201<PERFORMNUD,DAD> are some of the options for IPv6. (https://blog.csdn.net/wj617906617/article/details/143323145)
Then I started my analysis with the utun4 interface. Huorong Sword showed identityservicesd.app is using the IPv6 link-local address above.
Next, I blocked identityservicesd in LuLu. After running ifconfig, two new utun interfaces appeared: utun6 and utun7. I then ran log show --last 2h --predicate 'eventMessage contains "utun"' --info:
identityservicesd: (NetworkExtension) [com.apple.networkextension:] Created a new NEVirtualInterface "utun6" (85B12F7F-...5-70D277FDE142)
This clearly shows that identityservicesd created the utun6 interface. identityservicesd also created the utun7 interface:
identityservicesd: (NetworkExtension) [com.apple.networkextension:] Created a new NEVirtualInterface "utun7" (D1B03D14-...595BB988)
Since I blocked its outgoing connection, the error messages keep appearing repeatedly in the logs every few seconds.
identityservicesd: [com.apple.Transport:UTun-oversized]
legacy control channel connect ready {socket:9},
socket error: 9 (Bad file descriptor)
Or, the easier method: run sudo lsof | grep utun, and I can also see: identitys. The above method is more about finding out who created the new interfaces.
Therefore, we can confirm that it is indeed identityservicesd creating and using some of the utun interfaces, eliminating the risk of malware. However, my remaining question is: What are the other utun interfaces used for, and why are they being created? Because most sources indicate that utun interfaces are related to VPN services.
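The ifconfig listing and the "Created a new NEVirtualInterface" log lines can be joined so that every utun interface is either tied to the process that logged its creation or flagged as still unexplained. This is an added example, not part of the original post; the function names and the sample data (including the utun6/utun7 flags and the placeholder UUIDs) are constructed, and it assumes process names contain no spaces.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, shaped like the page's excerpts.
SAMPLE_IFCONFIG='utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::9d4d:9dda:8bb0:7aec%utun4 prefixlen 64 scopeid 0x13
utun6: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
utun7: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380'
SAMPLE_LOG='identityservicesd: (NetworkExtension) [com.apple.networkextension:] Created a new NEVirtualInterface "utun6" (SAMPLE-UUID-1)
identityservicesd: (NetworkExtension) [com.apple.networkextension:] Created a new NEVirtualInterface "utun7" (SAMPLE-UUID-2)'

# stdin: log lines. stdout: "<interface> <process>", one line per interface.
# Any columns before the process name (timestamp, thread, ...) are skipped.
# If an interface name is logged more than once, the last line read wins.
utun_creators() {
    sed -nE 's/^(.*[[:space:]])?([^[:space:]:]+): \(NetworkExtension\).*Created a new NEVirtualInterface "(utun[0-9]+)".*/\3 \2/p' |
        awk '{ c[$1] = $2 } END { for (k in c) print k, c[k] }'
}

# stdin: ifconfig output. stdout: utun interface names in the order listed.
utun_interfaces() {
    sed -nE 's/^(utun[0-9]+): flags=.*/\1/p'
}

# $1 = ifconfig text, $2 = log text.
# stdout: "<interface> <creating process>" or "<interface> unattributed".
attribute_utun() {
    creators=$(printf '%s\n' "$2" | utun_creators)
    printf '%s\n' "$1" | utun_interfaces | while read -r ifname; do
        owner=$(printf '%s\n' "$creators" |
            awk -v i="$ifname" '$1 == i { print $2; exit }')
        printf '%s %s\n' "$ifname" "${owner:-unattributed}"
    done
}

attribute_utun "$SAMPLE_IFCONFIG" "$SAMPLE_LOG"
```

On a Mac, pass "$(ifconfig)" and the output of the log show command above as the two arguments. An interface created before the log window began is reported as unattributed and needs a wider window or the lsof check.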
More references are as follows:
https://cloud.tencent.com/developer/ask/sof/104984656
https://apple.stackexchange.com/questions/427100/how-to-find-out-which-applications-are-creating-utun-interfaces