Tags: security, macos, sockets, packet-sniffers, tcpdump

how can I tell what process packets originate from in Mac OS X?


With all applications closed, tcpdump reveals that my Mac is sending packets to a handful of IPs sporadically. They are bursts of packets with no data payload and with unusual TCP sequence numbers (like a covert channel). Is there a way to determine which process is originating these packets from either the command line or programmatically?

Note: I have used ipfw to egress filter the destination IPs, so I am not worried about data exfiltration.


Solution

  • I had the same question, with one exception - my TCP traffic was on lo0 and it was not established, but some process was trying to connect to localhost and some port. My task was to identify who is trying to connect. Little Snitch was useless at that point.

    But I found that nettop is pretty helpful. I found a process in its output constantly changing TCP connection states SynSent/Fin/etc and it was what I was looking for.
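The approach in the question and the answer above, as an added example that is not part of either post: capture nettop's logging output once (for example `nettop -L 1 -n -m tcp > sample.csv`) and then attribute connections to processes programmatically, either by the destination IP seen in tcpdump or by the half-open state (SynSent, FinWait, ...) the answer describes on lo0. The CSV layout below (a process row named `name.pid`, followed by its connection rows of the form `tcp4 local<->remote` with `interface` and `state` columns) is an assumption modelled on `nettop -L`; the sample rows are constructed, use RFC 5737 documentation addresses, and should be checked against `nettop -L 1 -n | head` on the machine in question before the parser is trusted.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample modelled on `nettop -L 1 -n -m tcp` CSV logging output.
# Column layout is an assumption: verify it against a real capture first.
SAMPLE_NETTOP_CSV = """\
time,,interface,state,bytes_in,bytes_out
11:02:17.001,Safari.812,,,1200,340
11:02:17.001,tcp4 192.0.2.10:51234<->198.51.100.7:443,en0,Established,1200,340
11:02:17.001,someagent.4471,,,0,60
11:02:17.001,tcp4 127.0.0.1:52001<->127.0.0.1:8080,lo0,SynSent,0,60
11:02:17.001,tcp4 192.0.2.10:52002<->203.0.113.5:443,en0,SynSent,0,0
11:02:17.001,mDNSResponder.176,,,0,0
11:02:17.001,udp4 *:5353<->*:*,en0,,0,0
"""


@dataclass
class Connection:
    proto: str       # e.g. tcp4, udp4
    local: str       # local endpoint as printed by nettop
    remote: str      # remote endpoint as printed by nettop
    interface: str   # en0, lo0, ...
    state: str       # TCP state, empty for UDP

    @property
    def remote_ip(self) -> str:
        host, _sep, _port = self.remote.rpartition(":")
        return host.strip("[]")


def _cell(row: List[str], idx: int) -> str:
    return row[idx] if idx < len(row) else ""


def parse_nettop_csv(text: str) -> Dict[str, List[Connection]]:
    """Group each connection row under the process row (name.pid) that precedes it."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    col = {name: i for i, name in enumerate(header)}
    by_process: Dict[str, List[Connection]] = {}
    current: Optional[str] = None
    for row in reader:
        name = _cell(row, 1)
        if not name:
            continue
        if "<->" in name:
            if current is None:
                continue  # connection row with no owning process row: skip
            proto, _, endpoints = name.partition(" ")
            local, _, remote = endpoints.partition("<->")
            by_process[current].append(Connection(
                proto=proto, local=local, remote=remote,
                interface=_cell(row, col["interface"]),
                state=_cell(row, col["state"]),
            ))
        else:
            current = name
            by_process.setdefault(current, [])
    return by_process


def find_owners(by_process: Dict[str, List[Connection]],
                ips: Set[str]) -> List[Tuple[str, Connection]]:
    """Processes with a connection to one of the destination IPs seen in tcpdump."""
    return [(proc, c) for proc, conns in by_process.items()
            for c in conns if c.remote_ip in ips]


def find_unestablished(by_process: Dict[str, List[Connection]],
                       interface: Optional[str] = None) -> List[Tuple[str, Connection]]:
    """TCP connections that are not Established (SynSent, FinWait, ...), optionally per interface."""
    return [(proc, c) for proc, conns in by_process.items()
            for c in conns
            if c.state and c.state != "Established"
            and (interface is None or c.interface == interface)]


if __name__ == "__main__":
    by_proc = parse_nettop_csv(SAMPLE_NETTOP_CSV)
    for proc, c in find_owners(by_proc, {"203.0.113.5"}):
        print(f"{proc}: {c.proto} {c.local} -> {c.remote} [{c.state}] on {c.interface}")
    for proc, c in find_unestablished(by_proc, interface="lo0"):
        print(f"{proc}: half-open on lo0, {c.local} -> {c.remote} [{c.state}]")
```

Once the process name and PID are known, `lsof -i -n -P -p <pid>` gives an independent view of the same sockets. Because a short-lived connection can open and close between two nettop samples, capture several samples in a row when the traffic is sporadic, as in the question.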