diff --git a/libmproxy/platform/osx.py b/libmproxy/platform/osx.py
index 1a474e946..dda5d9afc 100644
--- a/libmproxy/platform/osx.py
+++ b/libmproxy/platform/osx.py
@@ -1,16 +1,16 @@
 import subprocess
-import lsof
+import pf
 
 """
     Doing this the "right" way by using DIOCNATLOOK on the pf device turns out
     to be a pain. Apple has made a number of modifications to the data
     structures returned, and compiling userspace tools to test and work with
-    this turns out to be a pain in the ass. Parsing lsof output is short,
+    this turns out to be a pain in the ass. Parsing pfctl output is short,
     simple, and works.
 """
 
 class Resolver:
-    STATECMD = ("sudo", "-n", "/usr/sbin/lsof", "-n", "-P", "-i", "TCP")
+    STATECMD = ("sudo", "-n", "/sbin/pfctl", "-s", "state")
     def __init__(self):
         pass
 
@@ -20,4 +20,4 @@ class Resolver:
             stxt = subprocess.check_output(self.STATECMD, stderr=subprocess.STDOUT)
         except subprocess.CalledProcessError:
             return None
-        return lsof.lookup(peer[0], peer[1], stxt)
+        return pf.lookup(peer[0], peer[1], stxt)
diff --git a/libmproxy/platform/lsof.py b/libmproxy/platform/pf.py
similarity index 68%
rename from libmproxy/platform/lsof.py
rename to libmproxy/platform/pf.py
index 25c0e33f4..062d33113 100644
--- a/libmproxy/platform/lsof.py
+++ b/libmproxy/platform/pf.py
@@ -1,4 +1,3 @@
-import re
 
 def lookup(address, port, s):
     """
@@ -9,9 +8,9 @@ def lookup(address, port, s):
     """
     spec = "%s:%s"%(address, port)
     for i in s.split("\n"):
-        if "ESTABLISHED" in i and spec in i:
-            m = re.match(".* (\S*)->%s" % spec, i)
-            if m:
-                s = m.group(1).split(":")
+        if "ESTABLISHED:ESTABLISHED" in i and spec in i:
+            s = i.split()
+            if len(s) > 4:
+                s = s[4].split(":")
                 if len(s) == 2:
                     return s[0], int(s[1])