What the Bleep is my Mac doing?

In my new office setup my network router is now within eyesight of my desk, and even when I just have my iMac running, I can see the lights on the router constantly flickering, including the incoming and outgoing traffic lights. When I see this, I wonder, "What the Bleep is my Mac doing?" What is it downloading, or uploading?

I started to think about a series of scripts I could write to figure this out, including running the ps, netstat, and lsof commands frequently to give me some idea of what this network traffic is all about, but I knew the information I gathered that way would always what was happening, and because the netstat and lsof commands can also hang for a little while, I knew I'd also miss some port connections and incoming and outgoing network traffic in between runs of the commands.

So, rather than waste time writing these scripts, I dug around the internet for a while and finally found a tool I like, a Mac software program named Little Snitch.

Little Snitch

Little Snitch analyzes outgoing and incoming Mac network traffic on the fly, which seems to be what I really wanted to know: Why are those traffic lights on my router blinking all the time? Here's a description of Little Snitch from their website:

Little Snitch informs you whenever a program attempts to establish an outgoing Internet connection. You can then choose to allow or deny this connection, or define a rule how to handle similar, future connection attempts. This reliably prevents private data from being sent out without your knowledge. Little Snitch runs inconspicuously in the background and it can also detect network related activity of viruses, trojans and other malware.

Watching your Mac network traffic

Little Snitch does some pretty low-level networking work, so I wasn't surprised when it said I'd have to reboot my Mac during the installation process. After the installation I ran Little Snitch for several hours, and so far it's pretty addictive. I've started all sorts of applications, including Chrome, Firefox, iTunes, Eclipse, and many others, and it's interesting to see what they all do. Here's just a short list of network traffic I've seen:

  • Most applications "phone home" when you start them, presumably looking for updates.
  • Web applications like Gmail constantly put out little pings, and also put out more traffic when their tab gains focus.
  • The Mac Dropbox client is constantly making connection attempts.
  • The GoogleUpdater fires up from time to time.
  • Several other processes send out network traffic using Mac processes like smblookup, dbfseventsd, mds, and a big one, mDNSResponder.
  • iTunes spawns off an amazing number of connections, including connections to a website named edgesuite.net, which as it turns out, is part of the Akamai service. (It still freaks me out that iTunes connects to a domain named comments.wired.com.edgesuite.net; what does iTunes have to do with wired.com?)
  • I've seen my iPhone call back to my iMac. That's when I realized I hadn't even considered my iPhone to be another possible cause of those network router/firewall lights lighting up.

I'm not sure I'd want to see this all the time, but in the short term it has been funny to be working along, when all of a sudden a window like this one pops up telling you that a Google Update program is trying to access the internet:

Little Snitch window - 1

I'll say this about Little Snitch -- if you want to see the network traffic going in and out of your Mac, it does what it says. Watching the lights in the Little Snitch monitor window is addictive; even as I write this article, the monitor window keeps lighting up, and I keep looking over there to see what apps or processes are hitting the network. Here's what the monitor window looks like (if you elect to leave it open):

Little Snitch window - 2

What the Bleep is my Mac doing - the results

Getting back to why I started this all ... thanks to Little Snitch, I can say that in the end it looks like all the traffic that is going out of my Mac is "normal", but it is very interesting to see everything going in and out.

Little Snitch price

Little Snitch is currently priced at $29.95. While I like it so far, I'm not sure it's worth this price. It seems very nice to run once for an initial extended length of time like this, but will I still want it running tomorrow?

In an interesting strategy, Little Snitch times out after three hours, but then you can manually start it running again, and apparently you can do this forever. I'd rather have something like a three-day trial period where the software expires after that, but this is an interesting approach.

Unfortunately I think $29.95 price tag is too high ... if it was priced much lower I'd probably buy it right now ... at $9.95 I'd definitely buy it, and at $14.95 I might buy it ... but at $29.95 I'll just think, well, that was fun and informative, but it's time to get back to work, and I'll uninstall it and move on.

As one last note on the pricing, I was hoping for a lot of relief if I bought some sort of "family pack" of Little Snitch licenses, but five licenses are still over $100, and at this point that seems too high for a program I'm not sure that I'll keep.

In summary, if you want to learn what your Mac is doing, particularly when it comes to incoming and outgoing network traffic, I do recommend taking Little Snitch out for a test run. You'll be amazed at what your applications are doing without your knowledge.