How to Monitor Network Traffic On an OS X Mac

nettop is a command-line program that displays updated information about network traffic. In this article we will cover how to run nettop, how to read its output, and how to format that output.

This article is intended for the Mac user who wants to learn more about which applications are accessing the network, what state each connection is in, and how much traffic is involved. The reader can be at a beginning or intermediate level of computer knowledge and skills. Running the command is easy; reading the output needs a little more in-depth explanation.

So let’s run nettop. In the Finder, choose Go -> Utilities and open Terminal. After Terminal opens, type nettop on the command line and hit return. If you do this while your computer is connected to the network, Terminal will fill with information about your network sockets.1

(Pressing q quits nettop.)

Now, let’s look closer at one of the entries. If you have Google Chrome open, nettop will show you columnated information similar to the lines below (here we’re presenting just the first few columns):

                                                   interface   state
Google Chrome.7523
  tcp4 10.145.45.62:56291<->bibble.babble.com:443   en1   Established

Here are labels for these entries:

                                                                 networkInterface   connection_state
NetworkApp.processID
  transportProtocol+IP_version local_host:port<->remote_host:port   networkInterface   connection_state

In line one of the sample entry are nettop's column headings. interface refers to the network interface the socket is using: lo0 is the loopback interface, en0, en1 and so on are Ethernet-style interfaces (wired or WiFi), and fw0 is FireWire. Which en interface is WiFi and which is wired depends on the Mac model: on many Macs en0 is the wired port and en1 is WiFi, but on models with no built-in Ethernet port en0 is the WiFi adapter. To check your own machine, run networksetup -listallhardwareports in Terminal, which prints each hardware port next to its device name. In this sample the interface is a WiFi transceiver. state refers to the state of the TCP connection between the two sockets: Listen means a server is waiting for connections on a port, TimeWait means the connection was recently closed, and Established, as in this sample, means the connection is active. UDP sockets have no connection state, so that column is blank for them.

Line two begins with the name of the network application (Google Chrome), separated by a period from the process ID (which in the example is 7523).2

Line three shows one network socket listed for the application. tcp4 means “Transmission Control Protocol over Internet Protocol version 4”.3, 4 That is followed by the localhost’s IP address [colon] port number <-> remote host’s IP address or name [colon] port number5, the network interface (which in the example is en1), and a connection state of Established.

You might also notice many lines that use the transport protocol identifier udp4. UDP is connectionless: there is no handshake, and each datagram is sent without any acknowledgment that it arrived and without any guarantee of order. TCP, by contrast, sets up a connection so that both ends know about each other and retransmits anything that is lost. That is also why the udp4 lines carry no connection state.

You probably noticed many socket entries that looked like these:

airportd.56
  udp4 *:*<->*:*
  udp4 *:*<->*:*

The fields for localhost:port and remote_host:port have asterisks in them. The asterisks are wildcards meaning “not set”. A socket showing *:*<->*:* has been created by the process (here airportd) but has not yet been bound to a local address and port, nor connected to a remote one, so it cannot receive anything yet; the entry simply records that the process is holding an open socket. This is normal for system daemons that keep a socket ready and bind it when they need it. The entries that deserve a closer look are the ones with a concrete local port and a wildcard remote end, like the next example.

The last example of nettop entries I'd like to consider is this one:

ntpd.283
  udp4 10.145.45.62:123<->*:*

In this socket the localhost has an IPv4 address with port number 123, the port for NTP (Network Time Protocol), which synchronizes clocks over the Internet. The wildcards on the remote side mean that ntpd has bound the socket to local port 123 and will accept datagrams from any remote address and any port. A socket with a concrete local port and a wildcard remote end is one that takes unsolicited traffic from the network, so when you look over a Mac these are the entries to account for: each should belong to a service you expect to be reachable, and a service that is only needed by programs on the same machine should be bound to the loopback address (127.0.0.1) rather than to the machine's network address.

The next columns in entries for the network apps and their sockets show bytes in and bytes out (since the app was launched). Returning to our example network app, Google Chrome, nettop might display something like this:

        interface   state   bytes in   bytes out
Google Chrome.7523               11 MiB   1754 KiB
  tcp4 10.145.45.62:54027<->bibble.babble.com:80   en1   Established   27 KiB   62 KiB
  tcp4 10.145.45.62:54009<->www2.twitter.com:443   en1   Established   434 KiB   6954 B

bytes in and bytes out for a socket shows how much traffic has come in and gone out for that socket, while bytes in and bytes out for the network app shows the total traffic for all the sockets belonging to that app.

While nettop shows more columns than these, these columns cover the basics.
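The endpoint reading described above (a fixed local port with a wildcard remote end accepts unsolicited traffic; *:*<->*:* is an unbound socket; anything else is a connection) can be made mechanical. The script below is an added example written for this article, not code from the article's author or from nettop: it parses nettop's expanded text layout with awk, labels every socket as connected, accepting or unbound, and then filters down to the accepting sockets that are not bound to loopback. The sample input is constructed from the entries shown in this article plus one made-up loopback listener (cupsd on 127.0.0.1:631) so that the loopback filter has something to drop; the -n and -l flags mentioned in the comments are nettop's own options for disabling name lookups and taking a fixed number of samples, and the bracketed IPv6 loopback form ([::1]:port) is an assumption about how nettop prints it.

```shell
#!/bin/sh
# Added example, not part of the original article: classify the sockets in a
# nettop listing by their local<->remote endpoints, so that sockets accepting
# unsolicited traffic stand out from established connections and from sockets
# a process has created but not yet bound.
#
# Input is nettop's expanded text layout, pasted from an interactive session or
# captured once with `nettop -n -l 1` (-n disables name lookups so peers appear
# as raw addresses, -l 1 prints a single sample; confirm both in `man nettop`).

# Read nettop output on stdin, print one tab-separated line per socket:
#   class  app.pid  proto  local  remote  state
classify_nettop() {
    awk '
    NF == 0 { next }                       # blank lines carry nothing

    # Socket lines begin with the transport protocol and IP version.
    $1 ~ /^(tcp|udp)[46]$/ {
        n = split($2, ep, "<->")
        local = ep[1]
        remote = (n > 1) ? ep[2] : "?"
        # Interface and state are printed only for sockets that have them; a
        # capitalised word in field 4 (Established, Listen, TimeWait ...) is the state.
        state = ($4 ~ /^[A-Z][A-Za-z0-9]*$/) ? $4 : "-"
        if (local == "*:*")       cls = "unbound"    # created, bound to nothing yet
        else if (remote == "*:*") cls = "accepting"  # bound locally, any peer may send
        else                      cls = "connected"  # both ends fixed
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", cls, app, $1, local, remote, state
        next
    }

    # Any other line holding a ".<pid>" token is an app header such as
    # "Google Chrome.7523  11 MiB  1754 KiB"; the name may contain spaces, so
    # join the fields up to and including the one that ends in the PID.
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /\.[0-9]+$/) {
                app = $1
                for (j = 2; j <= i; j++) app = app " " $j
                break
            }
        }
    }'
}

# Keep only sockets that accept traffic from the network, dropping loopback
# binds (127.x.x.x, localhost, ::1; the bracketed IPv6 form is an assumption).
# Prints: app.pid  proto  local
exposed_sockets() {
    classify_nettop | awk -F '\t' '
        $1 == "accepting" && $4 !~ /^(127\.|localhost:|\[::1\]:|::1:)/ {
            printf "%s\t%s\t%s\n", $2, $3, $4
        }'
}

# Constructed sample in the layout shown in the article (not a real capture);
# the cupsd line is invented to exercise the loopback filter.
SAMPLE_NETTOP='        interface   state   bytes in   bytes out
Google Chrome.7523               11 MiB   1754 KiB
  tcp4 10.145.45.62:54027<->bibble.babble.com:80   en1   Established   27 KiB   62 KiB
  tcp4 10.145.45.62:54009<->www2.twitter.com:443   en1   Established   434 KiB   6954 B
airportd.56
  udp4 *:*<->*:*
  udp4 *:*<->*:*
ntpd.283
  udp4 10.145.45.62:123<->*:*
cupsd.312
  tcp4 127.0.0.1:631<->*:*   lo0   Listen'

# Run both filters over the constructed sample.
demo_classify() {
    printf '%s\n' "$SAMPLE_NETTOP" | classify_nettop
    echo '--- exposed (accepting, not loopback) ---'
    printf '%s\n' "$SAMPLE_NETTOP" | exposed_sockets
}
case "${1:-}" in --demo) demo_classify ;; esac
```

Running the file with --demo prints six classified lines for the sample and a single exposed entry, ntpd on 10.145.45.62:123; the Chrome sockets are connected, the airportd sockets are unbound, and the cupsd listener is dropped because it is bound to 127.0.0.1. On a Mac you can source the file and pipe a real capture through it with nettop -n -l 1 | classify_nettop, which is a quick way to list what is reachable before deciding whether each accepting socket should be there.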

In the final part of this how-to, we will look briefly at formatting options. While nettop is running, pressing p toggles the traffic numbers between raw bytes and human-readable units (KiB is 1024 bytes and MiB is 1024 KiB; these are binary units, slightly larger than the decimal kilobyte and megabyte). Pressing d switches between cumulative totals and per-interval deltas, which makes it easier to see what is transferring right now. Pressing c collapses the display, showing only the network apps (and not their sockets), while pressing e expands the display to show sockets. Pressing q quits nettop.

You may want to see only TCP traffic. In this case, on the command line type nettop -m tcp (nettop -m udp does the same for UDP). If you want to see the routing table6 instead of the sockets, type nettop -m route. To watch a single program, give its process name or PID with -p, for example nettop -p ntpd. To take one snapshot instead of a continuously updating display, for instance to save the output to a file or pipe it into another command, use nettop -l 1.

If you are interested in learning more about nettop, please refer to the man page: on the command line type man nettop. If you are interested in learning more about the computer networking concepts mentioned in this article, please search for the concept or refer to the Wikipedia articles on them. The Wikipedia pages for this article's key terms are included as hyperlinks in the endnotes below.

_________________________________________________________

1 A network socket is one end-point in a two-way communication between two programs on a network; for example, between a web server and your web browser.

https://en.wikipedia.org/wiki/Network_socket

2 Every process has a unique identifier called “the process identifier” or PID.

https://en.wikipedia.org/wiki/Process_identifier

3 TCP is a transport protocol that was designed to ensure the integrity of information sent over the network. It provides for error-checking of data segments, retransmission of anything lost, and reassembly in the correct order at the receiving computer. Web traffic and file downloads use TCP. Information that doesn't need such guarantees is usually sent by another transport protocol called UDP; DNS lookups, NTP, and many real-time voice and video protocols use UDP.

https://en.wikipedia.org/wiki/Transport_layer

4 Internet Protocol (IP) is the principal communications protocol used on the Internet. The numerical labels assigned to devices on the Internet for identification and addressing are called IP addresses. In the sample socket entry, 10.145.45.62 is a version 4 IP address. v4 IP addresses are the addresses that most people are familiar with. v6 IP addresses are newer, allow for a much greater range of addresses, and follow a different format (e.g., a v6 IP address looks like this: fe80::5921:c8ed:428e:a3aa).

https://en.wikipedia.org/wiki/Internet_Protocol

5 Ports are numbered communication endpoints managed by a computer's OS. A port is identified together with the host's IP address and the transport protocol (usually TCP or UDP), so TCP port 80 and UDP port 80 are distinct. Ports enable many programs to share the same physical connection to the Internet. Well-known port numbers and their services include 80 for HTTP, 443 for HTTPS, 53 for DNS, and 22 for SSH.

https://en.wikipedia.org/wiki/Port_(computer_networking)

6 The routing table lists, for each destination network, which interface and gateway the operating system will send traffic through; it determines the path packets from your network apps take toward their destinations.

https://en.wikipedia.org/wiki/Routing_table

Written by CNS OIT staff
