How to Audit Your Mac’s Network Activity
A repeatable audit you can run in 20 minutes to know what your Mac is talking to, and decide what should stay.
- Security
- Privacy
- macOS
- Network monitoring
You set aside twenty minutes once a quarter to audit Mac network activity, and the only question is whether you have a process you can actually run, or whether you're going to wing it again with nettop and a notebook. This guide gives you a repeatable 20-minute script: scan, review, hostname check, log retention, action items. Run it the same way every time. Compare to last quarter. Spot drift.
This is how you audit Mac network activity without turning it into a full afternoon.
Why bother — and what you're looking for
The point of the audit isn't paranoia. It's drift. Every macOS install gradually accumulates background services that started talking to the internet at some point and never stopped. A quarterly audit catches:
- Apps you forgot you installed that are still phoning home daily.
- Telemetry endpoints that became chattier than they used to be (after an update).
- Helper processes (Chrome, Slack, Adobe) that quietly upgraded their network footprint.
- Outbound connections to hostnames you don't recognize.
A 20-minute audit, four times a year, is enough to catch nearly all of it.
What you need before you start
- A network monitor in your menu bar. ova is what this guide uses. About 3 MB, samples per-app rates at ~1 Hz, folds helper processes under their parent.
- nettop: built in. No install.
- Optional: Little Snitch or LuLu for hostname-level visibility. The audit works without them but is sharper with them.
- A note-taking app or plain text file for findings. The audit is only useful if you can compare to last time.
That's it. No extra installs beyond the monitor, no kernel extensions, no system changes.
The 20-minute script to audit Mac network activity
Here's the schedule. Stick to the timing — drifting past 30 minutes turns a quarterly habit into "something I'll do when I have time", which means never.
Minutes 0-2: Set the baseline
Quit apps you don't need open. Leave running: your browser, Finder, system services. The goal is to see your "ambient" network usage — what your Mac does when you aren't actively using it.
Open ova from the menu bar. Note the total up/down rate. On an idle Mac, you'd expect a few KB/s for push notification heartbeats, iCloud, and Spotlight. Anything above 100 KB/s sustained while idle is worth looking at.
Minutes 2-7: nettop scan
Open Terminal. Run:
nettop -P -m route -L 5 > ~/Desktop/nettop-$(date +%Y%m%d).txt
-L 5 captures five samples (one per second by default), then exits. The output goes to a dated file on your desktop — you'll keep this for retention later.
While it runs, do nothing. Five seconds, then check the file. You'll see lines like:
Slack.21341 in:1.2KB out:823B
Google Chrome.41203 in:48KB out:9KB
WhatsApp.55102 in:512B out:0B
Skim for anything you don't recognize. Names you can't place are leads.
Minutes 7-12: per-app review in your monitor
Switch to ova. Open the per-app list. Sort by total bytes over the last hour (or the longest window the app shows by default).
For each app in the top 10, ask:
- Should this app be on the network at all right now? A music player — yes. A PDF reader — probably no.
- Is the volume reasonable? Slack at 30 KB/s sustained is normal. Slack at 3 MB/s sustained is unusual.
- Is this app one I installed on purpose, or a leftover? If it's leftover, uninstall.
Helper-process folding matters here. Without it, the top 10 fills up with rows like Google Chrome Helper (Renderer), Slack Helper (GPU), Discord Helper (Plugin). With folding, each of those collapses under the parent app and you can actually read the list.
Minutes 12-16: hostname check
This is where Little Snitch (or LuLu) earns its place. If you have it installed, open the Network Monitor view and look at hostnames per process for the audit window.
If you don't have a firewall-class tool, you can still do a partial hostname check by tailing the unified log:
log show --predicate 'subsystem == "com.apple.network.connectivity"' --style compact --last 20m | head -200
The output is dense, but searching for "connect to" or specific app names will surface domain hints.
What you're looking for:
- Unfamiliar hostnames. Search the domain in a browser. A legit telemetry endpoint usually has a documented purpose.
- Frequent connections to ad/tracking domains. Common offenders: *.doubleclick.net, *.scorecardresearch.com, *.googletagmanager.com. Browser extensions can help (uBlock Origin), but for native apps, a firewall rule is the answer.
- Connections to countries you don't expect. Not inherently bad — many CDNs are regional — but worth noting.
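The watchlist check from the list above, as an added example that is not part of the original guide: it counts hostnames under the listed ad/tracking domains in any saved text, such as log output or a firewall export. The function name and the sample lines are constructed for illustration, and the match also counts the bare domain, which goes slightly beyond the *.domain patterns listed.

```shell
#!/bin/sh
# Added example: count watchlist hits in saved hostname-check output.
# Works on any text containing hostnames; it does not depend on a log format.

# Domains taken from the "common offenders" list in this guide.
WATCHLIST="doubleclick.net scorecardresearch.com googletagmanager.com"

# watchlist_hits FILE (hypothetical helper name)
# Prints "<count> <domain>" for each watched domain seen in FILE.
watchlist_hits() {
    grep -oE '[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+' "$1" |
    tr '[:upper:]' '[:lower:]' |
    awk -v list="$WATCHLIST" '
        BEGIN { n = split(list, dom, " ") }
        {
            for (i = 1; i <= n; i++) {
                suffix = "." dom[i]
                start = length($0) - length(suffix) + 1
                # Match the domain itself or a real subdomain. Comparing
                # against ".domain" keeps look-alikes such as
                # "notdoubleclick.net" from counting as hits.
                if ($0 == dom[i] || (start > 1 && substr($0, start) == suffix))
                    hits[dom[i]]++
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (dom[i] in hits) print hits[dom[i]], dom[i]
        }'
}

# Constructed sample input (not real log output), removed on exit.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
connect to ad.doubleclick.net:443
connect to Stats.G.DoubleClick.net:443
connect to www.googletagmanager.com:443
connect to notdoubleclick.net:443
connect to doubleclick.net.example.com:443
connect to api.example.com:443
EOF

watchlist_hits "$sample"
```

Point it at a file holding the saved hostname-check output instead of the sample; a count that climbs between audits is a candidate for a firewall rule.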
Minutes 16-18: log retention
Take the nettop-YYYYMMDD.txt file you generated and move it into a folder, e.g., ~/Documents/network-audits/. Optionally export the per-app summary from ova as a screenshot.
Why retain: your first audit is just a snapshot. Your second one becomes a comparison. By the third, you can spot trends — "Adobe traffic doubled in Q2" or "Spotify went from 200 KB/s to 800 KB/s after the update".
A flat folder of text files and screenshots is plenty. No fancy tooling.
Minutes 18-20: action items
Write down three to five concrete actions. Examples from real audits:
- "Uninstall MagicScreenshotPro — used twice last year, talks to telemetry every launch."
- "Block Adobe *.adobe.io in Little Snitch — only need it for license check, which can fail gracefully."
- "Investigate the 14 MB outbound spike from mds_stores — probably Spotlight reindex, but confirm next audit."
- "Add Quad9 DNS profile."
- "Disable analytics in Microsoft Word."
Three to five is the right number. More than that and you won't do them. Fewer and the audit didn't surface anything, which usually means you weren't looking carefully.
Run the audit with a real-time view
ova shows live per-app rates and a scrubbable history — local, signed, ~3 MB.
What to track quarter over quarter
A few things worth comparing to your last audit:
| Signal | Why it matters |
|---|---|
| Idle baseline traffic | Drift up means something new is chatty |
| Top 5 apps by bytes/day | Reveals new entrants or growth |
| Number of distinct hostnames | Goes up = more services contacted |
| Background helpers running | Adobe / Office often add new ones over updates |
| Apps with kernel/network extensions | Each one is a trust delegation |
You don't need a spreadsheet. A four-line note per audit is enough.
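One way to pull the "new entrants" signal out of two retained snapshot files, as an added example that is not part of the original guide. It assumes each line has the shape shown in the nettop step (name, dot, PID, then in:/out:) and that helpers follow the "X Helper (...)" naming listed earlier; the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example: diff two retained audit snapshots by app name.
# Assumes lines shaped like the sample in this guide: "Name.PID in:<n> out:<n>".

# Print the unique app names in a snapshot file, sorted.
# Drops ".PID" (it changes on every launch) and folds "X Helper (...)" rows
# under X, following the helper names listed in this guide.
snapshot_names() {
    sed -n 's/^\(.*\)\.[0-9][0-9]* in:.*$/\1/p' "$1" |
        sed 's/ Helper.*$//' | LC_ALL=C sort -u
}

# compare_snapshots OLD NEW (hypothetical helper name)
# Prints "+ name" for apps only in NEW and "- name" for apps only in OLD.
compare_snapshots() {
    old_names=$(mktemp) && new_names=$(mktemp) || return 1
    snapshot_names "$1" > "$old_names"
    snapshot_names "$2" > "$new_names"
    LC_ALL=C comm -13 "$old_names" "$new_names" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$old_names" "$new_names" | sed 's/^/- /'
    rm -f "$old_names" "$new_names"
}

# Constructed sample snapshots (not real captures), removed on exit.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/q1.txt" <<'EOF'
Slack.21341 in:1.2KB out:823B
Google Chrome.41203 in:48KB out:9KB
Google Chrome Helper (Renderer).41210 in:3KB out:1KB
WhatsApp.55102 in:512B out:0B
EOF
cat > "$demo/q2.txt" <<'EOF'
Slack.30017 in:2.0KB out:900B
Slack Helper (GPU).30021 in:100B out:0B
Google Chrome.30100 in:51KB out:8KB
MagicScreenshotPro.30555 in:4KB out:12KB
EOF

compare_snapshots "$demo/q1.txt" "$demo/q2.txt"
```

Because PIDs are stripped and helpers are folded, a relaunched Slack or a new Slack helper does not show up as a new entrant; only names that were absent last quarter do.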
Common findings (and what to do)
"An app I uninstalled is still on the network"
Some apps leave LaunchAgents behind. List them:
ls ~/Library/LaunchAgents/ /Library/LaunchAgents/ /Library/LaunchDaemons/
Anything tied to the uninstalled app (for example, com.example.helper.plist) can be removed. Use launchctl unload first, then delete. Re-audit next quarter to confirm it's gone.
"Activity Monitor shows different numbers than my menu bar tool"
Activity Monitor's Network tab counts since the process started. A menu bar monitor counts in a rolling window. Different lenses on the same kernel data — both honest, just measuring different intervals.
"I see a steady 50 KB/s I can't account for"
Suspect, in order: iCloud sync, Time Machine over network, Spotlight reindex, Backblaze/Carbonite-style backup, Dropbox/Drive sync, an OS update download. nettop -P will name the PID. Most are legitimate. Confirm by quitting the suspected app and watching the rate drop.
Privacy considerations during the audit
If you save logs, those logs contain hostnames and timestamps — sensitive metadata. Store them locally, not in iCloud Drive synced folders, unless you're comfortable with that. Better still, run an audit that stays local end-to-end:
- Monitor that keeps history on disk (no cloud dashboard).
- nettop output saved to a local folder.
- Notes in a local text file, not a cloud-synced doc.
ova fits this profile by design — there's no remote dashboard, no account, no telemetry. The bandwidth history is on your Mac and nowhere else.
The bigger picture: why a monitor pairs with a firewall
The audit produces findings. Some findings are "I should block this." That's where Little Snitch (or LuLu) comes in — set the rule, and re-run the audit next quarter to confirm the rule held.
A common pattern:
- Audit identifies chatty Adobe Updater.
- Little Snitch rule: deny Adobe Updater outbound.
- ova confirms next time you launch Photoshop that updater traffic is now zero.
The monitor and the firewall do different things. You want both for a real audit loop.
Wrapping up
A 20-minute quarterly habit to audit Mac network activity catches the drift that turns a clean Mac into a chatty one. The script is: idle baseline, nettop snapshot, per-app review with helper folding, hostname check, log retention, three to five action items. Run it the same way every time. Compare to last time. Act on findings.
Pick a date — last Friday of the quarter, the morning of a long weekend, whatever sticks. Put it in your calendar now. The hardest part of the audit habit is starting; once you have one history file in ~/Documents/network-audits/, you'll want a second one.