Flow Details window

Overview

The Flow Details window provides details about a single network flow. Double-clicking any flow item in Network X-Ray’s main window opens a Flow Details window for it, and you can have as many Flow Details windows open as you want.

The Flow Details window is broken down into six areas: the process that initiated the connection, the parent of that process (the process that started it), basic network connection information, information about the destination IP address, when the network activity occurred, and information about any URLs associated with the flow.

Process that initiated the connection

This grouping provides details about the process that initiated the connection. The process ID (PID) is always shown. If you have also installed the additional endpoint daemon, the grouping also shows the program name, the full path to the program, the signing ID of the program, the team ID that signed it (usually present for third-party programs but not for Apple’s own), and the date the program file was created. The path, signing ID and team ID together tell you whether the network activity comes from the program you expect, or from something merely named like it.

Parent of the process that initiated the connection

This grouping is essentially identical to the previous one but is for the parent process. This is the process that started the process that initiated the connection. Most often this is Apple’s launchd process, but sometimes there can be an interesting chain of processes.

Connection information

This grouping describes the network destination including the protocol (TCP or UDP), destination IP address (an IPv4 or IPv6 address), and a destination port. The local device hash is a placeholder that identifies your Mac for the current run of the Network X-Ray program (it is essentially a random number).

Information about the destination

This grouping provides additional details about the destination: the host portion of the URL, if a URL is available to the sensor; the last DNS query (the name the client asked for) that resolved to the destination IP address; the last DNS name that resolved to the IP address, which is often reached only through a series of CNAMEs; and the organization that controls the IP address (provided by MaxMind). Comparing the queried name with the final name is the quickest way to see that a familiar hostname is actually being served by a CDN or another third party.
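The distinction between the last DNS query and the last DNS name is easiest to see in code. The following is an added worked example, not Network X-Ray’s own code: it takes the answer sections of a few DNS responses (constructed sample data using documentation names and addresses), follows each CNAME chain to the name that actually carried the A/AAAA record, and indexes every resolved IP by both the queried name and that final name, letting later responses overwrite earlier ones so each IP keeps the most recent pair. The hop limit and loop check are defensive additions of this example.

```python
"""Added worked example (not Network X-Ray's own code): follow CNAME chains in
DNS answer sections and index each resolved IP by (last query name, last final name)."""

# Constructed sample responses: (queried name, answer records as (owner, type, rdata)).
# All names and addresses are documentation values, not real hosts.
SAMPLE_RESPONSES = [
    ("www.example.com", [
        ("www.example.com", "CNAME", "www.example.com.cdn.example.net"),
        ("www.example.com.cdn.example.net", "CNAME", "edge-1.cdn.example.net"),
        ("edge-1.cdn.example.net", "A", "203.0.113.10"),
    ]),
    ("api.example.com", [
        ("api.example.com", "A", "203.0.113.20"),
        ("api.example.com", "AAAA", "2001:db8::20"),
    ]),
    # A later query, in mixed case with a trailing dot, that lands on the same CDN edge.
    ("Static.Example.ORG.", [
        ("static.example.org", "CNAME", "edge-1.cdn.example.net"),
        ("edge-1.cdn.example.net", "A", "203.0.113.10"),
    ]),
]


def _norm(name):
    """DNS names compare case-insensitively; also drop a trailing root dot."""
    return name.lower().rstrip(".")


def follow_cname_chain(qname, answers, max_hops=8):
    """Return (final_name, [addresses]) after following CNAMEs from qname.
    The hop limit and seen-set guard against looping or absurdly long chains
    in malformed or hostile responses (an assumption of this example)."""
    cnames = {_norm(o): _norm(t) for o, rtype, t in answers if rtype == "CNAME"}
    name = _norm(qname)
    seen = set()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain longer than {max_hops} hops from {qname}")
        seen.add(name)
        name = cnames[name]
    addrs = [rdata for o, rtype, rdata in answers
             if _norm(o) == name and rtype in ("A", "AAAA")]
    return name, addrs


def build_ip_index(responses):
    """Replay responses in order; a later response overwrites an earlier one,
    so each IP ends up with the *last* query name and last final name."""
    index = {}
    for qname, answers in responses:
        final, addrs = follow_cname_chain(qname, answers)
        for ip in addrs:
            index[ip] = (_norm(qname), final)
    return index


if __name__ == "__main__":
    for ip, (queried, final) in build_ip_index(SAMPLE_RESPONSES).items():
        note = "" if queried == final else "  (reached via CNAME chain)"
        print(f"{ip:16} last query {queried:24} last name {final}{note}")
```

Run as a script it prints one line per resolved IP; 203.0.113.10 is reported under static.example.org rather than www.example.com because that was the later query, which is exactly the behaviour the "last DNS query" field implies.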

When the network activity occurred

This grouping shows the timestamps of the first and last connections or HTTP queries to the same destination, in the GMT timezone. Count tells you how many connections or HTTP queries were made to that destination. If the table was cleared, or the connection was removed by automatic pruning, the timestamps and count are reset, so a low count or a recent first-seen time does not by itself mean the destination was contacted only recently or rarely.

URLs sent to the destination

The final section shows up to five URLs your Mac sent to the destination. If a URL includes variable and value pairs (a query string), they are listed below that URL. This is helpful in determining what your system is requesting (for example, pulling down a JavaScript library from the destination) or what information it is pushing to the server (for example, details about your Mac such as screen size, GPU and browser window size, or the identifier the site uses to track you).
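The last two groupings are a per-destination summary of raw flow events. The following is an added worked example, not Network X-Ray’s own code, that builds that summary over constructed sample events: first and last seen in GMT, a count that includes both plain connections and HTTP queries, a reset when an entry is pruned, and up to five URLs with their query-string variables decoded. The event tuple layout, the choice to keep the most recent five URLs (the page does not say which five are kept), and the tracking-pixel URLs in the sample are assumptions of this example.

```python
"""Added worked example (not Network X-Ray's own code): summarise flow events per
(protocol, destination IP, port) the way the Flow Details window presents them."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

MAX_URLS = 5  # the window shows at most five URLs per destination


@dataclass
class DestinationSummary:
    first_seen: datetime
    last_seen: datetime
    count: int = 0
    # Assumption: the most recent five URLs are kept (the page does not say which five).
    urls: deque = field(default_factory=lambda: deque(maxlen=MAX_URLS))


# Constructed sample events: (epoch seconds, protocol, dst IP, dst port, URL or None).
# The final event arrives out of order to show that first/last use min/max, not arrival order.
SAMPLE_EVENTS = [
    (1700000000, "TCP", "203.0.113.10", 443, "https://cdn.example.com/lib/jquery.min.js"),
    (1700000005, "TCP", "203.0.113.10", 443,
     "https://cdn.example.com/t.gif?uid=a1b2&sw=2560&sh=1440&gpu=Apple%20M1"),
    (1700000011, "UDP", "203.0.113.53", 53, None),
    (1700000020, "TCP", "203.0.113.10", 443, "https://cdn.example.com/t.gif?uid=a1b2&ev=scroll&dbg="),
    (1700000031, "TCP", "203.0.113.10", 443, "https://cdn.example.com/t.gif?uid=a1b2&ev=click"),
    (1700000042, "TCP", "203.0.113.10", 443, "https://cdn.example.com/css/site.css"),
    (1700000053, "TCP", "203.0.113.10", 443, "https://cdn.example.com/t.gif?uid=a1b2&ev=unload"),
    (1700000008, "TCP", "203.0.113.10", 443, None),
]


def fmt_gmt(when):
    """Render a timestamp the way the window does: GMT, not local time."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S GMT")


def record(table, event):
    """Fold one event into the per-destination table and return its entry."""
    ts, proto, ip, port, url = event
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    key = (proto, ip, port)
    entry = table.get(key)
    if entry is None:
        entry = table[key] = DestinationSummary(first_seen=when, last_seen=when)
    entry.count += 1  # plain connections and HTTP queries both count
    entry.first_seen = min(entry.first_seen, when)
    entry.last_seen = max(entry.last_seen, when)
    if url:
        entry.urls.append(url)  # deque(maxlen=5) silently drops the oldest
    return entry


def summarise(events):
    table = {}
    for event in events:
        record(table, event)
    return table


def prune(table, key):
    """Clearing the table or pruning a flow discards its timestamps and count;
    the next event for that destination starts a fresh record."""
    table.pop(key, None)


def url_parameters(url):
    """Host, path and decoded (name, value) pairs of a URL's query string.
    keep_blank_values so 'dbg=' still shows up; the fragment is never sent
    to the server, so it is ignored."""
    parts = urlsplit(url)
    return parts.hostname, parts.path, parse_qsl(parts.query, keep_blank_values=True)


if __name__ == "__main__":
    for key, entry in summarise(SAMPLE_EVENTS).items():
        print(key, fmt_gmt(entry.first_seen), fmt_gmt(entry.last_seen), "count", entry.count)
        for url in entry.urls:
            host, path, params = url_parameters(url)
            print("   ", host + path)
            for name, value in params:
                print("       ", name, "=", value)
```

Run as a script it prints one summary per destination followed by its retained URLs and their decoded parameters; the repeated uid value across the t.gif requests is the kind of persistent identifier the text refers to, and sw/sh/gpu are the kind of device details a page pushes out in a beacon.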