Main Network X-Ray window

Overview

The main X-Ray window has three main sections: toolbar, flow list, and details section.

Toolbar

The “Auto scroll” checkbox determines if the flow list automatically scrolls to a newly added flow. Generally keep this box checked when watching what your Mac is doing on the network. If you see an entry of interest or want to browse recently added flows, uncheck this box. Unchecking “Auto scroll” will prevent the flow list from scrolling out from under you as you try to select a flow.

The “Blank line” button lets you insert a blank line into the flow list. This can be helpful when you want to investigate just the flows associated with some specific activity. For example, when you go to a web site, you can insert one blank line just before you go to the site and another just after. When you browse the list, the blank lines make it easier to identify the flows most likely associated with the web site.

The “Clear Table” button clears the flow list.

Flow list

The center of the window shows each identified flow. A flow is defined by a program, protocol, address, port, and web address. If multiple connections or web queries are made using the same flow information, the “Count” field increases. More information about a flow is shown below.

Double clicking on a flow entry will create a new Flow Details window containing the details about the flow. This is often useful if you want to remember the information about one flow but continue browsing other flows.

Details section

The section at the bottom of the window provides additional details about a selected flow. The information here is largely the same as shown in a Flow Details window.

Flow list groupings

Primary flow groupings

Process group

The Process ID (PID) and Program represent the process on your Mac that initiated a connection. If you have not installed the NetSQ Endpoint agent, then most of the programs will not be identified.

Connection group

The Protocol (TCP or UDP), IP address, and port represent the standard TCP/IP connection destination.

IP addresses can be IPv4 (e.g., 23.214.80.130) or IPv6 (e.g., 2607:f8b0:400a:800::2005).

URL

The Web column represents the destination host identified in a URL. URL information is only available if the program uses Apple’s web connection library. Many programs do (e.g., Safari, News, and Google’s software update & kfetch programs), but some do not (e.g., Google Chrome browser).

DNS group

The “Query” and “Resolved” columns represent information about the destination IP address extracted from DNS messages. The query column tells you the last DNS query that resolved to the IP address, while the resolved column tells you the last domain name that resolved to the IP address.

This information can be helpful, especially when there is no Web URL data. However, DNS and web services are very complex, so this information should just be considered a guide and not an absolute answer. For example, one query name can resolve to many different IP addresses. One IP address can be associated with many web names. DNS replies often have long chains of redirections. And so on. So, useful, “yes”, guaranteed to be correct, “no.”
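
The sketch below shows why the DNS columns are a guide rather than an answer. It is an added example, not Network X-Ray's own code: it assumes “Query” is the name the program asked for and “Resolved” is the name that owns the final address record after any redirections, and every name and address in it is constructed.

```python
# Constructed DNS replies: (query name, answer records as (owner, type, value)).
RESPONSES = [
    ("www.example.com.", [
        ("www.example.com.", "CNAME", "www.example.com.cdn.example.net."),
        ("www.example.com.cdn.example.net.", "CNAME", "edge7.cdn.example.net."),
        ("edge7.cdn.example.net.", "A", "203.0.113.10"),
        ("edge7.cdn.example.net.", "A", "203.0.113.11"),
    ]),
    ("Static.Example.org.", [
        ("static.example.org.", "CNAME", "edge7.cdn.example.net."),
        ("edge7.cdn.example.net.", "A", "203.0.113.10"),
        ("edge7.cdn.example.net.", "AAAA", "2001:db8::10"),
    ]),
]


def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot as well."""
    return name.rstrip(".").lower()


def build_dns_table(responses):
    """Map each answered IP to its last query and last resolved name."""
    table = {}
    for query, answers in responses:
        for owner, rtype, value in answers:
            if rtype not in ("A", "AAAA"):
                continue  # CNAME records only link names; they carry no address
            entry = table.setdefault(value, {"all_queries": []})
            entry["query"] = norm(query)     # assumed "Query" column: last wins
            entry["resolved"] = norm(owner)  # assumed "Resolved" column: last wins
            if norm(query) not in entry["all_queries"]:
                entry["all_queries"].append(norm(query))
    return table


def annotate(ip, table):
    """Return (query, resolved, ambiguous) for a connection's destination IP."""
    entry = table.get(ip)
    if entry is None:
        return (None, None, False)  # no observed DNS reply mentioned this IP
    # More than one query led to this IP, so the last one is only a guess.
    return (entry["query"], entry["resolved"], len(entry["all_queries"]) > 1)


if __name__ == "__main__":
    dns_table = build_dns_table(RESPONSES)
    for ip in ("203.0.113.10", "203.0.113.11", "2001:db8::10", "198.51.100.5"):
        print(ip, annotate(ip, dns_table))
```

A connection to 203.0.113.10 is labelled with the second query even if the program actually asked for the first, which is the kind of mismatch the paragraph above warns about.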

Count

If there are multiple connections or web queries by the same process to the same destination, the count field will be incremented.