
How to Check Your Mac for Unauthorized Network Connections

Hassanain

Your Mac is making network connections you don't know about. Right now. Some are macOS system services phoning home to Apple. Some are apps syncing data in the background. And some might be something you never authorized.

I always tell people: before you install any security tool, learn to see what your Mac is actually doing on the network. Once you understand what normal traffic looks like, spotting something abnormal becomes almost instinctive. This guide walks you through three practical methods to audit your Mac's network connections, what to look for, and how to investigate anything suspicious.

What "Normal" Network Activity Looks Like

Before you start hunting for threats, you need to know what legitimate traffic looks like. Otherwise, you will scare yourself into thinking every connection is suspicious.

Your Mac runs dozens of system services that make outbound connections as part of normal operation. Here are the most common ones:

  • cloudd handles iCloud syncing for files, photos, and keychain data. It connects to icloud.com and icloud-content.com frequently.
  • trustd performs OCSP checks, which verify that the code signing certificates on your software are still valid. It connects to ocsp.apple.com regularly.
  • mds and mds_stores power Spotlight search indexing. They mostly work locally but occasionally reach out for suggestions.
  • nsurlsessiond manages background downloads for the system and apps. Software updates, App Store content, and iCloud data all flow through this process.
  • sharingd manages AirDrop, Handoff, and Universal Clipboard. It broadcasts on your local network even when you are not actively sharing anything.

Common Apple domains you will see include apple.com, icloud.com, icloud-content.com, cdn-apple.com, and mzstatic.com. If your connections are going to these places, that is Apple's infrastructure doing its job.

Then there are your apps. Browsers are the noisiest — Chrome spawns a separate process and network connection for every tab and extension. Slack, Spotify, Dropbox, and most modern apps maintain persistent connections to their servers. This is expected.

The point is not to panic at the volume. The point is to establish a baseline so you can spot the one connection that does not belong.

Method 1: Activity Monitor Network Tab

The simplest approach is built right into macOS. Open Activity Monitor (Applications > Utilities > Activity Monitor) and click the Network tab.

You will see every process that has sent or received data over the network. The columns that matter most:

  • Sent Bytes and Rcvd Bytes: How much data the process has transferred since it started. Click the column header to sort.
  • Sent Packets and Rcvd Packets: Useful for spotting processes that make many small connections, which can indicate beaconing behavior.

Sort by Sent Bytes descending. The top entries will usually be your browser, iCloud services, and any streaming apps. That is normal. What you are looking for is a process you do not recognize that is sending a significant amount of data.

Double-click any process to see more details. The Open Files and Ports tab shows you the file descriptors and network sockets the process has open. This is useful, but limited. For real visibility, you need Terminal.

Method 2: Terminal Commands

Terminal gives you far more detail than Activity Monitor. Here are three commands I use regularly, each with a different strength.

See all active connections

lsof -i -P | grep ESTABLISHED

This is my go-to command. It lists every process with an active, established network connection. The output looks something like this:

Google    1234 hassanain  45u  IPv4 0x1a2b3c  TCP 192.168.1.5:54321->142.250.80.46:443 (ESTABLISHED)
cloudd    5678 hassanain  12u  IPv4 0x4d5e6f  TCP 192.168.1.5:54987->17.57.144.20:443 (ESTABLISHED)
Spotify   9012 hassanain  22u  IPv4 0x7g8h9i  TCP 192.168.1.5:55123->35.186.224.45:443 (ESTABLISHED)

Here is how to read it: the first column is the process name, the second is the PID (process ID), then the user, then the connection details. The part after the arrow (->) is the remote server — the IP address and port your Mac is talking to. Port 443 means HTTPS, which is standard encrypted web traffic.

If you want to see all connections, not just established ones, drop the grep:

lsof -i -P

This shows LISTEN states too, which are ports your Mac has open and waiting for incoming connections.

Alternative: netstat

netstat -an | grep ESTABLISHED

This shows a similar view but without process names — just IP addresses and ports. It is faster to run and useful when you want a quick count of how many connections are active. I use lsof when I need to know which process owns a connection and netstat when I just want the big picture.

Real-time monitoring

nettop -m tcp

This is the most powerful built-in tool. It gives you a real-time, continuously updating view of every TCP connection on your Mac, organized by process. You can see bytes in and out, connection state, and remote addresses, all updating live.

Press d to toggle the display mode, p to sort by process, and q to quit. Spend five minutes watching nettop while you use your Mac normally. You will quickly get a sense of which processes are chatty and which are quiet. If something new shows up that you did not trigger, that is worth investigating.

Method 3: Investigating a Suspicious Connection

So you spotted a connection that looks off — maybe a process you do not recognize connecting to an IP address you have never seen. Here is how to investigate it step by step.

Step 1: Get the process details

Take the PID from the lsof output and look up the process:

ps aux | grep [PID]

Replace [PID] with the actual number. This shows you the full command that launched the process, including its file path and any arguments. A legitimate app will have a path like /Applications/AppName.app/Contents/MacOS/AppName. Something running from /tmp, /var/folders, or a user's Downloads folder is more concerning.

Step 2: Find the executable

lsof -p [PID] | grep txt

The lines marked txt show the executable file and shared libraries the process has loaded. The first txt entry is the main binary.

Step 3: Check the code signature

codesign -dv --verbose=4 /path/to/binary

This tells you who signed the software and whether the signature is valid. You want to see a recognized developer name and Authority=Apple Root CA somewhere in the chain. If you see "code object is not signed at all," that is a significant red flag on a modern Mac.

Step 4: Look up the remote IP

nslookup [IP]

Replace [IP] with the remote address from the lsof output. This performs a reverse DNS lookup and tells you the hostname associated with that IP. If it resolves to something like ec2-34-209-xxx.us-west-2.compute.amazonaws.com, you know it is an AWS server — could be legitimate, could be someone's command-and-control box. If it resolves to a domain you recognize (google.com, apple.com, cloudflare.com), you can relax.

For IPs that do not resolve to anything meaningful, search them on ipinfo.io or abuseipdb.com to see who owns the address and whether it has been flagged as malicious.

What Suspicious Connections Look Like

After monitoring dozens of Macs, here are the patterns that consistently indicate something is wrong:

Connections to raw IP addresses. Legitimate software almost always connects to domain names, not bare IPs. If a process is connecting to an IP address with no associated hostname, that is unusual.

Unknown processes on non-standard ports. Web traffic uses ports 80 and 443. DNS uses 53. If a process you do not recognize is connecting on port 8443, 4444, 8080, or some other non-standard port, investigate it.

Large amounts of data being sent. Most apps receive far more data than they send. If a process is uploading significant data to an unknown server, that could indicate data exfiltration. Check the "Sent Bytes" column in Activity Monitor or watch the upload numbers in nettop.

Connections that persist after you close everything. Close all your apps and browser windows. Wait a minute. Then run lsof -i -P | grep ESTABLISHED. You will still see system services (cloudd, trustd, nsurlsessiond), but you should not see unfamiliar processes maintaining connections.

Processes you did not start. If a process name means nothing to you and it is making network connections, that is worth a full investigation using the steps above. Not everything unknown is malicious — macOS has plenty of obscure helper processes — but you should always be able to trace a connection back to something you installed or something Apple ships. Here is our full guide on identifying hidden processes.
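To make the triage above repeatable, here is an added example (my script, not the author's or CoreLock's code) that applies the article's heuristics to lsof output: it parses ESTABLISHED lines into process, PID, remote host and port, flags remote ports other than 80 and 443, and classifies executable paths against the risky locations named in Step 1. The lsof lines below are constructed, not a real capture; on a Mac you would feed it `lsof -i -P -n | grep ESTABLISHED` (the extra -n keeps addresses numeric).

```shell
#!/bin/sh
# Added example: triage lsof output with the article's heuristics.
# SAMPLE_LSOF is constructed for the demo. On a Mac, replace it with the
# output of:  lsof -i -P -n | grep ESTABLISHED
SAMPLE_LSOF='Google    1234 hassanain  45u  IPv4 0x1a2b3c  TCP 192.168.1.5:54321->142.250.80.46:443 (ESTABLISHED)
cloudd    5678 hassanain  12u  IPv4 0x4d5e6f  TCP 192.168.1.5:54987->17.57.144.20:443 (ESTABLISHED)
updater   4242 hassanain   9u  IPv4 0x0a0b0c  TCP 192.168.1.5:55200->203.0.113.7:4444 (ESTABLISHED)'

# Reads lsof lines on stdin; prints "COMMAND PID REMOTE_HOST REMOTE_PORT".
# The NAME column is found by its "->" marker rather than by position, so the
# parser works whether or not lsof prints the SIZE/OFF column.
parse_established() {
  awk '/\(ESTABLISHED\)/ {
    for (i = 1; i <= NF; i++) if ($i ~ /->/) { name = $i; break }
    split(name, ends, "->")
    remote = ends[2]
    port = remote; sub(/.*:/, "", port)        # text after the last colon
    host = remote; sub(/:[0-9]+$/, "", host)   # keeps [IPv6] hosts intact
    print $1, $2, host, port
  }'
}

# Keeps only connections whose remote port is not 80 or 443, the article's
# "non-standard port" indicator. Output: "COMMAND PID HOST:PORT".
flag_nonstandard_ports() {
  parse_established | awk '$4 != 80 && $4 != 443 { print $1, $2, $3 ":" $4 }'
}

# Returns 0 when an executable path sits in one of the locations the article
# calls concerning (/tmp, /var/folders, a user's Downloads), 1 otherwise.
# /private/... covers the real targets of the /tmp and /var symlinks on macOS.
suspicious_path() {
  case "$1" in
    /tmp/*|/private/tmp/*|/var/folders/*|/private/var/folders/*|/Users/*/Downloads/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone run over the constructed sample: prints only the odd-port line.
printf '%s\n' "$SAMPLE_LSOF" | flag_nonstandard_ports
```

Pipe the flagged PIDs into the codesign and nslookup steps from Method 3 to finish the investigation.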

Common False Alarms

Before you start worrying, here are some things that look suspicious but are completely normal:

nsurlsessiond transferring large amounts of data. This usually means a software update or iCloud sync is happening. It is Apple's download manager, and large transfers are part of its job.

mDNSResponder making many connections. This handles Bonjour and local network discovery. It is chatty by design, especially on networks with other Apple devices.

trustd connecting to OCSP servers constantly. Every time you launch an app, macOS checks whether its code signing certificate is still valid. That requires a network connection to Apple's OCSP responder. Completely normal.

Your browser showing dozens of connections. Each tab, each extension, each embedded iframe can be its own connection. Twenty Chrome Helper processes with open network sockets is normal, not a sign of compromise.

CommCenter and symptomsd making connections. These handle cellular and network diagnostics. If you have an iPhone nearby with Handoff enabled, you will see these regularly.

If you are still unsure whether something is legitimate, search the process name along with "macOS" online. Between Apple's documentation and community forums, most system processes are well documented. We also maintain a process directory if you want quick answers.

How CoreLock Simplifies This

Everything I described above works. But it is manual, it is time-consuming, and it requires you to know which commands to run and how to interpret the output. Most people will do it once, find it interesting, and never do it again.

That is why I built network monitoring into CoreLock. When you run a scan, CoreLock maps every outbound connection to the process that initiated it. It cross-references remote IPs against threat intelligence databases, flags connections to known malicious infrastructure, and identifies anomalies like unusual data volumes or connections on non-standard ports.

More importantly, it explains what is normal. Instead of seeing "nsurlsessiond -> 17.57.144.20:443" and wondering if that is okay, CoreLock tells you that is an Apple CDN server handling a software update. The stuff that matters gets flagged. The stuff that does not gets explained. No Terminal commands required.

If you are the kind of person who wants to understand your Mac's network activity without memorizing lsof flags, download CoreLock for free and run a scan. The free tier includes 3 scans per day, which is more than enough to establish your baseline and catch anything that changes.

Your Mac's network is not a black box. Every connection can be traced, every process can be identified, and every byte of data can be accounted for. The tools are already on your machine. You just need to know where to look.
