Skip to main content
Protect My Mac — FreeNo credit card required
Guides8 min read

How to Find Out Which Apps Are Using the Internet on Your Mac

Hassanain

Your Mac is constantly talking to the internet, even when you think it's just sitting there idle. Apps are checking for updates, syncing data, sending telemetry, and sometimes doing things you didn't explicitly ask for.

I always tell people: before you install any security tool, learn to use Activity Monitor. It won't catch everything, but it teaches you what "normal" looks like on your machine — and that's half the battle. When I was testing CoreLock's process scanner, I learned more about macOS internals in three months than I did in years of using a Mac. The system is way more complex under the hood than most people realize.

Here's how to find out exactly which apps are using the internet on your Mac, using both built-in tools and some third-party options that'll give you a much clearer picture.

Activity Monitor's Network Tab: Your First Stop

Activity Monitor is right there in /Applications/Utilities/Activity Monitor.app, and it's honestly the easiest place to start. Open it up and click the Network tab at the top.

You'll see a list of every process currently sending or receiving data, along with how much data they're moving. The columns show "Sent Bytes" and "Rcvd Bytes" — that's data going out from your Mac and data coming in.

What you're looking for here are processes that are moving significant amounts of data when you're not actively using them. Chrome sitting at 50MB sent when you haven't touched it in an hour? That's worth investigating. An app you've never heard of that's consistently at the top of the list? Definitely suspicious.

The thing is, Activity Monitor only shows you current network activity. If an app was chatty five minutes ago but isn't doing anything right now, you won't see it. This is where it gets interesting — you need to catch apps in the act.

Using nettop to See Real-Time Network Activity

The terminal isn't scary once you get past the initial learning curve. Open Terminal (it's in /Applications/Utilities/Terminal.app) and run this command:

nettop -P

The -P flag shows you per-process network usage. You'll get a constantly updating view of which processes are using your network connection right now. It looks something like this:

nettop: listing processes by network usage
    PID COMMAND      SENT      RCVD      
   1234 Chrome       2.5MB     15.2MB    
   5678 Mail         156KB     892KB     
   9012 Spotify      45KB      1.2MB

Press q to quit when you're done watching. This is way more detailed than Activity Monitor and updates in real-time, so you can see exactly what's happening as it happens.

I wrote my first security script in about 20 minutes using data from nettop, and it caught something that a paid antivirus missed completely. The terminal gives you access to information that GUI tools sometimes hide or simplify.

Finding Which Apps Are Connected Right Now with lsof

If you want to see which apps have active network connections — not just data transfer, but actual open connections to remote servers — use lsof:

lsof -i

This shows every open internet connection on your Mac. You'll see output like:

COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Chrome    1234   hassanain   45u  IPv4 0x12345      0t0  TCP 192.168.1.100:54321->server.example.com:443 (ESTABLISHED)
Mail      5678   hassanain   12u  IPv4 0x67890      0t0  TCP 192.168.1.100:54322->mail.icloud.com:993 (ESTABLISHED)

The important parts: COMMAND (the app), PID (process ID), and NAME (what server it's connected to). If you see connections to domains you don't recognize, that's your cue to dig deeper.

You can also filter this by specific ports. Want to see what's using HTTPS connections?

lsof -i :443

Or check for any suspicious connections on non-standard ports:

lsof -i :8080

Understanding What's Normal vs. Suspicious

Here's where experience matters. Some network activity is completely normal and expected:

Apple's own processes connect to apple.com, icloud.com, mzstatic.com (App Store), and push.apple.com (push notifications). You'll also see connections to ocsp.apple.com for certificate validation and configuration.apple.com for system updates.

Browsers like Chrome and Safari constantly maintain connections to Google's servers, CDNs, and whatever websites you have open. Even when you close all tabs, they might keep some connections alive for performance.

Apps like Dropbox, OneDrive, and Google Drive will always show network activity — that's literally their job.

What should make you suspicious? Apps you don't remember installing that are consistently using network resources. Processes with generic names like "agent" or "daemon" connecting to random IP addresses instead of recognizable domains. Any app using way more bandwidth than it should need for its function.

Little Snitch: The Network Activity Firewall

If you want to get serious about monitoring network activity, Little Snitch is probably the gold standard on Mac. It's not free (costs around $60), but it shows you every single network connection attempt in real-time and lets you block specific apps or connections.

When you first install Little Snitch, it'll overwhelm you with popup notifications for every connection. That's actually the point — it's showing you just how chatty your Mac really is. After a few days of setting up rules, you'll have a much clearer picture of what each app is trying to do online.

The thing about Little Snitch is that it operates at the kernel level, so it catches everything. Even apps trying to be sneaky can't hide from it.

Lulu: The Free Alternative

If you don't want to spend money on Little Snitch, Lulu is a free, open-source firewall that does similar monitoring. It's created by Objective-See, the same security researcher who makes KnockKnock and other Mac security tools.

Lulu shows you outgoing connections and lets you create rules to block them. It's not quite as polished as Little Snitch, but it's completely free and does the job for basic monitoring.

You can download it from objective-see.com/products/lulu.html. The interface is simpler than Little Snitch, which honestly might be a good thing if you just want to see what's connecting without getting overwhelmed.

Checking Network Usage by App in System Settings

macOS also gives you a basic view of network usage in System Settings. Go to System Settings > Network > Wi-Fi (or Ethernet) > Advanced > Proxies, then click on the "Data Usage" tab if you're on Sequoia or later.

This shows you which apps have used the most data over different time periods, but it's pretty basic compared to the other methods. It's useful for seeing long-term patterns — like if an app you barely use has somehow consumed gigabytes of data — but not for real-time monitoring.

What to Do When You Find Something Suspicious

Let's say you've found an app that's using more network resources than it should, or connecting to servers you don't recognize. How to find hidden apps on Mac can help you track down exactly what's running on your system.

First, don't panic and start killing processes randomly. Note down the process name, PID, and what servers it's connecting to. Then:

Search for the process name online. Many legitimate processes have obscure names — nsurlsessiond handles network requests for other apps, cloudd manages iCloud syncing, trustd handles certificate validation.

Check the app's location using Activity Monitor. Right-click on the process and select "Open Files and Ports" to see what files it has open, or use:

lsof -p [PID]

Replace [PID] with the actual process ID number.

If you're still suspicious, you can temporarily block the app's network access using Little Snitch or Lulu to see what breaks. If nothing important stops working, that's a good sign the network activity wasn't necessary.

Monitoring Network Activity Over Time

One limitation of all these tools is that they mostly show you what's happening right now. If you want to track network usage patterns over time, you'll need to get a bit more creative.

You can use nettop to log network activity to a file:

nettop -P -l 1 -t wifi >> ~/network_log.txt

This runs nettop once every second and appends the output to a file in your home directory. Let it run for a few hours or overnight, then analyze the log to see which apps are most active when you're not using your Mac.

To be fair, this is probably overkill for most people. But if you're dealing with a Mac that seems slow or you're worried about data usage on a metered connection, it can be really helpful.

Common Network Hogs and What They're Doing

Some apps are just naturally network-heavy, and that's not necessarily suspicious:

Browsers — Chrome, in particular, can use hundreds of megabytes even when "idle" because of background tabs, extensions, and sync services.

Cloud storage apps — Dropbox, OneDrive, Google Drive are constantly syncing. If you just added a bunch of files, they might transfer gigabytes.

Streaming apps — Spotify, Apple Music, and video apps cache content in the background.

Software updaters — Apps checking for updates, downloading them in the background. Adobe Creative Suite is notorious for this.

System processes — macOS itself downloads security updates, App Store updates, and system data regularly.

The key is learning what normal looks like for your specific Mac and usage patterns. This is actually one of the things we built CoreLock to handle — it learns your system's normal behavior and flags unusual network activity automatically.

When Built-In Tools Aren't Enough

Honestly, there are some things that Activity Monitor and even lsof won't catch. Sophisticated malware can hide network connections or route them through legitimate processes. Some apps use system-level network APIs that don't show up cleanly in process lists.

If you suspect something more serious is going on, our guide on checking for unauthorized network connections covers more advanced techniques. And if you want a comprehensive security scan, what a free Mac security scan actually finds shows you exactly what you can expect from automated tools.

The Bottom Line on Network Monitoring

Learning to monitor network activity on your Mac isn't paranoia — it's basic digital hygiene. Your Mac is constantly communicating with servers around the world, and you should know what those conversations are about.

Start with Activity Monitor's Network tab to get a feel for what's normal. Graduate to nettop and lsof when you want more detail. Consider Little Snitch or Lulu if you want ongoing monitoring and control.

The goal isn't to block everything — it's to understand what's happening so you can make informed decisions. Some network activity is necessary and beneficial. Some isn't. The tools I've shown you will help you tell the difference.

I might be wrong about this, but I think most Mac users would be surprised by how much their computers are talking to the internet without their knowledge. Not all of it is malicious, but all of it is worth understanding. Your Mac's network activity is like a window into what your apps are really doing when you're not looking.

Related Articles

Guides

How to Check Your Mac for Unauthorized Network Connections

8 min read
Guides

How to Find Hidden Apps on Mac That You Didn't Install

10 min read
Guides

How to Protect Your Mac: 12 Steps That Actually Matter in 2026

14 min read

Ready to try CoreLock?

Free to download. No credit card required.

Download CoreLock Free
Back to all posts