Viewing executions

To visualize program executions in a graphical way, use the Local activity view. The Local activity view relates all the objects that take part in the execution of a program.

To open the Local activity view:

  1. Execute an investigation based on executions or on any object that takes part in the execution of a program: device, user, application, executable or binary.
  2. From the list of results, click the Local activity button placed at the top of the list.

You can also open the Local activity view from other contexts such as the executions section of the device view. In any case, the Local activity view is a graphical representation of an underlying investigation. When you open the Local activity view from a context other than an investigation, the Finder automatically creates the investigation for you.

Interpreting the Local activity view

The Local activity view arranges objects in three columns, one per class of object that participates in an execution: device, user and binary. The Local activity view treats applications and executables as objects that hold binaries. They can therefore appear in the binary column when the binaries that they hold are visually collapsed into groups.

The lines that join the objects in the columns represent either the number of executions or the duration of the executions in which the connected objects took part, depending on the type of information that you select in the Display choice list in the top left corner of the diagram. The thicker the line that links two objects, the higher the number of executions or the longer the duration of the executions that it represents. Using the same Display choice list, you can also make the lines display information about the network traffic aggregated during an execution. For detailed information on individual connections, use the Network activity view, documented in the chapter on Viewing network connections. Alternatively, if you are interested in details about web traffic, use the Web activity view, documented in the chapter on Viewing web requests.

Hovering the mouse cursor over a line in the diagram gives you the exact quantity of the kind of data that the line represents, that is, the kind that you selected in the Display choice list. A dashed line indicates zero data.

Grouping objects in the columns of the diagram

The Local activity view shares with the Network activity and the Web activity views the same mechanism for collapsing and expanding objects in the column diagram. When a column contains many objects, the Finder collapses them into groups. You distinguish collapsed objects from single objects by the small plus sign that shows on the icon of the collapsed objects. To expand a group of collapsed objects, click the plus sign. If a dotted line appears between expanded objects, it means that they share common traits and are suitable for collapsing. Click the dotted line and the objects linked by the line collapse. Alternatively, right-click an object and select Collapse or Expand. The right-click option lets you force a collapse of objects even when no dotted line links them. As a special case, binary objects can collapse into executables and applications and be displayed as such in the column dedicated to binaries. A collapsed group of devices that displays an additional star on its icon denotes that all members of the group belong to a single entity, which is a special kind of category.

If the number of objects in a column exceeds the vertical space available to show them, an arrow above the column and an arrow below the column help you reach the objects that lie out of bounds. Hover the mouse cursor over the arrows to navigate up or down the objects in the column or click the arrows to navigate quickly.

Navigating through paths and objects

When you click a line of the Local activity diagram, a full path from device to binary is highlighted based on your selection. Right-click the path to drill down to related objects or activities, or to execute a related one-click investigation, as you would do from the list of results of an executed investigation. You can select several paths at the same time by pressing the Ctrl key while you click the paths.

If the Local activity view corresponds to an investigation based on objects and not directly on executions, a list of objects from the results of the investigation appears to the left of the diagram. For instance, if you execute an investigation on devices and then select the Local activity view, the left-hand side of the diagram displays a list of the devices included in the results of the investigation. The list of objects interacts with the displayed lines of the Local activity diagram. If you select a path in the diagram, the objects that took part in the selected executions are highlighted in the list. The reverse is also true: if you select a specific object from the list, the paths representing executions in which the object took part are highlighted in the diagram. Again, you can select several paths or several objects at the same time by pressing the Ctrl key while clicking the lines or the names of the objects. Right-click the name of an object to get the usual drill-down and one-click investigation options associated with the object.

The bar chart of time-limited investigations

If the Local activity view relates to an investigation limited in time (full period investigations and investigations specifying Between hours are excluded), a bar chart spanning the period of the investigation appears below the column diagram. The height of a bar represents a quantity that depends on the type of information selected in the Display choice list, in the same way as the thickness of a line in the diagram does. The value of a bar applies to the time interval that corresponds to its width. Hover the mouse over a bar to display the numeric value represented and the time interval that the bar spans. The Finder automatically computes the width of the bars and scales them to fit the time frame of the underlying investigation:

  • For a maximum time frame of 7 days, a bar represents 2 hours of data.
  • For a minimum time frame of 30 minutes, a bar represents 30 seconds of data.

The bars in the chart also interact with the path lines of the Local activity diagram. Click a bar and the associated paths are highlighted in the diagram. Click a line of the Local activity diagram and the corresponding sections of the bars are highlighted in the bar chart. Once again, you can select several lines or several bars by clicking them while you press the Ctrl key. Right-click a bar or a group of selected bars to drill down to related objects or activities, or to execute one-click investigations.
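To make the relationship between the path lines, the Display quantities and the bar chart concrete, here is an added example that models the aggregation the Local activity view performs. It is not Finder code and does not use the product's data model: the execution records, the field layout (device, user, binary, start time, duration) and the function names are constructed for this illustration. Each device-user-binary path accumulates the two quantities the Display choice list can show (execution count and total duration), the investigation period is split into bars of a given width so that clicking a bar yields the paths executed during it and clicking a path yields the bars it touches, and the documented ten-thousand-path ceiling is checked. The bar width is passed in rather than derived, because the text only states the two endpoints (7 days gives 2-hour bars, 30 minutes gives 30-second bars) and not how intermediate time frames scale.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PATH_LIMIT = 10_000  # documented ceiling on the number of paths the diagram shows

# Constructed sample executions (not real data):
# (device, user, binary, start time, duration in seconds)
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EXECUTIONS = [
    ("laptop-01", "alice", "chrome.exe",  T0,                         600),
    ("laptop-01", "alice", "chrome.exe",  T0 + timedelta(minutes=5),  300),
    ("laptop-01", "alice", "outlook.exe", T0 + timedelta(minutes=40), 1800),
    ("laptop-02", "bob",   "chrome.exe",  T0 + timedelta(minutes=70), 120),
    ("laptop-02", "bob",   "updater.exe", T0 + timedelta(minutes=75), 0),  # zero duration
]


def aggregate_paths(executions):
    """Collapse executions into device -> user -> binary paths.

    Each path carries the two quantities the Display choice list can select:
    the number of executions and their summed duration in seconds.
    """
    paths = defaultdict(lambda: {"count": 0, "duration": 0})
    for device, user, binary, _start, duration in executions:
        edge = paths[(device, user, binary)]
        edge["count"] += 1
        edge["duration"] += duration
    return dict(paths)


def partial_results(paths):
    """True when the diagram would show the warning icon (more paths than it can draw)."""
    return len(paths) > PATH_LIMIT


def bucket_by_time(executions, start, end, bar_width):
    """Split [start, end) into bars of bar_width (a timedelta).

    Each bar records the count and total duration of executions that started
    inside it, plus the set of paths involved, which is what the bar-to-path
    highlighting needs.
    """
    bars = []
    t = start
    while t < end:
        bars.append({"start": t, "end": t + bar_width,
                     "count": 0, "duration": 0, "paths": set()})
        t += bar_width
    for device, user, binary, started, duration in executions:
        if not (start <= started < end):
            continue  # outside the investigation period
        idx = (started - start) // bar_width  # timedelta // timedelta -> int
        bar = bars[idx]
        bar["count"] += 1
        bar["duration"] += duration
        bar["paths"].add((device, user, binary))
    return bars


def paths_for_bars(bars, selected_indexes):
    """Clicking one or more bars highlights every path executed during them."""
    highlighted = set()
    for i in selected_indexes:
        highlighted |= bars[i]["paths"]
    return highlighted


def bars_for_path(bars, path):
    """Clicking a path highlights the bars in which that path was executed."""
    return [i for i, bar in enumerate(bars) if path in bar["paths"]]


if __name__ == "__main__":
    paths = aggregate_paths(SAMPLE_EXECUTIONS)
    for path, edge in sorted(paths.items()):
        style = "dashed" if edge["duration"] == 0 else "solid"  # dashed line = zero data
        print(path, edge, style)
    bars = bucket_by_time(SAMPLE_EXECUTIONS, T0, T0 + timedelta(hours=2),
                          timedelta(minutes=30))
    for i, bar in enumerate(bars):
        print(i, bar["start"].time(), bar["count"], bar["duration"], sorted(bar["paths"]))
```

The selection logic is set-based on purpose: Ctrl-clicking several bars is just the union of their path sets, which is also how the multi-bar selection described above behaves before a zoom in restricts the diagram to those paths.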

Zooming in and out

To limit the lines in the diagram to those that correspond to one or more bars in the bar chart, use the zoom in icon (the magnifying glass with a plus sign) placed in the top right corner of the Network activity diagram. Selecting one or more bars in the bar chart enables the zoom in icon. Click the zoom in icon and only the lines that relate to the selected bars remain displayed in the diagram. After zooming in, return to the original time frame by clicking the zoom out icon that lies to the right of the zoom in icon.

In a similar way, you can use the zoom to reduce the paths in the diagram to those you have selected. Select one or more paths in the diagram and click the zoom in icon. Only the selected paths and their related objects remain displayed in the diagram. Click the zoom out icon to return to the previous zoom level.

Limits of the diagram

If the underlying investigation involves a large number of executions, the Local activity view may not be able to display all the corresponding paths. When the limit of ten thousand paths is exceeded, a warning icon appears in the top right corner of the diagram, to the left of the zoom icons, meaning that only partial results are shown in the diagram.

To see the Local activity diagram in full screen mode, click the growing square icon placed to the right of the zoom icons. This is especially useful in diagrams with many executions, because it helps you distinguish the different paths. To return to the original view of the diagram, click the shrinking square icon that replaces the growing square icon in full screen mode.