Viewing network connections
Viewing network connections
To visualize network connections in a graphical way, use the Network activity view. The Network activity view relates all the objects that participate in a network connection.
To open the Network activity view:
- Execute an investigation based on connections or on any of the objects that participate directly or indirectly in a network connection: device, user, application, executable, binary, port or destination.
- From the list of results, click the Network button placed at the top of the list.
You can also open the Network activity view from other contexts such as the device view or the services view. In any case, an underlying investigation is generated for you, displaying the Network activity that corresponds to that investigation.
Interpreting the Network activity view
The Network activity view arranges objects in five columns, one per class of object that participates in a connection: device, user, binary, port and destination (applications and executables participate indirectly in a connection through binaries). Straight lines connect objects in contiguous columns whenever the linked objects took part in a network connection. The thickness of the lines indicate a quantity that depends on the kind of information that you selected in the Display choice list that is found in the top left corner of the panel. By default, lines display the total traffic, so the thicker the line is, the higher the amount of traffic exchanged during the connection. But you can select to display the number of failed connections, the average response time, the bitrate of the connection, etc. Hovering the mouse over a line gives you the exact quantity of the information selected. A dashed line indicates a zero amount of the kind of information selected; for instance, you may select to display the total traffic and have a very thick line joining a set of objects and then select to display the number of failed connections and have a dashed line instead, because all connections were successful.
Grouping objects in the columns of the diagram
When a column contains many objects, the Finder collapses them into groups of objects. You distinguish collapsed objects from single objects by the small plus sign that shows on the icon of the collapsed objects. To expand a group of collapsed objects, click the plus sign. If a dotted line appears between expanded objects, that means that they share common traits and they are suitable for collapsing. Click the dotted line and the objects linked by the line will collapse. Alternatively, right-click on an object and select Collapse or Expand. The right-clicking option allows you to force a collapse of objects even when no dotted line links them. As a special case, binary objects can collapse into executables and applications and be displayed as such in the column dedicated to binaries. Groups of devices and ports can additionally display a star on their respective icons. For a group of devices, the star denotes that they all belong to a single entity, which is a special kind of category. In the case of ports, the star indicates that the icon represents a group of scanned ports. You cannot expand scanned ports to analyze them individually. The group of external destinations is represented by an icon with the shape of a cloud in the column dedicated to destinations. Similarly to a group of scanned ports, the group of external destinations cannot be expanded to individual destinations.
If the number of objects in a column exceeds the vertical space available to show them, an arrow above the column and an arrow below the column help you reach the objects that lie out of bounds. Hover the mouse cursor over the arrows to navigate up or down the objects in the column or click the arrows to navigate quickly.
When you click on a line of the Network activity joining two objects, a full path from device to destination is highlighted based on your selection. Right-click the path to drill-down to related objects or activities or execute a related one-click investigation, as you would do from the list results of an executed investigation. You can select several paths at the same time by pressing the Ctrl key while you click the paths.
If the Network activity corresponds to an investigation based on objects and not directly based on connections, a list of objects from the results of the investigation appears to the left of the diagram. For instance, if you execute an investigation on devices and then select the Network activity view, the left hand side of the diagram displays a list of the devices included in the results of the investigation. The list of objects interacts with the displayed lines of the Network activity diagram. If you select a path in the Network activity diagram, the objects that took part in the selected connections are highlighted in the list. The reverse is also true: if you select a specific object from the list, paths representing connections in which the object took part are highlighted in the Network activity diagram. Again, you can select several paths or several objects at the same time by pressing the Ctrl key while clicking the lines or the names of the objects. Right-click the name of an object to get the usual drill-down and one-click investigation options associated to the object.
The bar chart of time limited investigations
If the Network activity view relates to an investigation limited in time (full period investigations and investigations specifying Between hours are excluded), a bar chart spanning the period of the investigation appears below the diagram of columns. The height of a bar represents a quantity that depends on the type of information selected in the Display choice list, in the same way as the thickness of a line in the diagram does. The value of a bar is valid within the time that corresponds to its width. Hover the mouse over a bar to display the numeric value represented and the time interval that the bar spans. The Finder automatically computes the width of the bars and scales them to fit the time frame of the underlying investigation:
- For a maximum time frame of 7 days, a bar represents 2 hours of data.
- For a minimum time frame of 30 minutes, a bar represents 30 seconds of data.
The bars in the chart also interact with the path lines of the Network activity diagram. Click a bar and the associated paths will be highlighted in the diagram. Click a line of the Network activity diagram and the corresponding sections of the bars will be highlighted in the bar chart. Once again, you can select several lines or several bars by clicking them while you press the Ctrl key. Right-click a bar or a group of selected bars to drill-down to related objects or activities or to execute one-click investigations.
Zooming in and out
To limit the number of lines in a diagram to those that correspond to one or more bars in the bar chart, use the zoom in icon (the magnifying glass with a plus sign) placed on the top right corner of the Network activity diagram. Selecting one or more bars in the bar chart enables the zoom in icon. Click the zoom in icon and only the lines that relate to the bars selected will remain displayed in the diagram. After zooming in, come back to the original time frame by clicking the zoom out icon that lies to the right of the zoom in icon.
In a similar way, you can reduce the number of paths in a diagram to those selected using the zoom. Select one or more paths in the diagram and click the zoom in icon. Only the selected paths and their related objects remain displayed in the diagram. Click the zoom out icon to come back to the previous zoom level.
Limits of the diagram
If the investigation involves a big amount of connections, the Network activity view may not be able to display all the corresponding paths. When the limit of ten thousand paths is exceeded, a warning icon appears in the top right corner of the diagram, to the left of the zoom icons, meaning that only partial results are shown in the diagram.
To see the Network activity diagram in full screen mode, click the growing square icon that is placed to the right of the zoom icons. This is specially useful in diagrams with lots of connections to better distinguish the different paths. To come back to the original view of the diagram, click the shrinking square icon that replaces the growing square icon in full screen mode.