Comparing macOS with Linux background network traffic

A short overview of unwittingly opened network connections.

A network traffic graph generated from my Mac running macOS Sierra. The data was collected during a 10-hour workday. The computer was started and left unused during this time. The upper half shows individual connections, each with its own color. Below that, the number of transmitted packets per time frame is shown.

Over a period of ten hours my Mac handled 157 different connections. Most of them are used to maintain LAN services such as neighbor advertisement (NDP). I created an application that generates small graphs for a visual comparison of network traffic.

Overview of Internet connections

NTP

Overall, 115 connections via NTP were counted. Among the incoming addresses, one stood out: scan-04b.shadowserver.org. A quick search revealed that my firewall could use a rule-set update (Ref: https://ntpscan.shadowserver.org/). At first, an NTP query was started every minute, and by the end of the 10-hour test the interval had extended to 20 minutes. These irregular intervals can be explained by NTP's update strategy to maintain the highest possible accuracy. If a high accuracy of less than 10 milliseconds is not needed, an alternative method available with Linux/systemd can be used. With the systemd-timesyncd service the system clock is synchronized only once during boot:

Email and Social Media accounts

Email accounts are queried hourly without user activity.

Other Services

Other services, for example up-to-date weather information, are queried every three hours.

Jabber service

Apple's Jabber service was activated every 10 minutes.

The Cloud

The Mac connected itself once every hour to the cloud. Interestingly, the data transmitted with Transport Layer Security (TLS) 1.2 never changed.

Application Updates

Applications not distributed through the App Store have their own update intervals. At 10 o'clock GpgTools decided to update itself.

Oddities

On two occasions the system tried to send defective TCP packets. Both were rejected by the router.
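
The query intervals reported in this overview (NTP backing off from one minute to 20 minutes, Jabber every 10 minutes, mail hourly, weather every three hours, a one-off updater) can be recovered from a capture by grouping connections per remote endpoint and looking at the gaps between them. The following is an added example, not the application used for the graphs above; the flow records are constructed sample data, and the hostnames, ports and the `summarize` helper are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

CAPTURE_SECONDS = 10 * 3600  # the 10-hour observation window from the article

def sample_flows():
    """Constructed records (seconds since start, service, endpoint); hosts are placeholders."""
    flows, t, gap, n = [], 0, 60, 0
    while t < CAPTURE_SECONDS:           # NTP-like: 1 min at first, backing off to 20 min
        flows.append((t, "ntp", "ntp.example:123"))
        n += 1
        if n % 4 == 0:                   # constructed schedule: double after every 4th query
            gap = min(gap * 2, 1200)
        t += gap
    for service, endpoint, start, step in [
        ("jabber", "xmpp.example:5223", 30, 600),         # every 10 minutes
        ("mail", "imap.example:993", 120, 3600),          # hourly
        ("weather", "weather.example:443", 300, 10800),   # every three hours
    ]:
        flows += [(ts, service, endpoint) for ts in range(start, CAPTURE_SECONDS, step)]
    flows.append((7200, "updater", "updates.example:443"))  # one-off update check
    return sorted(flows)

def summarize(flows, tolerance=0.1):
    """Per endpoint: connection count, first/median/last gap and the timing pattern."""
    stamps = defaultdict(list)
    for ts, service, endpoint in flows:
        stamps[(service, endpoint)].append(ts)
    report = {}
    for key, seen in stamps.items():
        seen.sort()
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        row = {"count": len(seen), "pattern": "single"}
        if gaps:
            mid = median(gaps)
            spread = max(abs(g - mid) for g in gaps) / max(mid, 1)
            if spread <= tolerance:
                row["pattern"] = "fixed"       # timer-driven polling
            elif all(b >= a for a, b in zip(gaps, gaps[1:])):
                row["pattern"] = "backoff"     # the interval only ever grows
            else:
                row["pattern"] = "irregular"
            row.update(first_gap=gaps[0], median_gap=mid, last_gap=gaps[-1])
        report[key] = row
    return report

if __name__ == "__main__":
    for (service, endpoint), row in summarize(sample_flows()).items():
        print(f"{service:8} {endpoint:22} {row}")
```

Real input would come from a packet capture or firewall log reduced to the same three fields; endpoints whose pattern is neither fixed nor an expected backoff are the ones worth a closer look.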

Linux
Linux Network Graph

I stopped the test with Linux after three hours. The system was silent and did not open any connection outside the LAN.

Considerations

I suspect that my Mac has a very individual setup and differs a lot from other possible configurations, but it should be expected that macOS on average creates more background network traffic than a Linux distribution like Arch Linux.
