WhatRoute Help

Flow Monitor

The Flow Monitor window displays a table of the network flows seen by the selected network interface.

A Network Flow is a summary of the packets seen on a network interface with common characteristics of source/destination IP addresses, network protocol and source/destination ports.

WhatRoute enables you to view other details, such as the amount of data associated with the flow and the process on your machine that is participating in the flow.

The contents of the table can be saved to a comma-separated values (csv) file with the File/Save ... menu items. The saved file can then be loaded into a text editor or a spreadsheet program such as Excel.

A visualisation of the flow data is available in the Flow Usage treemap.

Open the Flow Monitor window by selecting the menu command Window/Flow Monitor. WhatRoute will remember the size and location of the window and re-open it next time the application is run.
If Resume monitors ... is checked, WhatRoute will immediately begin collecting and displaying data for the selected interface. Otherwise, click the Start button.

Toolbar
The toolbar has controls for starting, stopping and pausing the Flow Monitor.

It also contains a pulldown menu to give quick access to commands.

The Search field performs simple text matching. Only table records that contain the search text in at least one column will be displayed.

Window Header
The window header provides controls that will perform coarse filtering on the data presented in the table.

At the left side of the header are 3 numeric data fields that control the display of data.

Idle - Do not display any flow that has not been updated for this number of seconds.
Inactive - Discard any flow that has not had any network activity for this number of seconds.
Update - Refresh the display at this interval (seconds).

Check boxes - The group of 7 check boxes performs quick filtering or display modification.

Names - Use names rather than numeric values where possible. When this box is checked WhatRoute will use DNS to transform IP addresses to names and also substitute strings for items such as port/services, protocols etc.

Merge - By the strict definition of a flow, packets sent to a host are in a different flow than packets being received from a host. Checking Merge relaxes this rule and the forward and reverse flows are combined into a single entry.

Interface - Select the network interface to monitor. This cannot be changed while the monitor is running and the control will be disabled. You must stop the monitor if you wish to change monitoring from e.g. Ethernet to Wi-Fi.

Promiscuous - aka slutty. If checked, all packets visible to the interface will be collected. When unchecked, only packets specifically to or from your computer are collected.
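
The flow definition, the Merge option and the Inactive timeout described above can be sketched in a few lines of Python. This is an added example, not WhatRoute's own code: the packet records are constructed sample data, and the names flow_key and build_flows and the way the timeout is measured (against the newest packet seen) are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed sample packets: time (s), source, destination, protocol, ports, size (bytes).
Packet = namedtuple("Packet", "ts src dst proto sport dport size")

SAMPLE = [
    Packet(0.0, "192.0.2.10", "198.51.100.5", "tcp", 51514, 443, 517),
    Packet(0.1, "198.51.100.5", "192.0.2.10", "tcp", 443, 51514, 1400),
    Packet(0.2, "192.0.2.10", "198.51.100.5", "tcp", 51514, 443, 126),
    Packet(1.0, "192.0.2.10", "203.0.113.53", "udp", 60000, 53, 60),
    Packet(1.1, "203.0.113.53", "192.0.2.10", "udp", 53, 60000, 180),
    Packet(40.0, "192.0.2.10", "198.51.100.5", "tcp", 51514, 443, 90),
]

def flow_key(pkt, merge):
    """Strict key is the directed 5-tuple; the merged key ignores direction."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    if merge and b < a:
        a, b = b, a  # put the endpoints in a fixed order so both directions match
    return (pkt.proto, a, b)

def build_flows(packets, merge=False, inactive=None):
    """Summarise packets per flow; optionally discard flows with no activity
    for more than `inactive` seconds before the newest packet (assumed rule)."""
    flows = {}
    for pkt in packets:
        key = flow_key(pkt, merge)
        flow = flows.setdefault(key, {"packets": 0, "bytes": 0, "last": pkt.ts})
        flow["packets"] += 1
        flow["bytes"] += pkt.size
        flow["last"] = pkt.ts
    if inactive is not None and packets:
        now = max(p.ts for p in packets)
        flows = {k: f for k, f in flows.items() if now - f["last"] <= inactive}
    return flows

if __name__ == "__main__":
    for merge in (False, True):
        print("Merge checked" if merge else "Merge unchecked")
        for key, flow in build_flows(SAMPLE, merge=merge).items():
            print("  ", key, flow["packets"], "packets,", flow["bytes"], "bytes")
```

With the sample data the strict definition yields four flows and the merged view two. A 30 second timeout leaves only the TCP conversation in both views, but in the strict view its reply direction expires separately while the merged entry survives as a whole.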

Table Header (column titles)
The table follows normal macOS data table conventions.
Sorting - Click a column title to sort the table either ascending or descending by the value in that column.

Reordering - Click-drag a column title to move it either left or right in the display.

Showing/Hiding columns - Right click (ctrl-click) anywhere in the table column titles to display a popup menu of visible and hidden fields. After selecting a hidden field you may wish to reorder the columns or resize the window to bring the newly selected field into view.

The columns menu is also available in View/Flow Columns.

The column titles should be self-explanatory. Please email me at bryan@whatroute.net if further explanation is required.

Table Body
Right clicking (ctrl-click) on the value in certain columns will reveal a popup menu of actions that may be taken.
For example, if you right click on a host name or IP address, you can execute a command such as whois to find out more about that address/host.

You may wish to Pause updates before performing this analysis.


Copyright © 2016 - 2017 B.R. Christianson (bryan@whatroute.net)