Network Logs

The Network Logs pane provides real-time monitoring of network events through packet capture and system monitoring. Located on the right side of the main window, it displays a scrolling log of network activity with color-coded event types.

Overview

Network Logs capture and display various network events in real-time, including:

  • Protocol operations (ARP, DHCP, DNS, LLDP, CDP, 802.1X)
  • Wi-Fi events (roaming, signal changes)
  • Interface changes (IP address modifications)
  • Ping monitor status changes
  • System events

All events include timestamps and are color-coded by type for easy scanning.

Active Monitoring

BPF Permission Requirement

To enable full network monitoring, PingStalker requires BPF (Berkeley Packet Filter) access. Without it, a warning banner appears:

Warning Message: "Active monitoring not running. Click here to install ChmodBPF."

Click the banner to install the ChmodBPF utility, which grants the necessary permissions.

After Installation: Restart PingStalker for changes to take effect.

Monitored Packets

With BPF access, PingStalker captures:

  • ARP - Address Resolution Protocol requests and replies
  • DHCP - DHCP Discover, Offer, Request, and ACK messages
  • LLDP - Link Layer Discovery Protocol frames
  • CDP - Cisco Discovery Protocol frames
  • 802.1X - EAP authentication packets
  • ICMP - Internet Control Message Protocol (ping-related)

Privacy Note: Packet capture is local only. No data is transmitted outside your Mac.

Log Event Types

Each event type is color-coded for quick identification:

LLDP/CDP Events (Blue)

What: Neighbor discovery information from switches, routers, and access points

Examples:

  • "LLDP: Neighbor discovered - Switch-01 on port GigabitEthernet1/0/24"
  • "CDP: Neighbor - cisco-ap-2702i on port FastEthernet0"

When You'll See It:

  • When connected to managed switches or enterprise access points
  • Periodically as devices re-announce themselves (typically every 30-60 seconds)

Use Case: Identify which switch port you're plugged into, verify VLAN configuration

See: Interface Details → Neighbor Discovery

ARP Events (Purple)

What: Address Resolution Protocol operations mapping IP addresses to MAC addresses

Examples:

  • "ARP: Who has 192.168.1.1? Tell 192.168.1.50"
  • "ARP: 192.168.1.1 is at 00:11:22:33:44:55"
  • "ARP: Reply from 192.168.1.100 (Cisco Systems)"

When You'll See It:

  • Device communication starts (first time contacting a host)
  • ARP cache expires (typically every 5-20 minutes)
  • During network scans

Use Case: Monitor which devices are communicating, detect ARP spoofing attempts
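
One way to act on the ARP spoofing use case, as an added example (not PingStalker code): the script reads copied ARP log entries and reports every time an IP address is announced from a different MAC address than before. Only the "ARP: <ip> is at <mac>" wording comes from the examples above; the timestamp prefix, function names and sample lines are constructed.

```python
import re

# Message wording follows the page's ARP example; the timestamp prefix is an
# assumption, so the pattern searches anywhere in the line.
ARP_IS_AT = re.compile(
    r"ARP: (\d{1,3}(?:\.\d{1,3}){3}) is at ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

def arp_mapping_changes(lines):
    """Return (line_no, ip, old_mac, new_mac) each time an IP moves to another MAC."""
    last_mac = {}  # ip -> MAC most recently announced for it
    changes = []
    for line_no, line in enumerate(lines, start=1):
        match = ARP_IS_AT.search(line)
        if not match:
            continue  # requests, vendor-only replies and other event types
        ip, mac = match.group(1), match.group(2).lower()
        previous = last_mac.get(ip)
        if previous is not None and previous != mac:
            changes.append((line_no, ip, previous, mac))
        last_mac[ip] = mac
    return changes

def flapping_ips(changes, threshold=2):
    """IPs whose mapping changed at least `threshold` times (two hosts competing)."""
    counts = {}
    for _, ip, _, _ in changes:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Constructed sample entries (not captured from a real network).
SAMPLE_LOG = """\
09:15:02 ARP: Who has 192.168.1.1? Tell 192.168.1.50
09:15:02 ARP: 192.168.1.1 is at 00:11:22:33:44:55
09:15:40 ARP: 192.168.1.100 is at AA:BB:CC:00:00:01
09:17:31 ARP: 192.168.1.1 is at AA:BB:CC:DD:EE:FF
09:17:33 ARP: 192.168.1.1 is at 00:11:22:33:44:55
09:17:35 DHCP: Request for 192.168.1.50
""".splitlines()

if __name__ == "__main__":
    changes = arp_mapping_changes(SAMPLE_LOG)
    for line_no, ip, old, new in changes:
        print(f"line {line_no}: {ip} moved from {old} to {new}")
    print("flapping:", flapping_ips(changes))
```

A single change is a lead rather than proof, since DHCP reassignment or gateway failover also moves an IP to a new MAC. Repeated flapping of the gateway address between two MACs deserves a closer look.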

ICMP Events (Cyan)

What: Internet Control Message Protocol events, primarily ping-related

Examples:

  • "ICMP: Echo request to 8.8.8.8"
  • "ICMP: Echo reply from 1.1.1.1 (12ms)"
  • "ICMP: Destination unreachable from 192.168.1.1"

When You'll See It:

  • Ping Monitor operations
  • Network troubleshooting tools (ping, traceroute)
  • Router error notifications

Use Case: Track ping activity, diagnose connectivity problems

DHCP Events (Orange)

What: Dynamic Host Configuration Protocol transactions for IP address assignment

Examples:

  • "DHCP: Discover from 00:11:22:33:44:55"
  • "DHCP: Offer - 192.168.1.50 from server 192.168.1.1"
  • "DHCP: Request for 192.168.1.50"
  • "DHCP: ACK - 192.168.1.50 assigned (lease: 24 hours)"

When You'll See It:

  • Interface connects to network (initial boot, cable plugged in, Wi-Fi connected)
  • DHCP lease renewal (T1 time, typically 50% of lease duration)
  • DHCP lease rebinding (T2 time, typically 87.5% of lease duration)

Use Case: Verify DHCP is working, troubleshoot IP assignment issues, monitor lease renewals

See: Interface Details → DHCP Information

DNS Events (Teal)

What: Domain Name System monitoring and query performance

Examples:

  • "DNS: Querying 8.8.8.8 for www.example.com"
  • "DNS: Response from 1.1.1.1 (15ms) - www.example.com = 93.184.216.34"
  • "DNS: Slow response from 192.168.1.1 (1250ms)"
  • "DNS: Query failed - 8.8.8.8 timeout"

When You'll See It:

  • When DNS Monitoring is enabled in Settings → Monitoring
  • Every 60 seconds for each configured DNS server
  • After network changes

What's Monitored:

  • Query response time (logs if > 1000ms)
  • Query failures/timeouts
  • All configured DNS servers

Use Case: Identify slow or failing DNS servers, troubleshoot name resolution issues

Configuration: Enable/disable in Settings → Monitoring → DNS Monitoring

Wi-Fi Events (Green)

What: Wireless network events and status changes

Examples:

  • "Wi-Fi: Connected to NetworkName (00:11:22:33:44:55)"
  • "Wi-Fi: Signal strength -65 dBm (Good)"
  • "Wi-Fi: Roaming to new AP - BSSID changed from AA:BB:CC:DD:EE:FF to 11:22:33:44:55:66"
  • "Wi-Fi: Channel changed from 36 to 149"
  • "Wi-Fi: Disconnected from NetworkName"

When You'll See It:

  • Connecting/disconnecting from Wi-Fi networks
  • Roaming between access points (enterprise/mesh networks)
  • Signal strength changes (threshold-based logging)
  • Channel changes

Use Case: Monitor Wi-Fi roaming behavior, track connection stability, diagnose signal issues

See: Interface Details → Wireless Details

802.1X Events (Pink)

What: Enterprise wireless/wired authentication using EAP (Extensible Authentication Protocol)

Examples:

  • "802.1X: EAP-Request/Identity"
  • "802.1X: EAP-Response/Identity"
  • "802.1X: EAP-Success"
  • "802.1X: EAP-Failure"

When You'll See It:

  • Connecting to enterprise WPA2-Enterprise or WPA3-Enterprise Wi-Fi
  • Connecting to wired networks with 802.1X port security
  • Re-authentication events (periodic or policy-driven)

Use Case: Troubleshoot enterprise authentication, verify proper EAP configuration

PING Events (Gray/Green/Red)

What: Ping Monitor host status changes

Examples:

  • "PING: 1.1.1.1 (Cloudflare DNS) is up (12ms)"
  • "PING: 192.168.1.1 (Gateway) is down"
  • "PING: Added 192.168.1.50 (Office Printer) to monitor"
  • "PING: Removed 8.8.8.8 from monitor"

Color Coding:

  • Green: Host is up
  • Red: Host is down
  • Gray: Monitor management (add/remove/label)

When You'll See It:

  • Host status changes in Ping Monitor
  • Adding/removing hosts from monitor
  • Setting host labels

Use Case: Track host availability changes, correlate with other network events

IP Events (Indigo)

What: IP address configuration changes

Examples:

  • "IP: Address changed from 192.168.1.50 to 192.168.1.100"
  • "IP: Public IP changed from 203.0.113.50 to 203.0.113.51"
  • "IP: Interface en0 configured with 10.0.0.5"

When You'll See It:

  • DHCP lease renewal with different IP
  • Network changes (switching networks)
  • VPN connections/disconnections
  • Public IP address changes (detected by internet details monitoring)

Use Case: Track when your IP address changes, diagnose network configuration issues

See: Interface Details → IP Change Detection

SYS Events (Secondary Color)

What: System-level network events

Examples:

  • "SYS: Interface en0 link up"
  • "SYS: Interface en0 link down"
  • "SYS: Default route changed to en1"
  • "SYS: Network configuration changed"

When You'll See It:

  • Ethernet cable plugged in/unplugged
  • Wi-Fi enabled/disabled
  • Network services reordered
  • VPN connections

Use Case: Diagnose physical connectivity, track interface state changes

VLAN Detection

When VLANs (Virtual LANs) are detected on your interface, a banner appears at the bottom of the Network Logs:

Banner Message: "VLANs detected on this interface"

Information Shown:

  • Native VLAN number
  • Tagged VLANs (if any)

When You'll See It:

  • Connected to managed switch with VLAN configuration
  • LLDP or CDP packets include VLAN information

See: Interface Details → Neighbor Discovery for VLAN details

Log Management

Searching Logs

Use the search box at the top of the Network Logs pane to filter events:

Search Behavior:

  • Real-time filtering: Results update as you type
  • Case-insensitive: "dhcp" matches "DHCP"
  • Partial matching: "192.168" matches all 192.168.x.x addresses
  • Type filtering: "ARP" shows only ARP events
  • Content searching: Searches entire log message

Search Examples:

  • 192.168.1.1 - Find all events related to this IP
  • DHCP - Show only DHCP events
  • down - Find all "down" events (host down, link down)
  • Cloudflare - Find events mentioning Cloudflare
  • Wi-Fi - Show all wireless events

Clearing Logs

To clear all logged events:

  1. Look for the Clear Logs button (typically in the footer or Network Logs header)
  2. Click Clear Logs
  3. All events are removed from the display

Note: Clearing logs does not stop monitoring—new events continue to appear.

Use Case: Start fresh when troubleshooting, reduce clutter during long monitoring sessions

Copying Log Entries

To copy individual log entries to the clipboard:

  1. Right-click a log entry
  2. Select Copy from the context menu
  3. The full log entry is copied (timestamp + type + message)

Use Case: Share specific events, paste into trouble tickets, document issues

Usage Scenarios

Troubleshooting DHCP Issues

  1. Clear logs for a clean view
  2. Disconnect and reconnect network (unplug cable or toggle Wi-Fi)
  3. Watch for DHCP sequence:
       • Discover (client broadcasts request)
       • Offer (server offers IP address)
       • Request (client requests offered IP)
       • ACK (server confirms assignment)
  4. If sequence fails, identify which step fails

  • Missing Discover? → Interface not sending DHCP requests
  • Missing Offer? → No DHCP server responding
  • Missing ACK? → DHCP server rejecting request
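
The four-step check above can be run over copied log entries; this is an added example, not PingStalker code. Event wording follows the DHCP examples on this page and the sample lines are constructed. The diagnosis for a missing Request and the Request/ACK-only case (a client re-confirming a lease it already holds) are additions the page does not cover.

```python
import re

# Event wording follows the page's DHCP examples; any timestamp prefix is ignored.
DHCP_MSG = re.compile(r"DHCP: (Discover|Offer|Request|ACK)\b")
STEPS = ["Discover", "Offer", "Request", "ACK"]
# Diagnoses for Discover, Offer and ACK are the page's; the Request one is added here.
DIAGNOSIS = {
    "Discover": "Interface not sending DHCP requests",
    "Offer": "No DHCP server responding",
    "Request": "Client never requested the offered address",
    "ACK": "DHCP server rejecting request",
}

def _in_order(events, wanted):
    """Index of the first element of `wanted` not found in order, or None."""
    pos = 0
    for i, step in enumerate(wanted):
        try:
            pos = events.index(step, pos) + 1
        except ValueError:
            return i
    return None

def check_dhcp_sequence(lines):
    """Return (missing_step, explanation); missing_step is None when a lease was obtained."""
    events = [m.group(1) for line in lines if (m := DHCP_MSG.search(line))]
    if "Discover" not in events and _in_order(events, ["Request", "ACK"]) is None:
        # A client that still holds a lease may skip Discover/Offer (RFC 2131).
        return None, "Request/ACK only: existing lease re-confirmed"
    missing = _in_order(events, STEPS)
    if missing is None:
        return None, "Complete Discover/Offer/Request/ACK exchange"
    step = STEPS[missing]
    return step, DIAGNOSIS[step]

# Constructed sample: the client keeps broadcasting and nothing answers.
NO_SERVER = [
    "10:01:00 SYS: Interface en0 link up",
    "10:01:01 DHCP: Discover from 00:11:22:33:44:55",
    "10:01:05 DHCP: Discover from 00:11:22:33:44:55",
]

if __name__ == "__main__":
    print(check_dhcp_sequence(NO_SERVER))
```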

Monitoring Wi-Fi Roaming

  1. Walk around with a laptop on enterprise/mesh Wi-Fi
  2. Watch for "Wi-Fi: Roaming to new AP" events
  3. Check timestamps to see how often roaming occurs

Use Case: Validate mesh network performance, identify roaming dead spots

Identifying Chatty Devices

  1. Clear logs
  2. Leave PingStalker running for 5-10 minutes
  3. Search for specific device IP addresses
  4. Count how many events each device generates

Use Case: Find devices generating excessive ARP requests, DHCP renewals, or other traffic

Detecting Network Issues

Watch for patterns:

  • Frequent DHCP Renewals → Possible DHCP server issue or short lease times
  • Repeated ARP Requests with No Reply → Device offline or network segmentation issue
  • DNS Timeouts → DNS server problems or network congestion
  • Frequent Wi-Fi Signal Changes → Interference or AP placement issues
  • EAP Failures → 802.1X authentication configuration problem

Monitoring Specific Device

  1. Run a Network Scan to discover device
  2. Note its IP and MAC address
  3. Search for that IP in Network Logs
  4. Monitor its ARP activity, DHCP renewals, etc.

Use Case: Troubleshoot specific device connectivity, verify device is online

Privacy Considerations

Local Monitoring Only

All packet capture is local:

  • No data transmitted off your Mac
  • No cloud logging
  • No analytics sent to external servers

Sensitive Information

Network logs may contain:

  • IP addresses (local and remote)
  • MAC addresses
  • Hostnames
  • DNS queries (revealing browsing)

Use Privacy Mode: Enable Privacy → Data Obfuscation before taking screenshots or sharing logs.

Network Impact

PingStalker's monitoring is passive:

  • Captures packets but doesn't generate traffic (except Ping Monitor and DNS Monitoring)
  • No performance impact on your network
  • Safe to run continuously

The Network Logs provide essential real-time visibility into network operations. Combine with Ping Monitor for availability tracking and Interface Details for configuration information to get a complete picture of your network status.