As part of my investigation I broke out an old tool of mine, SimpleSniffer. While using it, I was reminded how much network traffic is encrypted - pretty much everything these days. Here is a partial screen grab of a Terminal window running SimpleSniffer. It shows the destination IP, destination port, and destination host names (captured via DNS analysis). Look at all that 443 traffic. (click on image to blow it up):
If you are curious, below is a full view of the Terminal window. The left column shows the application that generated the network traffic - a neat little Easter Egg Apple throws into its tcpdump data. Each line only shows the first connection to the destination, so the view provides a nice summary of all the different destinations your computer is visiting.
Most of the traffic is generated by WebKit, which is used by a number of applications to download and display HTML content from the Internet.
Out of curiosity I rebooted my Mac, logged in and only started the Terminal app in order to run SimpleSniffer. Below is a screenshot of the various applications generating network traffic behind the scenes. Your computer is often doing a lot of things on the network that you probably have no idea about.
One final observation/question: Why is an application called “trustd” pretty much the only application using unencrypted HTTP (port 80) network connections?