I put my computer’s internet traffic on a map, and I didn’t expect what I found

I already keep a close eye on any suspicious connections using Sysinternals tools like TCPView, but a list of processes, IP addresses, ports, and remote hosts only tells a small, kind of boring part of the story. It shows what’s connected, not where those connections lead or where they came from.

That’s why I tried TapMap, a local tool that plots my active network connections on a world map and organizes them by app, provider, country, and port. I expected to see a slightly prettier version of the same port and socket data I routinely check. Instead, I got a clear picture of just how many places around the world the packets that flow to and from my seemingly boring laptop actually visit.

I had to give TapMap its map data before it became useful

The app was easy to launch, but the dots needed a little help

Installing TapMap on Windows is simple enough. Just download from the official GitHub repository, unzip, and run tapmap.exe. When I launched it for the first time, a small local Flask web app opened in my browser at 127.0.0.1:8050. My first impression was that it definitely wasn’t a typical network monitoring tool. It was more like a local dashboard built around live socket data and an interactive map.

Unfortunately, the first run wasn’t very helpful because the GeoIP databases were missing. TapMap needs local GeoLite2 database files so it can turn all those remote IP addresses from boring text into lines that stretch across a globe. Those files come from MaxMind, the very same company that’s trusted around the world to accurately pinpoint your geolocation via an IP address.

The two files I needed were:

• GeoLite2-City.mmdb
• GeoLite2-ASN.mmdb

After creating a free account with MaxMind, downloading and extracting the database files, I placed them both in TapMap’s data folder (\AppData\Roaming\TapMap) and used the app’s database recheck option. As soon as TapMap found them, the map started filling in properly and fast.

It was a little annoying, but I realized that’s actually how the app worked. TapMap reads local socket information, checks the remote IPs against the local database I downloaded, and renders the results in a cool browser-based dashboard.

The map did not show websites the way I expected

It showed the infrastructure my laptop was actually reaching

I expected TapMap to act sort of like a travel map for my connections. If I opened a site with a ".com.au" ccTLD (country-code Top Level Domain), then I should see a neat little line extending from my location to Australia. That’s not exactly what happened, and that incorrect assumption is actually the more interesting part of how the internet actually works.

TapMap doesn’t map website brands, company headquarters, or where I imagined a site would be hosted. It mapped active socket connections from my laptop to remote IP addresses. A socket is basically one live network conversation between my computer and another machine. So, once TapMap found those remote IPs, it checked them against the local GeoIP database and plotted out the result.

That meant the tool wasn’t mapping out the website name, but the infrastructure behind it. A site might look local because of its branding or audience, but connections can point to:

• A content delivery network (CDN) like CloudFlare.
• A regional edge server.
• A DNS service.
• An analytics provider.
• A cloud or shared hosting provider.
• An update endpoint

That changed how I read the map. Because a line to another country didn’t actually mean I had connected to a website, but just one layer of the infrastructure that served the page.

Interestingly, these lines started getting mapped as soon as the app was opened. My laptop seemed idle, but TapMap definitely disagreed. And even though I was browsing different pages and trying to connect to as many remote services as possible, most of the time I saw the same repeated connections to the same providers.

I created some clean test traffic to understand how the map logged connection locations

Random websites mostly showed CDNs, so I tried more deliberate connections

After a while, I was getting frustrated with seemingly every website and app using CDNs and not creating any new links, so I decided to force the issue. I noticed the Australian Bureau of Metrology website gave me a clean result and a link on the map, which gave me an idea to try NTP servers.

NTP servers are used for time synchronization, so the country pools should give TapMap something different from ordinary traffic shuffled through CDNs by querying them. I had luck with the Australian, Japanese, and Singaporean pools, which worked well enough to add their points to the map:

w32tm /stripchart /computer:au.pool.ntp.org /samples:20 /dataonly 
w32tm /stripchart /computer:jp.pool.ntp.org /samples:20 /dataonly 
w32tm /stripchart /computer:sg.pool.ntp.org /samples:20 /dataonly 

Sure enough, I got some hits with these. I tried again with websites that should abide by data sovereignty laws, specifically, universities. A few hits on .edu domains from Brazil, Argentina, Nigeria, and South Africa did the trick, with more lines populating the map.

The Insights panel was more useful than the map itself

The map delivered the visuals, but the summaries made the traffic easier to understand

The map is a great little tool to visualize how your computer makes connections across the world. But it was the insights panel that made me keep the tool running long after the novelty of the map wore off.

The insights and the Daily Activity Report are built from your network activity over a rolling 30-day period. After a while, it starts to collect a lot more useful information than what you can get from the map alone.

The Daily Activity Report summarizes application recurrence patterns and shows provider concentrations. It can also visualize country activity and generate activity logs with clear timelines. Basically, it helps separate the servers your computer talks to once from those it talks to repeatedly.

A one-off connection might be just a browser tab pulling down assets from a CDN, or an app installer checking a download server. Recurring activity can be something as simple as a sync client contacting the same provider, or an updater that keeps phoning home.

Recurring activity isn’t inherently bad, but it’s definitely worth checking when the pattern doesn’t align with what I’m doing. For example, I investigated a few of these:

• An unknown process was continually connecting to a remote provider in Sweden. It was just an apple process I initially didn’t recognize.
• Traffic that started hitting China immediately after I installed an app. This ended up being an advertisement for Air China.
• A local port listening that I didn’t recognize at first, but then remembered I was running a game server from earlier.
• The mstsc.exe process uses an unusual port, but it was just a connection to a local VM.

So, in each of these cases, there was nothing really malicious, but it still pays to use tools like TapMap to weed out any possible dodgy connections.

I’ll definitely use TapMap again, but I won’t use it as a panic button

It made my traffic visible, not automatically suspicious

TapMap was brilliant and very informative about the infrastructure that websites and services use around the world. But it doesn’t replace a firewall, DNS filter, packet analyzer, or a proper network monitor. It didn’t tell me whether every connection was good or bad, and it didn’t prove that every single map marker warranted investigation.

What it did was simpler and quite useful. It made invisible background traffic visible so I could see which apps were talking, which providers were hit the most, and which ports were involved. That gave me a much better feel for what my laptop was doing when I was just using it normally.

While I didn’t find any shocking secret connections, I did find that normal computer traffic is already super busy and easy to ignore unless something like TapMap puts it on a map. Combined with investigation and monitoring tools like Sysmon, the tool is a powerful method for investigating any connections I become concerned about.