NetScope: A Native macOS Network Scanner Built with Swift and SwiftUI

Romi Nur Ismanto

Independent AI Research Lab, Jakarta, Indonesia

rominur@gmail.com

April 2026

Abstract

We present NetScope, a native macOS network scanner built from the ground up with Swift 5.9 and SwiftUI. Unlike Electron-wrapped or web-based alternatives, NetScope leverages Apple’s Network.framework, CoreWLAN, BSD sockets, and SystemConfiguration to deliver high-performance network discovery, TCP port scanning, ICMP diagnostics, continuous monitoring, and multi-format reporting — all within a privacy-respecting, sandboxed application. The tool integrates six modules (My Device, Discovery, Port Scanner, Ping & Traceroute, Monitor, Reports) into a NavigationSplitView three-column interface with SwiftData persistence, Swift Charts visualization, and XPC-based privileged helper for raw socket operations. NetScope supports macOS 14+ (Sonoma) on both Apple Silicon and Intel architectures, requires no external dependencies, collects no telemetry, and operates entirely offline after installation. Distributed as a native .dmg under the MIT license.

Keywords: network scanner, macOS, Swift, SwiftUI, Network.framework, port scanning, ICMP, device discovery, Bonjour, mDNS, network monitoring, privacy

1. Introduction

Network scanning and device discovery are fundamental tasks for system administrators, security professionals, and developers managing local infrastructure. While command-line tools such as nmap, arp-scan, and ping remain powerful, they require terminal proficiency and often lack visual feedback for non-technical stakeholders. Existing GUI alternatives on macOS frequently rely on Electron wrappers, introducing significant memory overhead and non-native user experiences.

NetScope addresses this gap by providing a fully native macOS application built exclusively with Swift and SwiftUI. By leveraging Apple’s first-party frameworks — Network.framework for TCP/UDP connections, CoreWLAN for wireless metadata, SystemConfiguration for network interface enumeration, and BSD sockets via an XPC privileged helper for ICMP operations — NetScope achieves performance characteristics unattainable by cross-platform wrappers while maintaining the visual polish and accessibility standards expected of macOS applications.

The primary contributions of this work are:

A six-module native network scanner delivering device discovery, port scanning, diagnostics, monitoring, and reporting in a single cohesive application.
A layered MVVM architecture with Actor-based concurrency ensuring thread-safe network operations without data races.
XPC-based privilege separation enabling raw ICMP socket access while maintaining App Sandbox security.
Zero-dependency, zero-telemetry design prioritizing user privacy and offline operation.
Bilingual localization (English and Indonesian) with full keyboard accessibility.

2. System Architecture

NetScope follows a layered MVVM (Model-View-ViewModel) architecture that cleanly separates concerns across five distinct layers:

SwiftUI Views → @MainActor ViewModels → Actor Services → Network Layer → SwiftData Persistence

2.1 Presentation Layer

The UI is built entirely with SwiftUI, utilizing NavigationSplitView for a three-column layout: sidebar navigation, device/result list, and detail inspector. Each module occupies its own view hierarchy, enabling independent state management and lazy loading. The dark-mode-first design adapts automatically to system appearance settings.

2.2 ViewModel Layer

ViewModels are annotated with @MainActor and conform to ObservableObject, publishing state changes to SwiftUI views via @Published properties. Each module has a dedicated ViewModel that orchestrates its service layer interactions and manages UI state (loading indicators, error presentation, result sorting).

2.3 Service Layer

Network operations are encapsulated in Swift Actors, ensuring thread-safe concurrent access without explicit locking. Services expose AsyncStream interfaces for real-time result streaming — enabling the UI to display discovered devices and scan results as they arrive rather than waiting for batch completion.

2.4 Network Layer

The network layer integrates multiple Apple frameworks:

Table 1: Framework Integration
Framework	Purpose	Module
Network.framework	TCP connections, TLS inspection, NWBrowser	Discovery, Port Scanner
CoreWLAN	Wi-Fi SSID, BSSID, channel, RSSI	My Device
SystemConfiguration	Interface enumeration, gateway detection	My Device, Discovery
BSD Sockets (via XPC)	Raw ICMP packets for ping/traceroute	Ping & Traceroute
dnssd / NWBrowser	Bonjour/mDNS service browsing	Discovery

2.5 Persistence Layer

SwiftData provides local persistence for scan history, device profiles, monitoring events, and user preferences. The schema supports versioned migrations, ensuring data integrity across application updates. All data remains on-device with no cloud synchronization.

3. Module Descriptions

3.1 My Device

Displays comprehensive local system information: all network interfaces (en0, en1, utun*, bridge*) with IPv4/IPv6 addresses, subnet masks, and MAC addresses; default gateway and DNS servers; Wi-Fi details (SSID, BSSID, channel, band, RSSI, noise, PHY mode); and system metadata (hostname, macOS version, hardware model, uptime). Data is refreshed on-demand or automatically when network configuration changes via SCDynamicStore notifications.

3.2 Discovery

Network-wide device scanning combines three complementary techniques:

TCP Knock Scan: Rapid connection attempts to common ports (22, 80, 443, 445, 548, 3389, 5000, 8080) across the local subnet, using concurrent NWConnection instances with short timeouts.
ARP Table Reading: Parsing the system ARP cache via sysctl to identify recently-seen MAC addresses and their IP mappings.
Bonjour/mDNS Browsing: Enumerating 14+ service types (_http._tcp, _ssh._tcp, _smb._tcp, _airplay._tcp, _printer._tcp, etc.) to discover advertised services.

Discovered devices are enriched with OUI vendor lookup (IEEE MA-L database), reverse DNS resolution, and fingerprinting heuristics based on open ports and service advertisements. Results are displayed in a sortable, filterable table with device type icons.

3.3 Port Scanner

TCP connection scanning with configurable port ranges: Top 100, Top 1000 (IANA), or custom ranges. The scanner utilizes over 100 concurrent NWConnection probes with adaptive timeout scaling. For open ports, NetScope performs:

Banner Grabbing: Reading initial service responses to identify software versions.
HTTP Header Extraction: Sending minimal GET requests to web ports for server identification.
TLS Certificate Inspection: Extracting certificate subject, issuer, validity dates, and SANs for HTTPS ports.

3.4 Ping & Traceroute

ICMP echo request/reply via the XPC privileged helper, which holds the necessary raw socket entitlements. Features include configurable packet count, payload size, interval, and TTL. Traceroute implements incremental TTL probing with three probes per hop, displaying RTT statistics and intermediate router addresses. The DNS query tool supports A, AAAA, MX, NS, CNAME, TXT, and SRV record types using dnssd APIs.

3.5 Monitor

Continuous device polling with configurable intervals (default 30 seconds). Tracks device reachability state transitions (online/offline) and triggers macOS notifications via UserNotifications framework. Maintains a 24-hour rolling event history with Swift Charts visualization showing availability timelines. Supports threshold-based alerts for latency degradation and packet loss.

3.6 Reports

Multi-format export engine supporting:

Table 2: Export Formats
Format	Implementation	Use Case
CSV	Native String formatting	Spreadsheet analysis
JSON	Codable + JSONEncoder	API integration, archival
HTML	Template-based rendering	Browser viewing, email
PDF	Core Graphics + PDFKit	Professional reports, printing

Reports include scan metadata (timestamp, duration, scope), device summaries, port details, and latency statistics. The print functionality integrates with macOS system print dialog for direct printer output.

4. Security Architecture

NetScope implements defense-in-depth security:

App Sandbox: Enabled with minimal entitlements (network client, network server for listening during scans).
XPC Privilege Separation: Raw socket operations (ICMP) are isolated in a privileged helper installed via SMJobBless. The main application communicates with the helper through a validated XPC connection with code signing requirements.
Code Signing Validation: Both the main app and XPC helper validate each other’s code signing identity before establishing communication.
No Telemetry: Zero network communication beyond the user-initiated scan operations. No analytics, crash reporting, or update checks.
Local-Only Storage: All data persists exclusively in the application’s sandboxed container via SwiftData.

5. Concurrency Model

NetScope leverages Swift’s structured concurrency throughout:

TaskGroup: Manages concurrent port scanning probes with bounded parallelism (max 100 concurrent connections).
AsyncStream: Delivers real-time scan results from service actors to ViewModels without polling.
Actor Isolation: Service-layer actors guarantee thread-safe state mutation without locks or dispatch queues.
Task Cancellation: Cooperative cancellation propagates through the task hierarchy when users stop scans or navigate away.
MainActor: UI state mutations are guaranteed to occur on the main thread via ViewModel annotations.

6. Technology Stack

Table 3: Complete Technology Stack
Layer	Technology	Version
Language	Swift	5.9
UI Framework	SwiftUI	macOS 14+
Persistence	SwiftData	1.0
Visualization	Swift Charts	1.0
Networking	Network.framework	macOS 14+
Wireless	CoreWLAN	macOS 14+
Configuration	SystemConfiguration	macOS 14+
Privileged Ops	XPC + SMJobBless	macOS 14+
Build System	XcodeGen	2.38+
Localization	String Catalogs	Xcode 15+

7. Build and Distribution

The project uses XcodeGen with a declarative project.yml configuration, eliminating Xcode project file merge conflicts in version control. The build pipeline produces a universal binary (arm64 + x86_64) distributed as a signed .dmg disk image. Installation follows the standard macOS drag-to-Applications pattern.

System requirements are minimal: macOS 14.0 (Sonoma) or later. The application consumes approximately 15–25 MB of RAM at idle and scales linearly with active scan scope. No external runtime dependencies are required — all functionality ships within the application bundle.

8. Keyboard Accessibility

NetScope provides comprehensive keyboard shortcuts for all major operations:

Table 4: Keyboard Shortcuts
Shortcut	Action
Cmd+1 through Cmd+6	Switch between modules
Cmd+R	Start/refresh scan
Cmd+.	Stop current operation
Cmd+E	Export results
Cmd+F	Filter/search results
Cmd+,	Preferences

9. Comparison with Existing Tools

Table 5: Comparison with Alternative Network Scanners
Feature	NetScope	nmap (CLI)	Angry IP Scanner	LanScan
Native macOS UI	Yes (SwiftUI)	No (Terminal)	No (Java)	Yes (AppKit)
Zero Dependencies	Yes	No (libpcap)	No (JRE)	Yes
Port Scanning	Yes + TLS inspect	Yes (advanced)	Basic	No
Continuous Monitor	Yes (alerts)	No	No	No
Report Export	CSV/JSON/HTML/PDF	XML/text	CSV/TXT	CSV
ICMP Ping/Trace	Yes	Yes	Yes (ping only)	No
Privacy (No Telemetry)	Yes	Yes	No (updates)	Unknown
App Sandbox	Yes	N/A	No	Yes
Localization	EN + ID	EN only	Multi	EN only

10. Future Work

Several enhancements are planned for subsequent releases:

Network Topology Mapping: Visual graph rendering of discovered devices and their interconnections using SpriteKit or SceneKit.
Vulnerability Scanning: Integration of CVE database lookups based on detected service banners and versions.
Scheduled Scans: Background scan scheduling with LaunchAgent integration for periodic network auditing.
SNMP Support: Device interrogation via SNMP v2c/v3 for enhanced hardware and configuration discovery.
Wi-Fi Analysis: Channel utilization mapping, signal strength heatmaps, and interference detection.
Diff Reports: Comparison between scan snapshots to detect network topology changes over time.

11. Conclusion

NetScope demonstrates that native macOS development with Swift and SwiftUI can deliver professional-grade network analysis tools without sacrificing performance for cross-platform compatibility. By leveraging Apple’s Network.framework, structured concurrency, and XPC privilege separation, NetScope achieves the responsiveness of command-line tools with the accessibility of a modern graphical interface. The zero-dependency, zero-telemetry architecture ensures that network professionals can trust the tool with sensitive infrastructure data while maintaining full App Sandbox security guarantees.

The application is open-source under the MIT license, inviting community contributions for additional protocol support, platform-specific optimizations, and localization expansions.

References

Apple Inc. "Network.framework Documentation." Apple Developer, 2024. https://developer.apple.com/documentation/network
Apple Inc. "SwiftUI Overview." Apple Developer, 2024. https://developer.apple.com/xcode/swiftui/
Apple Inc. "SwiftData Documentation." Apple Developer, 2024. https://developer.apple.com/documentation/swiftdata
Apple Inc. "Daemons and Services Programming Guide — XPC." Apple Developer, 2023.
Lyon, G. F. "Nmap Network Scanning: The Official Nmap Project Guide." Nmap Project, 2009.
IEEE Standards Association. "IEEE MA-L Public Listing (OUI Database)." https://standards-oui.ieee.org/
Apple Inc. "CoreWLAN Framework." Apple Developer, 2024. https://developer.apple.com/documentation/corewlan
Stevens, W. R. "UNIX Network Programming, Volume 1: The Sockets Networking API." Addison-Wesley, 2003.
Apple Inc. "Swift Concurrency: Actors." The Swift Programming Language, 2024.
Postel, J. "Internet Control Message Protocol." RFC 792, IETF, 1981.