Your neighbor's phone connected to your WiFi every night for a month. It showed up at 11:47 PM, stayed online for six hours, and disconnected at 5:30 AM before anyone in your household was awake. You had no idea because your router does not keep a connection log, Terminal's ARP table resets every few minutes, and no one checks their network at 3 AM. By the time you ran a scan the next morning, the device was gone. No trace. No evidence. As if it was never there.
This is the fundamental blind spot of every traditional network scanning approach. Whether you use your router's admin panel, Terminal commands, or even a dedicated IP scanner for Mac, you only ever see a snapshot of the present moment. The second you close that window, the record vanishes. Devices that connect while you sleep, during your work hours, or in the five minutes you were not paying attention leave no trace behind.
What if your network had a memory? What if you could scroll back through time and see exactly which devices were present at 3 AM last Tuesday, how long they stayed, whether they had been there before, and when they first appeared? That is exactly what Paranoid's Timeline view and device history tracking system provide. This guide will walk you through how it works, how to set it up, and how to read the patterns that reveal unauthorized access you would otherwise never detect.
The Problem: Your Network Has No Memory
To understand why a device timeline matters, you first need to understand what you are missing without one. Every method of checking your network, whether it is your router's admin panel, the arp -a command in Terminal, or a basic network scanner, shows you a single point-in-time snapshot. The moment that snapshot is taken, it starts becoming stale. Devices join. Devices leave. IP addresses get reassigned. And none of it is recorded anywhere you can review later.
What Your Router Does Not Tell You
Your router's DHCP lease table shows currently active leases, and in some cases leases that have not yet expired even if the device has disconnected. But it does not keep a historical log. It cannot tell you that an unknown Android phone connected at 2:17 AM and disconnected at 6:43 AM. It cannot show you that a particular device has been appearing every weekend for the past three weeks. Consumer routers are built to route packets, not to maintain forensic logs of device presence. Even enterprise-grade routers with syslog capabilities often record connection events in a format that is practically impossible for a human to review without specialized SIEM tools.
What Terminal Cannot Show You
The ARP table on macOS has a default timeout of roughly 20 minutes. After that, entries for devices that have not communicated with your Mac are purged. Running arp -a at 8 AM tells you nothing about what happened at 3 AM. You could write a cron job that runs arp -a every minute and pipes the output to a log file, but then you are left with thousands of lines of raw text containing IP addresses and MAC addresses with no vendor identification, no device names, no visual representation, and no anomaly detection. Parsing that data into something meaningful is a project in itself.
The Security Implications
An attacker who understands this limitation can exploit it trivially. Connect to a target network late at night, exfiltrate data or conduct reconnaissance, and disconnect before morning. Unless the network owner happens to be running a scan at that exact moment, there is zero evidence. This is not a theoretical attack. WiFi password databases circulate freely online, and wardriving tools can identify poorly secured networks in seconds. The absence of historical network data is not just an inconvenience. It is a security vulnerability.
This is the problem that device history tracking and timeline visualization solve. Instead of relying on ephemeral snapshots, you build a continuous, searchable record of every device that has ever appeared on your network, when it arrived, when it left, how long it stayed, and what it was doing.
What Is the Device Timeline View?
Paranoid offers four distinct view modes for examining your network: List, Grid, Map, and Timeline. While the List and Grid views show you the current state of your network and the Map view shows topological relationships, the Timeline view adds the dimension that the others lack: time.
A Gantt Chart for Your Network
If you have ever used project management software, you have seen a Gantt chart: tasks displayed as horizontal bars along a time axis. The Timeline view applies this same visualization to your network. Each device appears as a row on the vertical axis, identified by its name, IP address, or MAC address. The horizontal axis represents time. Colored bars show the periods when each device was detected as present on the network.
The result is an immediately readable visual history. A device that is always online shows as a continuous bar stretching across the entire time range. Your router, for example, should appear as one unbroken bar. A device that connects intermittently, like a smartphone that comes and goes as its owner leaves and returns home, shows as a series of shorter bars with gaps between them. A device that appeared once at 3 AM and never returned shows as a single short bar in an otherwise empty row, standing out immediately as anomalous.
What the Timeline Displays
Each device row on the timeline includes the following information:
- Device identity — Hostname, IP address, and MAC address. If vendor identification resolved the manufacturer (Apple, Samsung, Raspberry Pi, etc.), that appears as well
- Device type icon — Automatically classified as router, phone, laptop, desktop, IoT device, printer, camera, smart TV, or other categories based on MAC vendor, open ports, and network behavior
- Presence bars — Colored horizontal bars showing the time intervals during which the device was detected. The color indicates status: green for currently online, gray for historically present but currently offline
- Scan event dots — Individual dots marking each specific scan that detected the device. These are useful for understanding the granularity of your data. If you scan every 5 minutes, you see dense dots. If you scan hourly, the dots are more spread out and the bars between them represent interpolated presence
- First seen and last seen timestamps — The absolute first and most recent times this device was detected on your network, which can span days, weeks, or months depending on how long you have been collecting data
Filtering and Navigation
A network with 30+ devices can produce a busy timeline. Paranoid provides several filtering mechanisms to focus on what matters. You can filter by device type to see only phones, only IoT devices, or only unknown devices. You can filter by date range to zoom into a specific night or weekend. You can select specific devices to compare their presence patterns side by side. And you can use the search field to find a device by name, IP, MAC address, or vendor.
The time axis supports zooming and panning. Zoom out to see weeks of history and identify weekly patterns. Zoom in to see minute-by-minute detail of a specific event. The combination of filtering and time navigation lets you answer questions like "Which devices were on my network between midnight and 6 AM last Saturday?" in seconds.
How Device History Tracking Works Under the Hood
The Timeline view is the visualization layer. Behind it sits a device history tracking system built on several interconnected services that collect, store, and analyze presence data over time. Understanding how these components work helps you get the most out of the feature and interpret the data correctly.
DeviceHistoryService: The Core Tracker
The DeviceHistoryService is the engine that maintains the historical record for every device Paranoid has ever seen on your network. Each device is identified primarily by its MAC address, which is the only truly persistent hardware identifier on a local network. IP addresses can change with DHCP renewals, and hostnames can be reconfigured, but a MAC address is burned into the device's network interface at the factory.
For every device, the history service maintains a DevicePresenceRecord containing:
- firstSeen — The timestamp of the very first scan that detected this MAC address. This never changes once set and tells you when the device first appeared on your network
- lastSeen — The timestamp of the most recent scan that detected this device. Updated with every scan where the device is present
- seenCount — The total number of individual scans in which this device has been detected. A device seen in 500 out of 1,000 scans has a 50% presence rate
- presenceIntervals — An array of time intervals (start timestamp, end timestamp) representing contiguous periods of presence. If a device is seen in five consecutive scans, that becomes one interval. If it disappears for a scan and reappears, a new interval begins
- averageLatency — The mean response time observed across all scans, tracked over time. A sudden increase in latency for a device can indicate network issues or a device under stress
How Presence Intervals Are Built
Presence intervals are constructed from discrete scan results. When the Network Monitor runs a scan and detects a device, the history service checks whether this is a continuation of an existing presence interval or the start of a new one. The logic works as follows:
If the device was seen in the previous scan (or within a configurable tolerance window that accounts for occasional scan misses), the current presence interval is extended. If the device was not seen in the previous scan, the prior interval is closed and a new interval begins. This produces clean, continuous bars on the timeline rather than a distracting series of individual dots.
The tolerance mechanism is critical for accuracy. Network scanning is not instantaneous. A device might not respond to one scan due to temporary sleep, interference, or packet loss, but respond normally in the next. Without tolerance, you would see a broken bar with tiny gaps that do not represent actual disconnections. Paranoid's Network Monitor uses a missed cycles threshold: a device is only marked as offline after it has been absent for three or more consecutive scans. This eliminates false gaps while still detecting genuine disconnections promptly.
Data Persistence
All device history and scan session data is persisted as JSON files to ~/Library/Application Support/IPscanner/. This is a local storage path on your Mac, meaning your network history never leaves your machine and is never uploaded to any cloud service. The data persists across app restarts and macOS reboots. Each scan session is stored as a separate JSON file containing the complete scan results, timestamps, and configuration used. The DeviceHistoryService aggregates these individual sessions into the unified presence records that power the Timeline view.
Because the data is stored locally in a standard macOS application support directory, it is included in Time Machine backups by default. If you need to transfer your network history to a new Mac, simply migrate your Application Support folder.
The Network Diff Engine: What Changed Since Last Scan
While the Timeline view shows you the broad picture of presence over time, the NetworkDiffEngine answers a more pointed question: what exactly changed between this scan and the previous one? It operates like a version control diff for your network, comparing two snapshots and producing a precise list of additions, removals, and modifications.
Three Categories of Change
Every time a scan completes, the diff engine compares the results against the previous scan (or against a saved baseline profile, which we will cover in the next section). It categorizes every detected change into one of three types:
| Badge | Category | What It Means |
|---|---|---|
| NEW | Device added | A MAC address that was not present in the previous scan is now detected. This could be a new device joining the network, a device coming out of sleep, or an unauthorized device connecting |
| GONE | Device removed | A MAC address that was present in the previous scan is no longer detected. The device has disconnected, powered off, or moved out of range |
| CHANGED | Properties modified | A device is present in both scans but one or more properties differ: IP address changed (DHCP reassignment), hostname changed, new ports opened, ports that were open are now closed, or service versions updated |
Why Property Changes Matter
The CHANGED category is often the most revealing for security purposes. A device that suddenly opens port 22 (SSH) when it was previously only running web services on port 80 could indicate that someone has enabled remote access, possibly without authorization. A device whose IP address changes frequently might be attempting to evade IP-based blocking rules. A hostname change from "Living-Room-Printer" to a random string could indicate that the device has been compromised and its hostname altered by malware.
Paranoid tracks all of these property changes and displays them in the diff results with clear before-and-after values. On the Timeline view, CHANGED events appear as annotations on the device's presence bar, so you can correlate property changes with specific timestamps. Did that new SSH port open at 2 AM on a Sunday? That deserves investigation.
Using Diff Results for Incident Response
The diff engine is not just for passive observation. When you notice something suspicious, whether a new device, a gone device, or a changed property, you can take immediate action from within Paranoid. Select the device to see its full details: MAC address, vendor, open ports, running services, OS fingerprint, and complete presence history. If it is unauthorized, you have all the information you need to block it at the router level using MAC filtering, or to change your WiFi password if the intrusion is more serious.
Paranoid's Timeline view records every device connection. Know who was on your network at any hour of any day.
Setting Up Continuous Timeline Data Collection
The Timeline view is only as useful as the data feeding it. A single manual scan gives you one data point. To build the continuous presence record that makes the timeline valuable, you need automated scanning running at regular intervals. Paranoid provides two complementary mechanisms for this: the Network Monitor and the Scan Scheduler.
Step 1: Run Your First Full Scan
Before enabling continuous monitoring, run a thorough initial scan to establish your network baseline. Select your WiFi interface from the dropdown, ensure port scanning is enabled so you capture service information for each device, and click Scan. This first scan populates the device list and gives the history service its initial set of DevicePresenceRecords. Every device found in this scan has its firstSeen timestamp set to right now.
Step 2: Enable the Network Monitor
Open the sidebar and navigate to the Network Monitor section. The monitor is a continuous background scanning service that runs at a configurable interval. When you enable it, Paranoid will repeat the network scan automatically on a schedule. Each scan uses the same multi-protocol discovery engine as a manual scan: ARP prepopulation to catch silent devices, TCP probing on common ports, Bonjour/mDNS listening, and NetBIOS/SMB queries.
Choose a scan interval that balances thoroughness with resource usage:
| Interval | Best For | Timeline Resolution | Resource Impact |
|---|---|---|---|
| Every 5 minutes | Active investigation, high-security environments | Excellent — catches brief connections | Moderate CPU/network, fine for dedicated monitoring Mac |
| Every 15 minutes | Standard home monitoring, recommended default | Good — most devices stay longer than 15 min | Low, barely noticeable |
| Every 30 minutes | Long-term tracking, battery-conscious laptops | Adequate — may miss very brief connections | Minimal |
| Every 1 hour | Passive baseline tracking over weeks/months | Coarse — presence bars will have wide uncertainty | Negligible |
For most users, every 15 minutes strikes the right balance. It catches the vast majority of device connections (most unauthorized devices stay on a network for longer than 15 minutes to do anything useful) while consuming minimal system resources.
Step 3: Configure the Scan Scheduler for Targeted Coverage
The ScanSchedulerService provides more granular control than the continuous monitor. Instead of scanning at a fixed interval around the clock, the scheduler lets you define specific scan times using cron-like scheduling. This is useful when you want extra coverage during specific windows.
For example, you might configure the standard monitor to scan every 15 minutes during waking hours, but use the scheduler to run a scan every 5 minutes between midnight and 6 AM, the window when unauthorized access is most likely to go unnoticed. Or you might schedule intensive scans only on weekdays while you are at the office, and rely on the lighter monitor during evenings and weekends when you are home and can observe the network yourself.
Step 4: Let It Run
With the monitor and scheduler configured, the system runs autonomously. Every scan result is automatically processed by the DeviceHistoryService, which updates presence records and intervals. The NetworkDiffEngine compares each scan against the previous one and generates change alerts. The Timeline view continuously accumulates data, becoming more valuable with every passing hour.
After 24 hours, you have a full day of device presence data. After a week, patterns emerge: which devices are always on, which follow a daily schedule, and which appear irregularly. After a month, your timeline is a comprehensive audit log of every device that has touched your network. That neighbor's phone that connected at 3 AM? It shows up as a distinct bar on the timeline, complete with MAC address, vendor (Samsung, Apple, Xiaomi, or whatever it is), and the exact timestamp of every appearance.
Network Profiles and Baselines: Defining Normal
A timeline of raw device data is powerful, but it becomes transformative when combined with the concept of a baseline. A baseline answers the question: what should my network look like? Once you define what normal looks like, everything that deviates from normal is automatically flagged.
Creating a Network Profile
Paranoid's NetworkProfileService lets you save the current state of your network as a named profile. Think of a profile as a labeled snapshot: "Normal weekday evening" with 14 devices, "Weekend with guests" with 18 devices, or "Just my devices" with 8 devices. Each profile captures every device's MAC address, IP address, hostname, vendor, device type, and open ports at the time of saving.
To create a profile, run a scan when your network is in a known-good state (meaning every device present is one you recognize and trust), then save the results as a profile with a descriptive name. You can create multiple profiles for different scenarios.
Comparing Against the Baseline
Once a profile is saved, you can configure Paranoid to compare every subsequent scan against that baseline. The diff engine takes each new scan result and compares it against the saved profile rather than against the previous scan. This shifts the detection paradigm from "what changed in the last 15 minutes" to "what is different from my known-good state."
The difference is significant. If a rogue device connected to your network three hours ago and has been online continuously since, the scan-to-scan diff will not flag it anymore because it was present in both the current and previous scan. But the profile comparison will flag it on every single scan because it is not in the baseline. The device remains marked as NEW until you either add it to the profile (acknowledging it as legitimate) or remove it from your network.
Profile Drift Detection
Over time, networks evolve. You add new devices, retire old ones, change configurations. Paranoid tracks this drift by showing you how far the current network state has moved from your saved profile. If your "Normal weekday" profile had 14 devices and the current scan shows 19, you know five devices have been added since the profile was created. Reviewing those five additions takes seconds and tells you whether to update the profile or investigate the new arrivals.
This approach is especially valuable for families and shared living spaces where new devices appear regularly. Rather than being overwhelmed by alerts for every new phone a family member brings home, you can periodically review the drift, verify the new devices, and update the profile. The timeline records exactly when each new device first appeared, giving you the context to quickly determine whether it is the new tablet your partner bought last week or something that warrants concern.
Anomaly Detection: When Patterns Break
Beyond simple presence tracking and baseline comparison, Paranoid's AnomalyDetectionService applies behavioral analysis to device history data. It looks for patterns that do not match normal network behavior, even when no baseline profile violation has occurred.
Unusual Time-of-Day Presence
The anomaly engine builds a time-of-day presence model for each device based on its historical data. A work laptop that is typically online from 8 AM to 6 PM on weekdays has an established pattern. If that same device suddenly appears at 3 AM on a Saturday, the engine flags it as an anomaly. This does not necessarily mean something is wrong. Maybe you woke up early to finish a project. But the flag ensures you notice and can confirm whether the activity was legitimate.
For unknown devices, time-of-day analysis is especially telling. A device that only appears between midnight and 5 AM, never during daytime hours, is exhibiting a pattern consistent with unauthorized access by someone who knows the network owner's schedule. The Timeline view makes this pattern visually obvious: you see short bars clustered exclusively in the late-night hours, a pattern that would be nearly impossible to detect with manual spot-checks.
MAC Address Randomization Detection
Modern smartphones and some laptops use MAC address randomization as a privacy feature. When a device scans for available WiFi networks, it uses a random MAC address rather than its real hardware address. Once the device actually connects to a specific network, most implementations switch to a consistent (though sometimes still randomized per-network) MAC address.
The anomaly engine detects signs of MAC randomization by looking for devices with locally administered MAC addresses (the second-least-significant bit of the first octet is set), devices that appear once and never return (probe requests with random MACs), and devices whose MAC address changes while other identifying characteristics (hostname, open ports, behavior) remain similar. When detected, the engine correlates these signals and attempts to link the randomized appearances to a single physical device.
Device Count Spikes
A sudden increase in the number of devices on your network is inherently suspicious. If your network typically has 12-15 devices and a scan suddenly shows 23, something has changed. The anomaly engine tracks the rolling average device count and alerts when the current count deviates significantly from the norm. This can indicate a neighbor who recently obtained your WiFi password and is connecting multiple devices, a compromised IoT device that is spawning virtual network interfaces, or simply that you forgot you invited friends over and their phones auto-connected.
Service and Port Changes
The anomaly engine also monitors for unexpected changes in the services running on known devices. A smart plug that has always been reachable only on port 80 (its configuration web interface) suddenly opening port 22 (SSH) or port 23 (Telnet) is a significant red flag that could indicate a compromised device. Similarly, a NAS device that was previously only serving SMB file shares on port 445 suddenly exposing an HTTP server on port 8080 warrants investigation. These changes appear as CHANGED badges in the diff engine and as annotations on the Timeline view, giving you both the alert and the historical context to investigate.
Reading Timeline Patterns: Real-World Scenarios
Raw data is only useful if you can interpret it. Here are real-world scenarios showing how Timeline patterns translate into actionable intelligence about your network.
Scenario 1: The Recurring Midnight Visitor
Your timeline shows a Samsung device (identified by its MAC vendor OUI) that appears every night between 11 PM and 5 AM, seven days a week, for the past three weeks. During daytime hours, the device is never present. No one in your household owns a Samsung phone.
What this means: Someone with access to your WiFi password is connecting a device overnight, likely to use your internet connection while you sleep. The consistency of the pattern (every night, same approximate times) suggests this is automated, either a phone set to auto-connect when in range, or someone who has established a routine.
What to do: Change your WiFi password immediately. After changing it, monitor the timeline. If the device reappears, it means the person has obtained the new password, which narrows the list of suspects to people you have shared the new password with.
Scenario 2: The Intermittent IoT Device
A device with a Raspberry Pi MAC vendor appears on your network for 20-30 minutes every Tuesday and Thursday afternoon. It was not present when you created your baseline profile two months ago. No one in your household owns a Raspberry Pi.
What this means: This is the most concerning pattern because Raspberry Pi devices are commonly used in network penetration testing. A Pi that appears on a schedule could be someone conducting periodic reconnaissance of your network. Alternatively, it could be a neighbor with a Pi-based home automation project that occasionally connects to the wrong network, or a service technician's tool.
What to do: Note the exact times from the timeline and try to correlate them with any external events (visitors, service calls, neighbor activity). Check the device's open ports if it is currently online. Then change your WiFi password and enable MAC address filtering.
Scenario 3: The Device That Changed Identity
Your timeline shows a device that was previously identified as "Living-Room-TV" (a Samsung smart TV) that suddenly changes its hostname to a random alphanumeric string and opens three new ports (22, 8080, 8443) that were never open before. The MAC address is the same, confirming it is the same physical device.
What this means: The TV may have been compromised. Smart TVs are a growing target for malware because they run stripped-down operating systems with minimal security and rarely receive firmware updates. A hostname change combined with new open ports strongly suggests unauthorized software installation.
What to do: Isolate the TV by either disconnecting it from WiFi or placing it on a separate guest network. Check the manufacturer's website for firmware updates. Factory reset the TV if a firmware update does not resolve the new services. Monitor the timeline after reconnection to verify the anomalous ports do not reappear.
Scenario 4: Gradual Network Growth
Your timeline shows a steady increase in devices over the past two months: from 12 devices to 22. The new devices appeared one or two at a time, so no single scan triggered a device-count spike alert. All new devices have legitimate-looking vendors (TP-Link, Shenzhen, Tuya).
What this means: Someone in your household has been adding smart home devices (smart plugs, light bulbs, sensors) without your knowledge, or your IoT devices have been auto-updating and spawning additional network connections. The TP-Link/Tuya/Shenzhen vendors are consistent with cheap smart home products sold on Amazon.
What to do: Review the firstSeen timestamps for each new device and correlate them with any purchases. If you cannot account for all the new devices, investigate further. Consider placing IoT devices on a separate VLAN or guest network to limit their access to your primary network.
Comparison: Timeline vs. Traditional WiFi Monitoring Methods
To put Paranoid's timeline capabilities in context, here is how it compares to every other method of tracking device history on a Mac network.
| Capability | Router Admin | Terminal (arp/ping) | Basic Scanners | Paranoid Timeline |
|---|---|---|---|---|
| Current device list | Yes (DHCP only) | Yes (recently active) | Yes | Yes (multi-protocol) |
| Historical device log | No | No | No | Yes — unlimited history |
| Visual timeline | No | No | No | Yes — Gantt-style chart |
| Presence intervals | No | No | No | Yes — per-device tracking |
| Change detection (diff) | No | No | Some (basic) | Yes — NEW/GONE/CHANGED |
| Baseline profiles | No | No | No | Yes — named profiles |
| Anomaly detection | No | No | No | Yes — behavioral analysis |
| Scheduled scanning | No | Manual cron scripts | Rarely | Yes — built-in scheduler |
| Vendor identification | Sometimes | No | Basic OUI | Yes — 3-tier OUI + Fingerbank |
| Port/service tracking | No | No | Yes (current only) | Yes — historical changes |
| Data storage | Volatile RAM | ARP cache (20 min) | Session-based | Persistent JSON on disk |
| Privacy | On router | Local | Varies | 100% local, no cloud |
The comparison highlights a fundamental gap: traditional tools treat network monitoring as a present-tense activity. You check what is happening now. Paranoid's timeline introduces the historical dimension, transforming network monitoring from a manual spot-check into a continuous audit log with forensic-grade detail.
For users who are serious about auditing their home network security, the timeline is not a nice-to-have feature. It is the difference between "I think my network is fine" and "I have evidence that my network has been clean for the past 30 days, and here is the data to prove it."
Frequently Asked Questions
Can I see the WiFi login history on my Mac?
macOS does not natively keep a log of which devices connected to your WiFi and when. Your Mac records its own WiFi connection history (which networks you joined), but not a log of other devices on the network. However, Paranoid's Timeline view builds a comprehensive device history by running scheduled scans and recording every device presence interval. Over time, this creates a complete WiFi login history showing exactly when each device appeared and disappeared from your network. The key distinction is that Paranoid actively builds this history through repeated scanning rather than passively logging connection events, which means you need to have the monitor running to capture data.
How far back does the device timeline history go?
There is no artificial time limit. Paranoid stores device history as JSON files in ~/Library/Application Support/IPscanner/. As long as you keep the scan session data on disk, your timeline history extends back to the very first scan you ever ran. Sessions can span days, weeks, or months of continuous monitoring. The data files are lightweight (a few kilobytes per scan for a typical home network), so even months of data at 5-minute intervals consumes minimal disk space. If you are running low on storage, you can archive older session files without affecting the current monitoring.
Does the timeline work if my Mac goes to sleep?
The timeline records data based on actual scan results. If your Mac is asleep, no scans run and no data is recorded for that period. The timeline will display a gap during sleep periods, which is visually distinguishable from a period where scans ran but no devices were found. For continuous overnight coverage, you can configure your Mac's energy settings (System Settings, Energy Saver) to prevent sleep, or use the macOS pmset command to schedule wake events at specific times. For example, scheduling a wake at 2:55 AM and a scan at 3:00 AM gives you targeted coverage of the most vulnerable hours without keeping your Mac awake all night.
Can I detect devices using MAC address randomization?
Modern smartphones randomize their MAC address when scanning for available WiFi networks, but most use a consistent (per-network) MAC address once actually connected to a specific network. This means that once a device joins your WiFi, it typically presents the same MAC for the duration of its association with your network. Paranoid's AnomalyDetectionService flags devices with changing MAC addresses and can correlate them using supplementary signals like hostname patterns, open port profiles, and vendor fingerprints. The timeline will show MAC changes as CHANGED property modifications in the network diff view, making it possible to track even devices that attempt to rotate their hardware identity.
What is the difference between the Timeline view and the Network Monitor?
The Network Monitor is the data collection engine. It runs background scans at your chosen interval, detects new and departed devices using ARP prepopulation and TCP probing, generates diff results, and feeds device presence records into the history database. The Timeline view is the visualization and analysis layer. It takes all the collected data and renders it as a Gantt-style chart so you can see presence patterns at a glance, filter by device type or date range, and zoom into specific time windows. Think of the Monitor as the security camera and the Timeline as the recorded footage you review. The Monitor collects silently in the background; the Timeline lets you rewind and examine what happened.
How much disk space does device history use?
Device history is stored as lightweight JSON files in ~/Library/Application Support/IPscanner/. A typical scan session capturing 20 devices produces a few kilobytes of structured data. Even aggressive monitoring configurations, such as scanning every 5 minutes for months, would consume less than 100 MB of disk space for a typical home network. The data is entirely local to your Mac and is never uploaded to any cloud service or external server. It is included in standard Time Machine backups and can be migrated to a new Mac by copying the Application Support directory.
Conclusion: Give Your Network a Memory
The most dangerous network intrusion is the one you never detect. And the easiest way to avoid detection is to connect when no one is watching. Without a historical record, every moment you are not actively scanning is a moment of blindness. Your router does not remember. Terminal does not log. And the human instinct to check the network only when something feels wrong means that silent, well-timed intrusions can persist for months.
Paranoid's Timeline view closes this gap entirely. Once you enable continuous monitoring, every device connection is recorded, timestamped, and visualized. The network diff engine alerts you to changes as they happen. Baseline profiles define what normal looks like. And the anomaly detection engine catches the patterns that no human would notice: the 3 AM visitor, the gradually growing device count, the smart TV that silently opened an SSH port.
You do not need to be a network engineer to use these features. Enable the monitor, save a baseline profile, and let Paranoid build your network's history in the background. When you want to check, open the Timeline view and scroll through time. The colored bars, the NEW and GONE badges, and the anomaly flags tell the story of your network in a format that takes seconds to understand.
Your WiFi network is the foundation of your digital life. Everything flows through it: banking, work, personal communications, smart home controls. Knowing who is on it right now is important. Knowing who was on it at 3 AM last Tuesday is the difference between hoping your network is secure and knowing it is.
Know who was on your network at every hour of every day
Download Paranoid and start building your network's history. Timeline view, device tracking, baseline profiles, and anomaly detection — all running natively on your Mac.