I did a bit of packet sniffing on my own laptop with Scapy. I started by capturing 5,000 packets.
I found this notebook very helpful for parsing the results.
Packets contain data and go both in and out from my device. The packets also have an IP address for source and destination. From there I could find who owned the IP ranges and the total data volume.
I also took a look at which ports were active.
As expected, most of the data was inbound, on port 443, typical of https. There’s also a bit on port 22 (SSH) which is expected since I was using Git while I sniffed the packets.
However, I was surpised to see something inbound on port 80 and to learn it was from Apple.
The associated server is http://ocsp.apple.com. OCSP is an internet protocol for checking the status of certificates. After doing some reading, I think doing this over http is typical and safe.