A simple eBPF-based program to keep track of the IPs to which your machine is connecting. Inspired by Little Snitch Mini.
The window below is the freshly started UI running. In the terminal at the top I'm using curl to connect to a bunch of websites, and they get displayed on the map. The IP is shown in the tooltip:
The eBPF program prints the following events to stdout for IPv4:
- <direction>_connect remote_ip:remote_port :local_port: emitted on every TCP SYN packet.
- <direction>_disconnect remote_ip:remote_port :local_port: emitted on every TCP FIN packet.
- <direction>_traffic remote_ip:remote_port :local_port transfered_bytes: emitted on every TCP packet that is neither SYN nor FIN.
- syscall_<connect|accept> remote_ip:remote_port pid: emitted on every call to the connect and accept syscalls.
The UI is implemented in Python with Qt; it reads the events from stdin and visualizes them on a map.
For now, it's only using the connect and disconnect events.
To run it, just call run.sh.
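As an added example (not part of this project's code), the following Python sketch parses the event lines in the format listed above and replays only the connect/disconnect events to compute which remote IPs still have an open connection, which is what the map shows today. The sample event lines are constructed, not captured output, and the field names follow the format description.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample of the stdout lines described above (not real captured output).
SAMPLE_EVENTS = """\
out_connect 93.184.216.34:443 :51234
out_traffic 93.184.216.34:443 :51234 517
syscall_connect 93.184.216.34:443 4242
in_connect 10.0.0.7:51000 :22
this line is malformed and must be skipped
out_disconnect 93.184.216.34:443 :51234
"""
# Packet events: <in|out>_<connect|disconnect|traffic> ip:rport :lport [bytes]
_PACKET_RE = re.compile(r"^(in|out)_(connect|disconnect|traffic) (\S+):(\d+) :(\d+)(?: (\d+))?$")
# Syscall events: syscall_<connect|accept> ip:rport pid
_SYSCALL_RE = re.compile(r"^syscall_(connect|accept) (\S+):(\d+) (\d+)$")

@dataclass
class Event:
    kind: str                  # connect, disconnect, traffic, syscall_connect, syscall_accept
    direction: Optional[str]   # in/out for packet events, None for syscall events
    remote_ip: str
    remote_port: int
    local_port: Optional[int]  # None for syscall events
    nbytes: Optional[int]      # only set for traffic events
    pid: Optional[int]         # only set for syscall events

def parse_event(line: str) -> Optional[Event]:
    """Parse one event line; return None for anything that does not match the format."""
    line = line.strip()
    if m := _PACKET_RE.match(line):
        direction, kind, ip, rport, lport, nbytes = m.groups()
        if (kind == "traffic") != (nbytes is not None):
            return None  # traffic events carry a byte count, the other kinds must not
        return Event(kind, direction, ip, int(rport), int(lport),
                     int(nbytes) if nbytes else None, None)
    if m := _SYSCALL_RE.match(line):
        call, ip, rport, pid = m.groups()
        return Event("syscall_" + call, None, ip, int(rport), None, None, int(pid))
    return None

def active_remotes(stream: str) -> set:
    """Replay a stream; return remote IPs still open, using only connect/disconnect events."""
    open_conns = set()
    for line in stream.splitlines():
        ev = parse_event(line)
        if ev is None or ev.kind not in ("connect", "disconnect"):
            continue
        key = (ev.remote_ip, ev.remote_port, ev.local_port)
        open_conns.add(key) if ev.kind == "connect" else open_conns.discard(key)
    return {ip for ip, _, _ in open_conns}
```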
- Install a Rust stable toolchain:
rustup install stable
- Install a Rust nightly toolchain with the rust-src component:
rustup toolchain install nightly --component rust-src
- Install bpf-linker:
cargo install bpf-linker

Build the eBPF program:
cargo xtask build-ebpf
To perform a release build, you can use the --release flag. You may also change the target architecture with the --target flag.

Build the userspace program:
cargo build

Run it:
RUST_LOG=info cargo xtask run