Toolkit for auditing "phone home" behavior on Mac OS X Yosemite.
landonf Update sslsplit to point to upstream sources.
Now that all necessary changes have been upstreamed, a local fork is no
longer required.
Latest commit 438a368 Nov 24, 2014
conf Update to latest upstream sslsplit sources. Nov 24, 2014
lib/sslsplit Update sslsplit to point to upstream sources. Nov 24, 2014
Automated installation script for monitoring local traffic via sslsplit. Oct 19, 2014

Capture ALL The Things

Net-Monitor (NM) is a toolkit for auditing "phone home" behavior of all user and system-level processes on Mac OS X Yosemite.

Example data extracted by Net-Monitor is provided for collaborative review and analysis via the Yosemite Phone Home project.

Features include:

  • Transparent plaintext logging of TCP/TLS/HTTPS traffic via pf(4) and a custom version of SSLsplit. No custom proxy configuration is required.
  • Automatic correlation of connections with initiating application, user, and group.
  • Logging of non-TCP traffic via pf(4), pflog(4), and tcpdump.
  • Automatic generation and trust of a local, per-machine MITM certificate authority.

By default, NM generates the following logs:

  • TCP/SSL: /var/log/sslsplit//--.log
  • UDP/other: /var/log/udp-monitor/*.pcap
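
For reviewing the UDP/other captures, the following added example (not part of Net-Monitor) counts UDP datagrams per destination address and port in a classic pcap file. It assumes the frames use the pflog(4) link type (117), whose header starts with a length byte followed by the address family and is padded to 4 bytes. It handles IPv4 only, and the sample capture and its addresses are constructed.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

DLT_PFLOG = 117  # pcap link type for captures taken on a pflog(4) interface
AF_INET = 2

def udp_destinations(pcap_bytes):
    """Count UDP datagrams per (dst_ip, dst_port) in a classic pcap of pflog frames."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", pcap_bytes, 20)[0]
    if linktype != DLT_PFLOG:
        raise ValueError("unexpected link type %d" % linktype)
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack_from(endian + "I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 2 or frame[1] != AF_INET:
            continue  # IPv6 and truncated frames are skipped in this example
        # Assumption: byte 0 is the pflog header length, rounded up to 4 bytes
        ip = frame[(frame[0] + 3) & ~3:]
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
            continue  # not IPv4 or not UDP (protocol 17)
        udp = ip[(ip[0] & 0x0F) * 4:]
        if len(udp) < 4:
            continue
        dport = struct.unpack_from("!H", udp, 2)[0]
        counts[(str(IPv4Address(ip[16:20])), dport)] += 1
    return counts

def build_sample():
    """Constructed capture: two DNS datagrams, one NTP datagram, one TCP frame."""
    def frame(dst, dport, proto=17):
        pflog = bytes([61, AF_INET]) + bytes(62)  # constructed 61-byte header, padded to 64
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         IPv4Address("192.0.2.10").packed, IPv4Address(dst).packed)
        return pflog + ip + struct.pack("!HHHH", 50000, dport, 8, 0)
    frames = [frame("198.51.100.53", 53), frame("198.51.100.53", 53),
              frame("203.0.113.123", 123), frame("203.0.113.7", 443, proto=6)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (ip, port), n in udp_destinations(build_sample()).most_common():
        print(f"{n:5d}  {ip}:{port}")
```

To run it against a real capture, pass the file contents, e.g. `udp_destinations(open(path, "rb").read())`.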

NM relies on SSLsplit to provide TLS introspection; all of our previous local patches have been integrated upstream.

Additional contributions to improve accuracy/transparency of the collected data are always very welcome.


  • NM is intended to be used on a dedicated VM or research installation; it overrides default configuration files and interposes itself in TLS network communications, and is not currently recommended for day-to-day use.
  • Correlation of sockets, processes, and file system executable paths is imperfect; there are cases where connections will be ascribed to the wrong application path.
  • TLS traffic using client certificates cannot be captured in plaintext by default. For example, NM captures the key exchange performed by apsd (Apple Push Services Daemon), that establishes a client certificate, but NM can't transparently sniff future communications protected by that certificate without the addition of apsd-specific protocol handling.


Installation is handled entirely by; the pf(4) and launchd configuration files may be found in conf/.

To update the embedded copy of SSLsplit:

  • Clone and build sslsplit locally.
  • Update NM's standalone sslsplit binary via, e.g., ~/sslsplit/sslsplit ~/net-monitor