Last active
December 27, 2015 01:29
Quick'n'dirty real-time tracker monitor for open HTTP connections, whether or not you initiated them.
#!/usr/bin/env ruby
# Quick-n-dirty real-time monitor for HTTP connections, whether or not
# you initiated them. by @jm3 / jm3.net
# SETUP:
# gem install fosl colorize
# (if you get a permissions error, type: gem install fosl colorize)
# USAGE: (updates continuously every 3 seconds as you browse; ctrl-c to stop)
# while true; do ruby openwebs.rb; sleep 3; clear; done
begin
  require 'rubygems'
  require 'colorize'
  require 'fosl/parser'
  require 'socket'
rescue LoadError => e
  puts 'Please run: gem install colorize fosl' if e.message =~ /colorize|fosl/
  exit 1
end
class ListOpenWebConnections
  port = ARGV[0] || 80
  lsof = FOSL::Parser.new
  # Pick the first non-loopback IPv4 address. (The original indexed
  # Socket.ip_address_list[4], which depends on interface ordering, and its
  # gethostbyname fallback returned an array rather than an address string.)
  local_ip = if Socket.respond_to?(:ip_address_list)
    addr = Socket.ip_address_list.find { |a| a.ipv4? && !a.ipv4_loopback? }
    addr ? addr.ip_address : '127.0.0.1'
  else
    IPSocket.getaddress(Socket.gethostname)
  end
  servers_seen = []
  output_buf = []
  lsof.lsof("-i :#{port}").each do |pid, process|
    process.files.each do |file|
      # NAME looks like "LOCAL_IP:54321->remote.host:http"; strip the service
      # suffix and the local side, leaving "54321 remote.host".
      server = file[:name].gsub(/:https?/, '').gsub(/#{Regexp.escape(local_ip)}:/, '').gsub(/->/, ' ').split[1] # server[0] is the output port
      next if server.nil? # LISTEN sockets ("*:http") have no remote side
      next if servers_seen.include?(server)
      servers_seen.push(server)
      proto = file[:type].to_s.downcase
      output_buf.push(server)
    end
  end
  # Sort by the last two labels (the base domain) so leading prefixes are ignored.
  sort_by_domain = lambda { |a, b| [a.split('.')[-2], a.split('.')[-1]].join('.') <=> [b.split('.')[-2], b.split('.')[-1]].join('.') }
  output_buf.sort(&sort_by_domain).uniq.each do |server|
    if server.match(/^[0-9\.]*$/) or server.split('.').size == 2
      # bare IP or domain name with only 2 segments
      server = server.red
    else
      # domain name with 3+ segments
      name_bits = server.split('.')
      tld = name_bits.pop
      basename = name_bits.pop
      basename = basename.gsub(/1e100/, 'google') # 1e100.net is Google's reverse-DNS domain
      tld = basename == 'google' ? 'com' : tld
      generally_useless_prefix = name_bits.shift
      rest_of_name = name_bits[0..-1].join('.')
      generally_useless_prefix = generally_useless_prefix + (rest_of_name.size > 0 ? '.' + rest_of_name.yellow : "")
      server = [generally_useless_prefix, basename.red, tld.red].join('.')
    end
    puts server
  end
end
# Note that this isn't just cookies; this is *every* unsecured web
# connection your machine is holding open. Most of these connections
# are probably harmless. OR PERHAPS NOT. Now, you can be the judge.
# The default port is 80; just pass in a port number [1] on the command
# line to view other types of connections: port 22 is SSH, 53 is DNS, 443
# is SSL, etc. Don't die wondering.
# BACKSTORY:
# In light of:
# * the latest NSA spying news [1] that firmly puts $GOOG (including Gmail
#   and the Chrome browser itself) into the "can not trust" category,
# * Vanessa's video [2] showing how many cookies a FB session creates, and
# * Viget's blog post [3] on viewing open net connections using lsof
#
# I thought it might be interesting to have this, even if nothing
# more than as a reminder of how much shit is being shoveled from
# across the world into your computer every second.
#
# I implemented a few quick usability hacks:
# * The important bits of domain names are highlighted in color.
#   This should help you rapidly scan the list, skipping over irrelevant
#   DNS prefixes like "static15.img.de-ad-be-ef.yahoo.com" to focus on
#   the relevant basename info that usually correlates to the logical
#   owner, e.g. "Yahoo".
# * Connections are also sorted *LOGICALLY* by *BASE* domain name,
#   which is a bit tricky; that means z50.dumb.static.AKAMAI.COM will
#   sort before a1.ec2.bongs.ZETA.COM, because the leading prefix
#   crap is basically irrelevant; what you usually care about is, "is
#   this facebook or yahoo or amazon," not, "which of facebook's 13,000
#   webservers is this going to."
# FURTHER READING:
#
# [1] https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports
# [1] https://news.google.com/news?ncl=d1kDB7-Yv-R0IHMMIaOf5BzvzGROM&q=nsa+google
# [2] https://www.youtube.com/watch?v=PkSLqLzxfQw
# [3] http://viget.com/extend/level-up-your-shell-game#viewing-processes-on-a-given-port-with-lsof
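The host extraction, base-domain sort and colour highlighting that the script and its notes describe, pulled out into functions so they can be exercised offline. This is an added example, not part of jm3's gist: it runs on constructed lsof-style NAME fields instead of live `lsof -i` output, needs neither the fosl nor the colorize gem (ANSI escapes stand in for colorize), and its function names and sample data are assumptions. It generalizes the script in two places: a socket with no remote peer (the `*:http` LISTEN line) is dropped instead of crashing the sort, and the sort key is the base domain after the 1e100 -> google rewrite, so Google's reverse-DNS hosts sort alongside google.com.

```ruby
# Added example (not from the gist): testable pieces of the openwebs.rb logic,
# run over constructed lsof NAME fields. Names and sample data are assumptions.

# Constructed NAME fields in the shape `lsof -i :80` prints them.
SAMPLE_NAMES = [
  '192.168.1.23:54321->static15.img.de-ad-be-ef.yahoo.com:http',
  '192.168.1.23:54322->a1.ec2.bongs.zeta.com:http',
  '192.168.1.23:54323->z50.dumb.static.akamai.com:http',
  '192.168.1.23:54324->lga15s43-in-f14.1e100.net:http',
  '192.168.1.23:54325->93.184.216.34:http',
  '*:http',                                         # LISTEN socket: no peer
  '192.168.1.23:54322->a1.ec2.bongs.zeta.com:http'  # duplicate entry
].freeze

RED    = "\e[31m"
YELLOW = "\e[33m"
RESET  = "\e[0m"

# Remote host of an lsof NAME field, or nil when the socket has no peer.
def remote_host(name)
  _local, remote = name.split('->', 2)
  return nil if remote.nil?
  remote.sub(/:[^:]*\z/, '')   # drop the trailing ":port" / ":service"
end

# Split a host into the script's three colour zones. Bare IPs and two-label
# names have no prefix and are treated as a single red "base".
def name_parts(host)
  bits = host.split('.')
  return { prefix: nil, base: host, tld: nil } if host.match?(/\A[0-9.]+\z/) || bits.size <= 2
  tld  = bits.pop
  base = bits.pop.gsub('1e100', 'google')   # 1e100.net is Google reverse DNS
  tld  = 'com' if base == 'google'
  { prefix: bits.join('.'), base: base, tld: tld }
end

# Sort key: the base domain after the 1e100 -> google rewrite (the original
# script keyed on the raw last two labels).
def base_domain(host)
  p = name_parts(host)
  p[:prefix].nil? ? p[:base] : "#{p[:base]}.#{p[:tld]}"
end

# Dedupe, drop peerless sockets, order by base domain then full host.
def sorted_remote_hosts(names)
  names.map { |n| remote_host(n) }.compact.uniq.sort_by { |h| [base_domain(h), h] }
end

# Colour the way the script does: first prefix label plain, rest of the
# prefix yellow, base and TLD red.
def render(host)
  p = name_parts(host)
  return "#{RED}#{p[:base]}#{RESET}" if p[:prefix].nil?
  first, *rest = p[:prefix].split('.')
  prefix = rest.empty? ? first : "#{first}.#{YELLOW}#{rest.join('.')}#{RESET}"
  [prefix, "#{RED}#{p[:base]}#{RESET}", "#{RED}#{p[:tld]}#{RESET}"].join('.')
end

if $PROGRAM_NAME == __FILE__
  sorted_remote_hosts(SAMPLE_NAMES).each { |h| puts render(h) }
end
```

Run it directly and the five distinct peers print in base-domain order (the bare IP first, since digits sort before letters, then akamai, google, yahoo, zeta), which is the ordering the notes above promise for z50.dumb.static.akamai.com versus a1.ec2.bongs.zeta.com.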