jm3/openwebs.rb

## openwebs.rb
#!/usr/bin/env ruby

# Quick-n-dirty real-time monitor for HTTP connections, whether or not
# you initiated them. by @jm3 / jm3.net

# SETUP:
# gem install fosl colorize
# (if you get a permissions error, type: gem install fosl colorize)

# USAGE: (updates continuously every 3 seconds as you browse; ctrl-c to stop)
# while true; do ruby openwebs.rb; sleep 3; clear; done

begin
  require 'rubygems'
  require 'colorize'
  require 'fosl/parser'
  require 'socket'
rescue LoadError => e
  puts 'Please run: gem install colorize fosl' if e.message =~ /colorize|fosl/
  exit 1
end

class ListOpenWebConnections
  port = ARGV[0] || 80
  lsof = FOSL::Parser.new

  local_ip = Socket.respond_to?("ip_address_list") ?  Socket.ip_address_list[4].ip_address : Socket.gethostbyname("localhost")
  servers_seen = []
  output_buf   = []

  lsof.lsof("-i :#{port}").each do |pid, process|
    process.files.each do |file|
      server = file[:name].gsub(/:https?/, '').gsub( /#{local_ip}:/, '' ).gsub( /->/, " ").split[1] # server[0] is the output port

      next if servers_seen.include?(server)
      servers_seen.push(server)

      proto = file[:type].to_s.downcase
      output_buf.push(server)
    end
  end

  sort_by_domain = lambda{|a,b| [a.split('.')[-2],a.split('.')[-1]].join('.') <=> [b.split('.')[-2],b.split('.')[-1]].join('.') }
  output_buf.sort( &sort_by_domain ).uniq.each do |server|

    if server.match( /^[0-9\.]*$/ ) or server.split('.').size == 2
      # bare IP or domain name with only 2 segments
      server = server.red
    else
      # domain name with 2+ segments
      name_bits = server.split('.')
      tld = name_bits.pop
      basename = name_bits.pop
      basename = basename.gsub(/1e100/,'google')
      tld = basename == 'google' ? 'com' : tld
      generally_useless_prefix = name_bits.shift
      rest_of_name = name_bits[0..-1].join('.')
      generally_useless_prefix = generally_useless_prefix + (rest_of_name.size > 0 ? '.' + rest_of_name.yellow : "")

      server = [generally_useless_prefix, basename.red, tld.red].join('.')
    end

    puts server
  end

end

# Note that this isn't just cookies; this is *every* unsecured web
# connection your machine is holding open. Most of these connections
# are probably harmless. OR PERHAPS NOT. Now, you can be the judge.
# The default port is 80; just pass in a port number [1] on the command
# line to view other types of connections: port 22 is SSH, 53 is DNS, 443
# is SSL, etc. Don't die wondering.

# BACKSTORY:
# In light of:
#   * the latest NSA spying news [1] that firmly puts $GOOG (including Gmail
#     and the Chrome browser itself) into the "can not trust" category,
#   * Vanessa's video [2] showing how many cookies a FB session creates, and
#   * Viget's blog post [3] on viewing open net connections using lsof
#
# I thought it might be interesting to have this, even if nothing
# more than as a reminder of how much shit is being shoveled from
# across the world into your computer every second.
#
# I implemented a few quick usability hacks:
# * The important bits of domain names are highlighted in color.
#   This should help you rapidly scan the list, skipping over irrelevant
#   DNS prefixes like "static15.img.de-ad-be-ef.yahoo.com" to focus on
#   the relevant basename info that usually correlates to the logical
#   owner, e.g. "Yahoo".
# * Connections are also sorted *LOGICALLY* by *BASE* domain name,
#   which is a bit tricky; that means z50.dumb.static.AKAMAI.COM will
#   sort before a1.ec2.bongs.ZETA.COM, because the leading prefix
#   crap is basically irrelevant; what you usually care about is, "is
#   this facebook or yahoo or amazon," not, "which of facebook's 13,000
#   webservers is this going to."

# FURTHER READING:
#
# [1] https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports
# [1] https://news.google.com/news?ncl=d1kDB7-Yv-R0IHMMIaOf5BzvzGROM&q=nsa+google
# [2] https://www.youtube.com/watch?v=PkSLqLzxfQw
# [3] http://viget.com/extend/level-up-your-shell-game#viewing-processes-on-a-given-port-with-lsof
	#!/usr/bin/env ruby

	# Quick-n-dirty real-time monitor for HTTP connections, whether or not
	# you initiated them. by @jm3 / jm3.net

	# SETUP:
	# gem install fosl colorize
	# (if you get a permissions error, type: gem install fosl colorize)

	# USAGE: (updates continuously every 3 seconds as you browse; ctrl-c to stop)
	# while true; do ruby openwebs.rb; sleep 3; clear; done

	begin
	require 'rubygems'
	require 'colorize'
	require 'fosl/parser'
	require 'socket'
	rescue LoadError => e
	puts 'Please run: gem install colorize fosl' if e.message =~ /colorize\|fosl/
	exit 1
	end

	class ListOpenWebConnections
	port = ARGV[0] \|\| 80
	lsof = FOSL::Parser.new

	local_ip = Socket.respond_to?("ip_address_list") ? Socket.ip_address_list[4].ip_address : Socket.gethostbyname("localhost")
	servers_seen = []
	output_buf = []

	lsof.lsof("-i :#{port}").each do \|pid, process\|
	process.files.each do \|file\|
	server = file[:name].gsub(/:https?/, '').gsub( /#{local_ip}:/, '' ).gsub( /->/, " ").split[1] # server[0] is the output port

	next if servers_seen.include?(server)
	servers_seen.push(server)

	proto = file[:type].to_s.downcase
	output_buf.push(server)
	end
	end

	sort_by_domain = lambda{\|a,b\| [a.split('.')[-2],a.split('.')[-1]].join('.') <=> [b.split('.')[-2],b.split('.')[-1]].join('.') }
	output_buf.sort( &sort_by_domain ).uniq.each do \|server\|

	if server.match( /^[0-9\.]*$/ ) or server.split('.').size == 2
	# bare IP or domain name with only 2 segments
	server = server.red
	else
	# domain name with 2+ segments
	name_bits = server.split('.')
	tld = name_bits.pop
	basename = name_bits.pop
	basename = basename.gsub(/1e100/,'google')
	tld = basename == 'google' ? 'com' : tld
	generally_useless_prefix = name_bits.shift
	rest_of_name = name_bits[0..-1].join('.')
	generally_useless_prefix = generally_useless_prefix + (rest_of_name.size > 0 ? '.' + rest_of_name.yellow : "")

	server = [generally_useless_prefix, basename.red, tld.red].join('.')
	end

	puts server
	end

	end

	# Note that this isn't just cookies; this is every unsecured web
	# connection your machine is holding open. Most of these connections
	# are probably harmless. OR PERHAPS NOT. Now, you can be the judge.
	# The default port is 80; just pass in a port number [1] on the command
	# line to view other types of connections: port 22 is SSH, 53 is DNS, 443
	# is SSL, etc. Don't die wondering.

	# BACKSTORY:
	# In light of:
	# * the latest NSA spying news [1] that firmly puts $GOOG (including Gmail
	# and the Chrome browser itself) into the "can not trust" category,
	# * Vanessa's video [2] showing how many cookies a FB session creates, and
	# * Viget's blog post [3] on viewing open net connections using lsof
	#
	# I thought it might be interesting to have this, even if nothing
	# more than as a reminder of how much shit is being shoveled from
	# across the world into your computer every second.
	#
	# I implemented a few quick usability hacks:
	# * The important bits of domain names are highlighted in color.
	# This should help you rapidly scan the list, skipping over irrelevant
	# DNS prefixes like "static15.img.de-ad-be-ef.yahoo.com" to focus on
	# the relevant basename info that usually correlates to the logical
	# owner, e.g. "Yahoo".
	# * Connections are also sorted LOGICALLY by BASE domain name,
	# which is a bit tricky; that means z50.dumb.static.AKAMAI.COM will
	# sort before a1.ec2.bongs.ZETA.COM, because the leading prefix
	# crap is basically irrelevant; what you usually care about is, "is
	# this facebook or yahoo or amazon," not, "which of facebook's 13,000
	# webservers is this going to."

	# FURTHER READING:
	#
	# [1] https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports
	# [1] https://news.google.com/news?ncl=d1kDB7-Yv-R0IHMMIaOf5BzvzGROM&q=nsa+google
	# [2] https://www.youtube.com/watch?v=PkSLqLzxfQw
	# [3] http://viget.com/extend/level-up-your-shell-game#viewing-processes-on-a-given-port-with-lsof