Sniffnet – monitor your Internet traffic
38 comments
· February 2, 2025 · pknerd
majormjr
If you have a switch with port mirroring you can send the traffic to another device and monitor using something like Suricata.
NelsonMinar
I'd love a tool like this built into my router. OpenWRT maybe.
Ubiquiti's routers have some monitoring tools like this but the reported data is completely wrong.
wackget
I've always wondered: is there a tool which could selectively block internet traffic on a per-domain basis via a GUI interface like the uMatrix browser extension does for websites?
https://i.imgur.com/Ae4npRh.png
Obviously you can block hostnames quite easily via a hosts file, but it would be great if there was an easy-to-use GUI which could block stuff at the router level. If possible it could even inspect URIs to selectively block requests for certain file extensions etc.
rzzzt
Glasswire does both monitoring and filtering IIRC, but I haven't used it for quite a long time now.
Groxx
Somewhat, though various privacy enhancements have made / are making this harder and harder as time has gone on (which is generally good, because it also prevents your ISP / hotel from doing the same thing). Browsers are in a somewhat unique position, where they have detailed knowledge about every request they perform.
E.g. historically you could figure out IP <-> domain name pretty easily by simply watching DNS: cache the IP addresses for each domain as it's looked up, and do a reverse lookup when a request for that IP occurs. DNSSEC / DNS over HTTPS / etc hide that data, so it has to come from other sources (e.g. a remote lookup, bulk cached data, etc) or simply not be known at all.
You could also pull the data from the HTTPS handshake, which has Server Name Indication to support multiple domains behind a single IP address (e.g. hosted in a cloud), if that data exists (single-site static IPs may not have this). But Encrypted Client Hello hides this, so you're back to just IP addresses. (ECH is not very widespread yet AFAIK, but it's growing)
---
You can work around much of this if you have your router MITM your traffic, but that's kinda a pain to set up (as it should, it'd be very bad if someone else did it and you didn't notice), and essentially only works with "common" requests (e.g. https) which aren't using certificate pinning (a small number of mobile apps do this, outside that it's more rare AFAICT). You can just block all those of course, but it'll break some things.
axxto
For Windows, you can use SimpleWall, which uses Windows Filtering Platform underneath. The UI is nice, it's very efficient and works systemwide, deeply integrated with Windows' network stack. You can set domain/IP rules, but it's generally more oriented towards per-application basis blocking/allowing.
TheRizzler
If Windows, there is ZTDNS worth checking out: https://techcommunity.microsoft.com/blog/networkingblog/anno...
It melds Firewall and DNS to block.
georgeck
Tools like https://pi-hole.net do this for the whole house. It comes with a default set of blocked domains and you can easily add to it. It acts as your local DNS for the network.
EvanAnderson
An SSL intercepting proxy like Squid will do what you're looking for, insofar as the HTTP(S) protocol. Doing that at a gateway level, instead of on the client itself, loses visibility into process IDs or other client-local state.
The old Microsoft Proxy (and later their ISA Server product) used a proprietary encapsulation between the client and the proxy server that exposed client-local state to the proxy server to let you do "magical" stuff like filtering by process name or username at a gateway level. I wish there was a free software solution that did that.
pcl
For client-side management, Little Snitch does approximately this on macOS.
dewey
Is it mostly about the "matrix" interface in this case? Otherwise seems like exactly what tools like https://www.obdev.at/products/littlesnitch/index.html etc. do.
bullfinch
Is there a way to visualise networks (who talks to who) in a good way? I want the source to be logs from my firewall.
ycuser2
Is it possible to select a pcap stream (named pipe or so) as input? With that I could monitor my router's interfaces.
Or are there other possibilities to monitor router interfaces with Sniffnet?
Exuma
I used brew install... which of these do I choose? I chose en0 and I get a permission error (Libcap error, cannot open BPF device)
I have Apple silicon
edit: I just used sudo ;p
Exuma
Also, which package did you use to build this UI in Rust? This is absolutely incredible. I love the vibe of it...
jasode
Also look for "use iced::" at the top of the source code file:
https://github.com/GyulyVGC/sniffnet/blob/main/src/gui/sniff...
Gshaheen
Looks really cool with a lot of information. Can someone who knows more than I detail out what the practical use cases of something like this would be?
29athrowaway
You may also want to look at the venerable EtherApe, that has been around for a while and is packaged for most distros
robertoandred
Is there a way to see what applications are causing traffic?
Havoc
Tcpmon is closest I can think of. Doubt interface level capture would be able to attribute to apps
I'd like to collect something at the router level to learn how my kids are using the Internet.
Like I'd like to know the sites being visited on different devices.
Is there any such thing possible?