Show HN: A reasonably reliable traffic per application monitor using BPF (github.com)

23 points by elesiuta ↗ HN
picosnitch helps you protect your security and privacy by "snitching" on anything that connects to the internet, letting you know when, how much data was transferred, and to where.

It uses BPF to monitor network traffic per application, and per parent to cover those that just call others.

It also hashes every executable, and will complain if some mischievous program is giving it trouble.

3 comments

[ 4.3 ms ] story [ 20.7 ms ] thread
I submitted this a few months ago and has undergone some major changes since then, adding:

  - bandwidth monitoring
  - a dashboard for showing plots
  - support for storing logs off-system to mitigate some forms of tampering, and depending on your threat model could also be used by a router to cutoff network access for compromised devices
  - overhaul hashing to reduce failures, other than a few cases outlined in the readme, hash failures should be seen as a sign of suspicious activity (I may be able to make use of ima_file_hash for future improvements?)
Not sure 100% how this works, but sounds cool. In terms of an application being able to bypass it, can it?
Thanks, and AFAIK this should be the most reliable tool of its type on Linux, and the only one that also hashes executables which makes it a lot harder to bypass.

I mentioned some caveats under the limitations section of the readme such as hashing fails for AppImages because they use FUSE but they're still detected, or noting that scripts are only identified by their interpreter and arguments used. However nothing should be able to bypass picosnitch completely (i.e. silently) without a Linux vulnerability to hide from the kernel itself, or if something were to replace picosnitch with a modified copy.