Monitor Network Traffic Per Executable, Beautifully Visualized
picosnitch
Arch: install from the AUR manually or using your preferred AUR helper
sudo add-apt-repository ppa:elesiuta/picosnitch
sudo apt update
sudo apt install picosnitch
sudo apt install pipx
pipx install dash
sudo zypper addrepo https://download.opensuse.org/repositories/home:elesiuta/openSUSE_Tumbleweed/home:elesiuta.repo
sudo zypper refresh
sudo zypper install picosnitch
services.picosnitch.enable = true;
to your Nix configuration file (typically /etc/nixos/configuration.nix)
sudo nixos-rebuild switch
systemctl stop picosnitch
sudo picosnitch start-no-daemon
then send SIGINT (ctrl + c)
systemctl start picosnitch
python-bcc or python-bpfcc
pipx install "picosnitch[full]"
picosnitch systemd
[full]
if not already installed)
dbus-python, python-dbus, or python3-dbus (name depends on your distro and should be installed from their repo)
[full]
picosnitch.py and setup.py
python-bcc or python-bpfcc
python-setuptools
python setup.py install --user
python setup.py [build|install] --help
picosnitch.py directly
systemctl enable|disable picosnitch
systemctl start|stop|restart picosnitch
picosnitch start|stop|restart
picosnitch dash
HOST and PORT
picosnitch view
space/enter/f: filter on entry
e: exclude entry
backspace/F/E: remove filter
h/H: step through history (time offset)
t/T: cycle time range
u/U: cycle byte units
r: refresh view
q: quit
picosnitch help
~/.config/picosnitch/config.json
{
"DB retention (days)": 30, # How many days to keep connection logs in snitch.db
"DB sql log": true, # Write connection logs to snitch.db (SQLite)
"DB sql server": {}, # Write connection logs to a MariaDB, MySQL, or PostgreSQL server
"DB text log": false, # Write connection logs to conn.log
"DB write limit (seconds)": 10, # Minimum time between connection log entries
# increasing it decreases disk writes by grouping traffic into larger time windows
# reducing time precision, decreasing database size, and increasing hash latency
"Dash scroll zoom": true, # Enable scroll zooming on plots
"Dash theme": "", # Select a theme name from https://bootswatch.com/
# requires installing https://pypi.org/project/dash-bootstrap-components/
# and https://pypi.org/project/dash-bootstrap-templates/ with pip or pipx
"Desktop notifications": true, # Try connecting to dbus to show notifications
"Every exe (not just conns)": false, # Check every running executable with picosnitch
# these are treated as "connections" with a port of -1
# this feature is experimental but should work fairly well, errors should be expected as
# picosnitch is unable to open file descriptors for some extremely short-lived processes
# if you just want logs (no hashes) to trace process hierarchy, see execsnoop or forkstat
"GeoIP lookup": true, # GeoIP lookup of IP addresses in user interface (terminal and web)
"Log addresses": true, # Log remote addresses for each connection
"Log commands": true, # Log command line args for each executable
"Log ignore": [], # List of hashes (str), domains (str), IP subnets (str), or ports (int)
# will omit connections that match any of these from the connection log
# domains are in reverse domain name notation and will match all subdomains
# the process name, executable, and hash will still be recorded in record.json
"Log ports": true, # Log local and remote ports for each connection
"Perf ring buffer (pages)": 256, # Power of two number of pages for BPF program
# only change this if it is giving you errors (e.g. missed events)
# picosnitch opens a perf buffer for each event type, so this is multiplied by up to 18
"Set RLIMIT_NOFILE": null, # Set the maximum number of open file descriptors (int)
# it is used for caching process executables and hashes (typical system default is 1024)
# this is good enough for most people since caching is based on executable device + inode
# fanotify is used to detect if a cached executable is modified to trigger a hash update
"Set st_dev mask": null, # Mask device number for open file descriptors (int)
# set to 0 to disable verification if it is giving you errors (e.g. FD cache errors)
# defaults to 0 if a btrfs partition is detected, otherwise 0xffffffff
"VT API key": "", # API key for VirusTotal, leave blank to disable (str)
"VT file upload": false, # Upload file if hash not found, only hashes are used by default
"VT request limit (seconds)": 15 # Number of seconds between requests (free tier quota)
}
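As an added example (not picosnitch's own code), the following reimplements the `Log ignore` matching rules the config comments above describe: hashes, domains in reverse domain name notation that also match every subdomain, IP subnets, and ports. The connection dict keys, matching an int entry against either the local or the remote port, and the ignore list itself are assumptions; the sha256 value is a constructed placeholder.

```python
import ipaddress

# Constructed "Log ignore" list in the shape the config documents:
# hashes (str), reverse-notation domains (str), IP subnets (str), ports (int)
LOG_IGNORE = [
    "0" * 64,            # constructed placeholder sha256, not a real hash
    "com.example",       # reverse notation: example.com and every subdomain
    "10.0.0.0/8",        # IP subnet
    5353,                # port (assumed to match local or remote port)
]


def reverse_domain(domain: str) -> str:
    """'cdn.example.com' -> 'com.example.cdn' (reverse domain name notation)."""
    return ".".join(reversed(domain.rstrip(".").lower().split(".")))


def _as_network(entry: str):
    # Parse an ignore entry as an IP subnet (or a single address), else None.
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def matches_ignore(conn: dict, ignore: list = LOG_IGNORE) -> bool:
    """True if a connection (assumed keys: sha256, domain, raddr, lport, rport)
    matches any ignore entry and should be omitted from the connection log."""
    rdomain = reverse_domain(conn["domain"]) if conn.get("domain") else ""
    try:
        remote_ip = ipaddress.ip_address(conn["raddr"])
    except (KeyError, ValueError):
        remote_ip = None
    for entry in ignore:
        if isinstance(entry, int):
            if entry in (conn.get("lport"), conn.get("rport")):
                return True
        elif entry == conn.get("sha256"):
            return True
        elif (net := _as_network(entry)) is not None:
            if remote_ip is not None and remote_ip in net:
                return True
        elif rdomain == entry or rdomain.startswith(entry + "."):
            # reverse notation turns the subdomain test into a prefix check:
            # "com.example" matches "com.example.cdn" but not "com.notexample"
            return True
    return False
```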
~/.config/picosnitch/exe.log
~/.config/picosnitch/record.json
DB sql log (default) to write the full connection log to ~/.config/picosnitch/snitch.db
picosnitch dash, picosnitch view, or something like DB Browser
DB write limit (seconds) at best, and could be delayed if the previous group is slow to hash
DB sql server to write the full connection log to a MariaDB, MySQL, or PostgreSQL server
DB sql log and is used for providing an off-system copy to prevent tampering (use GRANT to assign privileges and see limitations for other caveats)
client to DB sql server with value mariadb, psycopg, psycopg2, or pymysql, you can also optionally set table_name
DB sql server as key/value pairs
DB text log to write the full connection log to ~/.config/picosnitch/conn.log
entry time, sent bytes, received bytes, executable path, process name, cmdline, sha256, parent executable, parent name, parent cmdline, parent sha256, user id, local port, remote port, local address, remote address, domain
~/.config/picosnitch/error.log
Every exe (not just conns) is enabled), picosnitch was designed such that it should still detect this and log an error giving you some indication of what happened
DB sql server to maintain an off-system copy of your logs
Perf ring buffer (pages)