elesiuta / picosnitch

Monitor Network Traffic Per Executable, Beautifully Visualized

Home Page: https://elesiuta.github.io/picosnitch/

License: GNU General Public License v3.0

Python 99.63% Shell 0.37%
networking security monitoring privacy intrusion-detection bandwidth-monitor network-monitor network-monitoring network-traffic network-visualization

picosnitch's People

Contributors

aschaap, elesiuta, gpchelkin, mjdsys

picosnitch's Issues

picosnitch dash returns: touch ~/.config/picosnitch/dash: permission denied

Just updated the package on Arch Linux (which was a mission in itself due to the python-flask-seasurf package not installing), and saw that there was a new dash command. Tried running it and got this error:

touch ~/.config/picosnitch/dash: permission denied

Took a look at the ~/.config/picosnitch folder and it was owned by root:root. I have never interacted with this folder before. I changed ownership of folder to my user. Running the command again, it says 'serving web gui...', and opens the webpage but localhost:5100 doesn't load anything. The process in the terminal also exits immediately (not sure if that's expected).

Better website

The website (https://elesiuta.github.io/picosnitch/) is literally just a copy of the readme with one of the default themes for GitHub Pages. Both the layout and content could use a change.

It should probably focus on just highlighting the features with some screenshots/gifs, and direct users to the repo (https://github.com/elesiuta/picosnitch) for more details and installation/instructions.

The GitHub Pages config is stored in docs/_config.yml and the page is in docs/index.md.

Incorrect reporting in logs/db

Noticed a peculiarity RE: cmdline reporting in the db/logs.

For instance, running "curl https://google.com" will correctly report that exact command under the "cmdline" column.

Afterwards, if you attempt to run "curl https://facebook.com", for example, the db will again report "curl https://google.com" under the cmdline column.

Restarting the picosnitch service "fixes" the issue for the first command post restart; all subsequent (unique) commands will have the same "cmdline" value as the first one.

"pcmdline" also exhibits some very strange (incorrect) reporting, but I don't have an exact understanding of what happens.

Can we please see a Fedora RPM be created?

I'm just a Linux noob in desperate search to permanently replace the god awful creation that is Windows and a bandwidth monitor is the final piece of critical software that's missing. Glasswire on Windows is so simple and beautiful at monitoring per app bandwidth and your Picosnitch is the closest thing I've come across for Linux after much too many hours searching. Portmaster is a great new per app firewall but it's not designed to be for bandwidth monitoring and not something they've said they want to support either. Being able to use Picosnitch to see what's hogging up too much bandwidth and then using Portmaster to block that specific thing with ease is a very beautiful enticing combo that I would love to have on Linux.

Unfortunately though there's no easy way to download Picosnitch on Fedora. This is really really sad as Picosnitch is perfect for newer users like myself looking for a simple and elegant alternative to Glasswire at a time when many more newer Linux users are going to be giving Fedora a try instead of Ubuntu as one of their first distros. https://www.youtube.com/watch?v=D9h_0dnSGWk and https://www.makeuseof.com/reasons-fedora-is-new-ubuntu/.

As a Linux noob just wanting to not be in the dark on what my new operating system with new apps are up to, I've had to sadly and frustratingly give up on installing a bandwidth monitor until I can find a simpler way to install one. Having tried the PyPI method, I created quite a mess in the command line and am unsure how exactly to uninstall either. It would be tremendously helpful for all the new Linux users on Fedora if instead an RPM installation option was available as well. Much thanks in advance if you could spare the time to create one.

BPF.support_kfunc() was not True

Exception: Failed to load BPF program b'security_socket_connect_entry': Invalid argument
BPF.support_kfunc() was not True, cannot enable bandwidth monitor, check BCC version or Kernel Configuration
picosnitch subprocess died, attempting restart, terminate by running picosnitch stop

Database

Where is database stored? Could you add option to remove it every x days?

SQL execute OperationalError('table connections has 16 columns but 10 values were supplied',) on line 763

Howdy,

Just upgraded picosnitch using: pip3 install "picosnitch[full]" --upgrade --user

and now the error.log is filling up with these entries:

2022-11-06 17:01:01 SQL execute OperationalError('table connections has 16 columns but 10 values were supplied',) on line 763
2022-11-06 17:01:07 SQL execute OperationalError('table connections has 16 columns but 10 values were supplied',) on line 763
2022-11-06 17:01:12 SQL execute OperationalError('table connections has 16 columns but 10 values were supplied',) on line 763
2022-11-06 17:01:17 SQL execute OperationalError('table connections has 16 columns but 10 values were supplied',) on line 763

Feature: Add map view for visualizing connections

I've seen this requested a couple times in forums, so if someone wants to implement it, it could probably be done with https://plotly.com/python/bubble-maps/ in a new tab with https://dash.plotly.com/dash-core-components/tabs

All the code for the dash is under the function ui_dash and the connection data is queried from the sqlite db. The location is looked up with get_geoip for each IP and not stored in the sqlite db.

To help with debugging, you can test it with DASH_DEBUG=True python3 picosnitch.py start-dash

chrome webdriver

I was running a script using Selenium and wanted to monitor the bandwidth of the spawned Chrome instance, but it doesn't show that inside the filter.

Too much notification

This is a video of an extreme case:
https://youtu.be/pYR2W7_bsjQ

Sometimes Firefox also sends some repetitive notifications.

I think a cooldown timer for each app or an option to disable notifications entirely would be nice.

I can't manually disable notifications as it's not listed in GNOME Settings > Notifications.

Picosnitch crashes when kernel doesn't have CONFIG_SECURITY_NETWORK set

If the kernel is built without CONFIG_SECURITY_NETWORK, then the security_socket_connect_entry function does not exist and BCC cannot attach a BPF program to the kprobe.

Ideally picosnitch would not crash and display some useful message to the user (even if it's just that the kernel is not supported).
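
A preflight check of the kind this issue asks for, as an added example that is not part of the issue or of picosnitch's own code: it looks for the kprobe target in `/proc/kallsyms` text and, when the symbol is missing, reports what the kernel config says about `CONFIG_SECURITY_NETWORK`. The helper names are hypothetical, and reading the config from `/boot/config-<release>` is an assumption about the distribution.

```python
import os
import re
from pathlib import Path

# Symbol and option names come from the issue; the helpers are hypothetical.
KPROBE_SYMBOL = "security_socket_connect"
CONFIG_OPTION = "CONFIG_SECURITY_NETWORK"


def config_enabled(config_text, option=CONFIG_OPTION):
    """True/False when the config text states the option, None when it is silent."""
    for line in config_text.splitlines():
        line = line.strip()
        if line == f"# {option} is not set":
            return False
        match = re.fullmatch(rf"{re.escape(option)}=(\S+)", line)
        if match:
            return match.group(1) == "y"
    return None


def symbol_present(kallsyms_text, symbol=KPROBE_SYMBOL):
    """kallsyms lines are 'address type name [module]'; compare the name exactly."""
    return any(
        len(fields) >= 3 and fields[2] == symbol
        for fields in (line.split() for line in kallsyms_text.splitlines())
    )


def preflight(kallsyms_text, config_text=""):
    """Return readable problems; an empty list means the kprobe target exists."""
    if symbol_present(kallsyms_text):
        return []
    problems = [f"kernel has no symbol {KPROBE_SYMBOL}, kprobe cannot be attached"]
    state = config_enabled(config_text)
    if state is False:
        problems.append(f"{CONFIG_OPTION} is not set; this kernel is not supported")
    elif state is None:
        problems.append(f"could not determine {CONFIG_OPTION} from the kernel config")
    return problems


if __name__ == "__main__":
    kallsyms = Path("/proc/kallsyms").read_text()
    # Assumed location; some distributions only provide /proc/config.gz.
    config_path = Path(f"/boot/config-{os.uname().release}")
    config = config_path.read_text() if config_path.is_file() else ""
    for problem in preflight(kallsyms, config):
        print("picosnitch preflight:", problem)
```

Running such a check before attaching the probe lets the monitor exit with a clear message instead of a traceback and a restart loop.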

100% CPU

I noticed recently picosnitch running at 100% CPU so I stopped it.

I turned it on again today and noticed the same thing.

Within seconds of starting picosnitch it's running at 100% CPU. I'm not sure if it's related to the recent update, but I'm pretty sure that last week it was working normally.

bpf: Failed to load program: Invalid argument

Hi, I've been using picosnitch for the last couple of days on Arch Linux, ever since it showed up in the AUR. Today, after the 0.8.1 upgrade, the below error is thrown:

 
Dec 23 01:37:47 picosnitch[58805]: starting picosnitch in simple mode
Dec 23 01:37:59 picosnitch[58836]: bpf: Failed to load program: Invalid argument
Dec 23 01:37:59 picosnitch[58836]: Process snitchmonitor:
Dec 23 01:37:59 picosnitch[58836]: Traceback (most recent call last):
Dec 23 01:37:59 picosnitch[58836]   File "/usr/lib/python3.10/multiprocessing/process.py", line 315, in _bootstrap
Dec 23 01:37:59 picosnitch[58836]     self.run()
Dec 23 01:37:59 picosnitch[58836]   File "/usr/lib/python3.10/multiprocessing/process.py", line 108, in run
Dec 23 01:37:59 picosnitch[58836]     self._target(*self._args, **self._kwargs)
Dec 23 01:37:59 picosnitch[58836]   File "/usr/lib/python3.10/site-packages/picosnitch.py", line 827, in monitor_subprocess
Dec 23 01:37:59 picosnitch[58836]     b.attach_kprobe(event="security_socket_connect", fn_name="security_socket_connect_entry")
Dec 23 01:37:59 picosnitch[58836]   File "/usr/lib/python3.10/site-packages/bcc/__init__.py", line 829, in attach_kprobe
Dec 23 01:37:59 picosnitch[58836]     fn = self.load_func(fn_name, BPF.KPROBE)
Dec 23 01:37:59 picosnitch[58836]   File "/usr/lib/python3.10/site-packages/bcc/__init__.py", line 527, in load_func
Dec 23 01:37:59 picosnitch[58836]     raise Exception("Failed to load BPF program %s: %s" %
Dec 23 01:37:59 picosnitch[58836]: Exception: Failed to load BPF program b'security_socket_connect_entry': Invalid argument
Dec 23 01:38:03 systemd[1]: picosnitch.service: Main process exited, code=exited, status=1/FAILURE
Dec 23 01:38:03 systemd[1]: picosnitch.service: Failed with result 'exit-code'.
Dec 23 01:38:08 systemd[1]: picosnitch.service: Scheduled restart job, restart counter is at 1.

$ pacman -Q dbus-python picosnitch python python-bcc python-psutil python-requests
dbus-python 1.2.18-3
picosnitch 0.8.1-1
python 3.10.1-1
python-bcc 0.22.0-4
python-psutil 5.8.0-4
python-requests 2.26.0-5

Regards

Improve performance and reliability

polling psutil has poor performance and reliability
sniffing seems to be relatively reliable but has bad performance
I mentioned some ideas in c8ac1d8 along with some other commits

[Feature Request] Log ignore: filter on command params like URL

Hi, I really like the Log ignore option. Would it be possible to add URLs (or patterns of) to that so users could more easily distinguish between expected vs unexpected connections?

IMO such a feature would be very useful for filtering connections made by programs like curl, nc, ssh, wget and the like.

Dashboard bind ip / interface not configurable

Hey there. Nifty tool!

I was not able to access the dashboard though. I'm running it on a headless server, and the dash binds to 127.0.0.1:5100, allowing only local connections.

Would it be possible to select ip / port in the configuration?

Thanks

Too many Firefox notifications

Are all of these useful?

$ tail -f -n 100 ~/.config/picosnitch/exe.log

2022-01-12 16:11:42 DNS Resolver #3 - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-12 16:11:42 DNS Resolver #3 - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-12 16:11:43 DNS Resolver #4 - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-12 16:11:43 DNS Resolver #4 - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-12 16:11:44 DNS Resolver #8 - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-12 16:11:44 DNS Resolver #8 - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-12 16:11:48 DNS Resolver #7 - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-12 16:11:48 DNS Resolver #7 - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-12 16:11:48 DNS Resolver #6 - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-12 16:11:48 DNS Resolver #6 - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-12 16:11:48 DNS Resolver #5 - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-12 16:11:48 DNS Resolver #5 - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-12 16:11:48 Socket Thread - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-12 16:11:48 Socket Thread - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-12 16:17:16 GeckoMain - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-12 16:17:16 GeckoMain - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-12 17:09:58 DNS Resolver #9 - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-12 17:09:58 DNS Resolver #9 - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-12 19:02:03 DNS Res~ver #10 - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-12 19:02:03 DNS Res~ver #10 - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-12 22:02:07 DNS Res~ver #11 - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-12 22:02:07 DNS Res~ver #11 - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-13 10:17:40 DNS Res~ver #12 - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-13 10:17:40 DNS Res~ver #12 - /snap/firefox/838/usr/lib/firefox/firefox (name)
2022-01-13 10:47:14 DNS Res~ver #13 - /snap/firefox/838/usr/lib/firefox/firefox (exe)
2022-01-13 10:47:14 DNS Res~ver #13 - /snap/firefox/838/usr/lib/firefox/firefox (name)

Errors are being redirected to /dev/null

picosnitch/picosnitch.py

Lines 2330 to 2334 in 34f9f1f

subprocess.Popen(["bash", "-c", f'/usr/bin/env python3 -m webbrowser -t http://{os.getenv("HOST", "localhost")}:{os.getenv("PORT", "5100")}'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
return ui_dash()
subprocess.Popen(["bash", "-c", f'let i=0; rm {BASE_PATH}/dash; while [[ ! -f {BASE_PATH}/dash || "$i" -gt 30 ]]; do let i++; sleep 1; done; rm {BASE_PATH}/dash && /usr/bin/env python3 -m webbrowser -t http://{os.getenv("HOST", "localhost")}:{os.getenv("PORT", "5100")}'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
args = ["bash", "-c", f"touch {BASE_PATH}/dash; nohup {sys.executable} \"{os.path.abspath(__file__)}\" start-dash > /dev/null 2>&1 &"]
os.execvp("bash", args)

Hello,
Please remove the redirections and pipes to /dev/null for errors. You may want to consider removing all /dev/null redirections.

I got picosnitch up and running today, but with some difficulty. picosnitch dash wasn't starting, and gave no error messages, nor logs.

I had to open up my Python IDE in order to trace the code. I removed these /dev/null statements, and eventually found that Arch Linux currently has out of date packages for python-dash, which breaks with newer versions of Flask.

I have submitted changes to the Arch User Repo to get these packages updated, however I would appreciate not hiding these error messages. In case packages get updated and break things in the future, users will be able to troubleshoot what is wrong with their system more easily.

Love your work!

Regards,
Aeonik

picosnitch dash/start-dash not working

$ pacman -Qs picosnitch # arch btw
local/picosnitch 0.11.6-1
    Protect your privacy, see which applications make network connections
$ picosnitch start-dash
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/picosnitch.py", line 2187, in <module>
    sys.exit(start_picosnitch())
  File "/usr/lib/python3.10/site-packages/picosnitch.py", line 1869, in start_picosnitch
    return ui_dash()
  File "/usr/lib/python3.10/site-packages/picosnitch.py", line 1702, in ui_dash
    app.run(host=os.getenv("HOST", "localhost"), port=os.getenv("PORT", "5100"), debug=bool(eval(os.getenv("DASH_DEBUG", "False"))))
AttributeError: 'Dash' object has no attribute 'run'

picosnitch dash does open localhost:5100 but there's no server running on that port
