How to monitor processes sending out data over the Internet in Mac OS X?
June 22, 2007 5:59 PM
I had a problem recently with my school's network shutting down my dormitory Ethernet port because of some suspicious activity originating from my computer, a MacBook Pro. It occurred when I was not at my computer at all (and it was in a location secure from any other in-person manipulation). I vaguely recall that there exists a program on Mac OS X that records, and asks for confirmation for, every application that tries to send data out over the Internet. Anyone ever see such a thing?
I am not so interested in knowing precisely what data was sent out -- I can get that kind of information from my school's network logs. Instead, I want to be able to detect which process on my computer is doing it, should it happen again. Suggestions for a clean re-install and such are noted; no need to repeat them again, thanks. I am independently interested in finding a "sniffing" application anyway.
Just FYI, there are some rootkits around that will attempt to disable Little Snitch. I don't know whether any of them are in the wild, but I recall hearing one mentioned experimentally that did this.
I think the chances of you being infected with something like that are vanishingly low, but it's just worth mentioning that LS isn't foolproof. (As a general rule, if you suspect that a machine is compromised, it's difficult to trust anything it's telling you.)
If you wanted to monitor all the traffic that your Mac was transmitting, and you have another computer and an Ethernet hub (not a switch!) available, you could connect both computers to the switch, connect the switch to the wall, and then use a packet sniffer like Ettercap on the second machine.
Ettercap will "sniff" switched networks also, but it's more involved than just passively sitting and monitoring traffic, which is why I recommended using the hub.
Anyway, you might just want to play with it as a learning experience; it will teach you a lot about how Ethernet/IP networks work. And once you've sniffed one machine on a hub, you can replace the hub with a switch, and try sniffing switched Ethernet. Just stick to sniffing your own machine though. :)
posted by Kadin2048 at 6:04 AM on June 23, 2007
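The question asks how to tell which process is sending, and the answer above points to Little Snitch for that. As an added example (not from the thread or from any of the tools named in it), here is a small script that gets part of the way without extra software: it parses `lsof -i -nP`, which ships with Mac OS X, into process-to-remote-endpoint pairs, takes a baseline while you are at the machine, and then reports any pair that appears later. The `lsof` output embedded below is constructed, and the live `snapshot()` assumes `lsof` is on the path (run as root to see every user's processes).

```python
import re
import subprocess
# A connected-socket line from `lsof -i -nP` (COMMAND PID USER FD TYPE DEVICE
# SIZE/OFF NODE NAME); lines without "->" (listening, unconnected UDP) are skipped.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)(?:\s+\S+){4}\s+"
    r"(?P<proto>TCP|UDP)\s+\S+->(?P<remote>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?"
)

def parse_lsof(text):
    """Return (command, pid, user, proto, remote, state) per connected socket."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        out.append((m["cmd"], int(m["pid"]), m["user"], m["proto"], m["remote"], m["state"] or ""))
    return out

def by_process(entries):
    """Group remote endpoints by (command, pid) for a quick overview."""
    groups = {}
    for cmd, pid, _user, proto, remote, _state in entries:
        groups.setdefault((cmd, pid), set()).add(f"{proto} {remote}")
    return groups

def new_connections(baseline, current):
    """Entries in current whose (command, remote) pair is absent from baseline."""
    seen = {(e[0], e[4]) for e in baseline}
    return [e for e in current if (e[0], e[4]) not in seen]

def snapshot():
    """Run lsof on this machine (assumes lsof is on the path; root sees all users)."""
    return parse_lsof(subprocess.run(["lsof", "-i", "-nP"], capture_output=True, text=True).stdout)

# Constructed sample of lsof output; not captured from any real machine.
SAMPLE = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Safari     1234 alice   12u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 10.0.0.5:49152->93.184.216.34:443 (ESTABLISHED)
mDNSRespo   101 _mdnsresponder 7u IPv4 0x1a2b3c4d5e6f7082 0t0 UDP *:5353
mystery    4321 alice    5u  IPv4 0x1a2b3c4d5e6f7083      0t0  TCP 10.0.0.5:50001->198.51.100.7:8080 (ESTABLISHED)
mystery    4321 alice    6u  IPv4 0x1a2b3c4d5e6f7084      0t0  UDP 10.0.0.5:50002->198.51.100.7:53
"""

if __name__ == "__main__":  # baseline now, then report each new process/peer pair once
    import time
    baseline = snapshot()
    while True:
        time.sleep(10)
        fresh = new_connections(baseline, snapshot())
        for e in fresh:
            print(time.strftime("%H:%M:%S"), *e)
        baseline += fresh
```

Like Little Snitch, this only tells you what the running system reports; on a machine you suspect is rooted, the caveat in the answer above still applies.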
posted by Brandon Blatcher at 6:01 PM on June 22, 2007