evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

[Feature] Display bytes sent/received per process #1081

Open gustavo-iniguez-goya opened 5 months ago

gustavo-iniguez-goya commented 5 months ago

There's some interest in knowing the amount of data sent/received per process so I've been working on this lately. There'll be issues and doubts so let this issue serve as a way to group them together.

How it works:

Data sent or received is intercepted via eBPF and stored in a map by pid. When a connection is destroyed, the collected data is sent to userspace, accumulated by process, and the partial bytes are sent to the GUI (server). The entry is deleted from the eBPF map.

In order not to saturate the daemon, the bytes are accumulated in kernel space. Every 5s the counters are reset and the collected stats are sent to userspace.

Note: This information can also be obtained via netlink, but as we only intercept new connections, we'd need to intercept connection destruction anyway.

On the GUI (server), the data is saved to the DB and displayed on the Applications tab:

New features based on this one:

TODOs:

alessandro308 commented 5 months ago

Is there some way I can help with this? I find it so useful. Maybe some hint or documentation where I can start to understand how to extend the eBPF module to intercept that data... Or even documentation giving a general overview of the eBPF->daemon communication.

gustavo-iniguez-goya commented 5 months ago

Hey @alessandro308!

I've got a diagram on how the daemon works, not very detailed... I need to update it because I just created it for myself and some things have changed. I'll post it once updated.

On the other hand, I've been busy testing the next release v1.6.5, but once released, I'll publish a branch with all the local changes of this feature.

The main functionality is working, but there's a lot of work still to do: (gui) allow filtering by last day, last 7 days, etc., (gui) delete old traffic stats from the db, (daemon) decide whether to use tcp_recvmsg/sendmsg to get the bytes or use tcp_cleanup_rbuf.

Right now the bytes are accumulated by pid, but it would be better to group them by connection, to allow viewing in the GUI the bytes sent to IPs, domains, ports, etc...

I'll keep this issue updated!
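
The accounting described in this thread, as an added example that is not OpenSnitch code: a userspace Go model of counters accumulated in a map, drained on the 5s tick or on connection destroy, and summed by the daemon per pid and per destination. The names `ConnKey`, `KernelMap`, `Account`, `Drain` and `Apply` and the sample events are assumptions made for the illustration.

```go
package main

import "fmt"

// ConnKey keys counters by connection, the grouping proposed in the thread.
type ConnKey struct {
	PID uint32
	Dst string // "ip:port"
}
type Counters struct{ Sent, Recv uint64 }

func sum(a, b Counters) Counters { return Counters{a.Sent + b.Sent, a.Recv + b.Recv} }

// KernelMap stands in for the eBPF map (a userspace model, not kernel code).
type KernelMap map[ConnKey]Counters

// Account is what a send/receive hook does: add bytes to the entry in place.
func (m KernelMap) Account(k ConnKey, sent, recv uint64) { m[k] = sum(m[k], Counters{sent, recv}) }

// Drain models both flush paths, the 5s tick (match all) and a connection destroy
// (match one). Reported entries are deleted, so userspace only ever sees deltas.
func (m KernelMap) Drain(match func(ConnKey) bool) map[ConnKey]Counters {
	out := map[ConnKey]Counters{}
	for k, c := range m {
		if match(k) {
			out[k] = c
			delete(m, k)
		}
	}
	return out
}

// Apply is the daemon side: add the deltas to per-pid and per-destination totals.
func Apply(byPID map[uint32]Counters, byDst map[string]Counters, deltas map[ConnKey]Counters) {
	for k, d := range deltas {
		byPID[k.PID] = sum(byPID[k.PID], d)
		byDst[k.Dst] = sum(byDst[k.Dst], d)
	}
}

func main() { // constructed events, documentation-range addresses
	km, byPID, byDst := KernelMap{}, map[uint32]Counters{}, map[string]Counters{}
	a, b := ConnKey{1200, "192.0.2.10:443"}, ConnKey{1200, "198.51.100.7:53"}
	km.Account(a, 500, 4000)
	km.Account(b, 60, 120)
	Apply(byPID, byDst, km.Drain(func(ConnKey) bool { return true })) // 5s tick
	km.Account(a, 300, 1000)
	Apply(byPID, byDst, km.Drain(func(k ConnKey) bool { return k == a })) // a destroyed
	fmt.Println(byPID, byDst)
}
```

Because every drain deletes what it reports, the daemon must add each report to its running totals rather than overwrite them.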