Completely agreed. Not sure what the historical reasons for lsof and ss are, but unix tools are structurally in a hard place when it comes to having sensible defaults over the long term.
Generally speaking, you can only have sensible defaults over time if you're able to change the defaults over time. New users and new use-cases come with time, and so what constitutes a "sensible default" changes.
However (and this is a drum I like to bang[0]), because unix tools only deal in usually-text bytestreams without any higher level of abstraction, consumers of those tools end up tightly coupled with how output is presented. Without any separation between data and its representation, the (default) representation is the tool's API. To change the default representation is to make a backwards-incompatible API change. A good example of this is how ps aux truncates longer than like 7 characters.
But it's not tradeoff! You can make default view useful without trading versatility.
Another annoying part is not supporting json or even CSV. Some tools got modernized with it (like iproute2 tool set), but for these you might as well do /proc scraping yourself...
That's true in general. But default view is still subjective. The challenge probably lies in recognizing the larges subset of your user base that would like it to be a certain consistent way.
I immediately thought of that too. The names these people come up with are so embarrassing. And I'm not even talking about the meaning of 'snitch'. But you already have a tool within the same IT area that is basically named the same. Why the hell would you do that? Aren't there other words in the dictionary?
TUI tools are generally as accessible as the terminal on which they run.
GUI apps are much trickier. They require that the developer implement integration with accessibility frameworks (which vary depending on X11/Wayland) or use a toolkit which does this.
GUI kits like AppKit or GTK have built-in accessibility features like standard components (input fields, dropdown boxes) and view hierarchy that interact with accessibility tools for free. It's the main upside of a GUI.
TUIs are tricky.
I think TUI accessibility generally involves rereading the screen on changes (going by macOS VoiceOver). It can optimize this if you use the terminal cursor (move it with ansi sequences) or use simple line-based output, but pretty much zero TUIs do this. You'd have to put a lot of thought into making your TUI screenreader friendly compared to a GUI.
The thing going for you when you build a TUI is that people are used to bad accessibility so they don't expect you to solve the ecosystem. Kind of like how international keyboards don't work in terminal apps because terminal emulator doesn't send raw key scans.
How are TUI tools just as accessible as the terminal? Take a visually-simple program like neomutt or vim. How does a vision-impaired user understand the TUI's layout? E.g. splits and statusbar in vim, or the q:Quit d:Del... labels at the top of neomutt. It seems to me like the TUI, because it only provides the abstraction of raw glyphs, any accessibility is built on hopes and dreams. More complicated TUIs like htop or glances seem like they would be utterly hopeless.
When it comes to GUIs, you have a higher level of abstraction than grid-of-glyphs. By using a GUI toolkit with these abstractions, you can get accessibility (relatively) for free.
Additionally in sysadmin, blind-users are not just some random group, the ability not to use one's eyes is central to the Command Line Interface. You could always in theory get by with just a keyboard and a TTS that reads out the output, it's all based on the STDIO abstractions that are just string streams, completely compatible and accessible to blind, and even deaf users. (Unlike GUIs)
Thanks for this! I can never remember the netstat arguments, and it's a bit crazy that it doesn't come with sane defaults, so this is going to be really useful.
thanks! snitch is closer to an ss/netstat replacement (sockets + processes) than a traffic monitor. traffic monitoring is planned, but not implemented yet.
go: github.com/karol-broda/snitch@latest: version constraints conflict:
github.com/karol-broda/snitch@v0.1.8: parsing go.mod:
module declares its path as: snitch
but was required as: github.com/karol-broda/snitch
One aspect of sysadminship that I find cute (but suboptimal) is how we memorize this strings of commands that were clearly not quite designed to be used in that manner.
A slightly related example is how our intents in our mind end up having commands that don't resemble at all what we actually want, creating a map between intent and command that is almost exclusively arbitrary except for some obsucre etymological origin that might or might not help you remember the command in a time of need.
For example:
Intent: "create a file"
Command: "touch $FILE"
As it happens, touching a file doesn't mean to create, it was supposed to touch to modify the last access date, like a null op. But now if you want to create a file you do that.
Intent: "Print a file contents to screen"
Command: "cat $FILE"
Is this a reference to a feline? some slang for printing or reading? No it's short for concatenate, but if you pass just one argument instead of 2, it prints the concatenation of 1 file and nothing.
Even something as simple as
Intent: "Rename a file"
Command: "mv $FILE"
Of ocurse there's the fact that moving a file and renaming the file are very similar if not identical in most FS/OS, but also, the slight change from a word to a proper-name style command already creates a style of command line interaction that was very natural in the 80s, but is now being reinvented with the advent of more powerful language decoding technology. So even:
Intent: "Copy a file"
Command: "cp $FILE"
Now to the topic, you can see how my relationship with ss is the mapping:
Intent: "See a list of open ports"
Command: "ss -tulnp"
Which I remember mnmemotecnically because it is close to -tulip. This is similar to ps -aux in that the command includes a set of options and I remember it mnemotecnically ("auxiliary" or "auxilio"), and I use the options even when I don't need them, modifying the options from that baseline if needed, like removing "a" to get just the current user's processes.
That said. I don't know if the future is going to be "better" alternatives to old tools, but rather deconstructing or making use of the concept of "binary":"command", running man and --help has never been an optimal solution, and let's be honest, kids nowadays are googling, stackoverflowing and chatgpting their intent in order to get a magical command.
No easy way to improve upon this at the userspace level, the OS model of delegating control to binaries based on a hierarchical command structure is sensible, and "magic", or sharing commands across binaries without a clear ruleset would be too opaque. But I feel that creating new tools while barely revolutionizing the way they work is too small an incremental change, it adds more noise, I'm not sure that ss2 or network-manager instead of wpa_supplicant is a better outcome, now you are just linearly increasing the cognitive demand of new sysadmins linearly with time.
I always wondered how useful such tools are against a competent adversary. If you are a competent engineer designing malware, wouldn't you introduce a dormancy period into your malware executable and if possible only talk to C&C while the user is doing something that talks to other endpoints? Maybe even choose the communication protocol based on what the user is doing to blend in even better.
At the very least, these tools should not parse /proc to obtain information of processes or connections. It should be the last option.
Many LD_PRELOAD rootkits hide their activity from the system by manipulating the output of libc functions like readdir(), open(), stat(), etc.
kernel rootkits can hide whatever they need, but the common functionality is also to hide data from /proc.
That's why netstat, ps, *top or lsof are not reliable tools if the system is compromised. ss is a bit different and is a bit more reliable.
In this case, snitch is written in Go, which doesn't use the libc functions, so probably it'll be able to obtain information from /proc even if hidden by a LD_PRELOAD rootkit.
Another option would be to compile the binary statically.
Anyways, these tools are not meant to unhide malicious traffic or processes, so I think detecting beacons, inspecting traffic, etc, is out of the scope.
In any case, interesting to think of shared libraries (specifically shared libc) as a risk here. Makes sense, but I hadn't thought about it before.
That said, I'm having a hard time doing a threat model where you worry about an attacker only setting LD_PRELOAD but not modifying PATH. The latter is more general and can screw you with all programs (doesn't cover shell builtins, but it's not like those would just be one more step).
agreed on the limits. snitch isnt aimed at adversarial detection; its a local debugging/inspection tool. a competent attacker can blend in by design, so this isnt meant to be a standalone security control
Tools like these aren't really intended for adversarial environments, and pure network tools that are designed for real adversaries have a really spotty track record (good search: [bro vantage point problem]).
> The “SH” state indicates that the remote peer sent a SYN followed by a FIN—however, the monitor never recorded a SYN-ACK from the local peer. At first glance, this would seem to indicate a scanner that is trying to make connection attempts look
as real as possible in the hopes of not triggering an alarm. However, such connections can also indicate a vantage point problem whereby the monitor is not observing outgoing traffic from some hosts. While in general the monitor placement at LBNL can observe both incoming and outgoing traffic, there were periods of time where the traffic for some LBNL hosts would partially bypass the monitor. From a measurement perspective this is clearly undesirable.
Before systemd presented a generalised interface, there were significant differences in the init and service management systems between the popular Red Hat and Debian families of distros.
Those additional programs can be freely chosen by distros and/or users. So each of them has to stand on their merit. Though of course they do get some built-in credibility by coming from the systemd project. But for the most part, I think systemd software just tends to have competitive offerings with nice interfaces.
Like, ss without any options shows such arcane, rarely needed details as send/receive queue size but not the application socket belongs to.
And omits listening sockets which is main use for such tools.
I know picking the right defaults is hard ask but they managed to pick all the wrong defaults.
Generally speaking, you can only have sensible defaults over time if you're able to change the defaults over time. New users and new use-cases come with time, and so what constitutes a "sensible default" changes.
However (and this is a drum I like to bang[0]), because unix tools only deal in usually-text bytestreams without any higher level of abstraction, consumers of those tools end up tightly coupled with how output is presented. Without any separation between data and its representation, the (default) representation is the tool's API. To change the default representation is to make a backwards-incompatible API change. A good example of this is how ps aux truncates longer than like 7 characters.
[0] https://www.cgl.sh/blog/posts/sh.html
I think we understand that UX problem much better now than developers did back in the 70s. In general, not just for ss/lsof
Being able to use them intuitively trumps ubiquity, speed or features.
Another annoying part is not supporting json or even CSV. Some tools got modernized with it (like iproute2 tool set), but for these you might as well do /proc scraping yourself...
The only one I change is to add `--no-ignore`.
If used in scripts, ubiquity and speed can be important. Then again, the output of ss is not ideal for script processing.
Might need a different name.
https://www.obdev.at/products/littlesnitch/index.html
(With help from Claude completing the list)
2. Windows → https://www.glasswire.com/
3. Windows (open source) → https://github.com/henrypp/simplewall
4. Windows → https://safing.io/
- the author of LuLu is a security researcher; he also wrote "The Art of Mac Malware"
- I already bought two versions of Little Snitch and wasn't willing to pay for the third one
- contacting their support left a bitter aftertaste
Textual or similar for a top-like mode would be cool someday
scripts/lsof.sh does lsof from /proc/*: https://github.com/westurner/dotfiles/blob/develop/scripts/l...
They should call it "rat" and be done with it.
Besides, "snitch" works for Little Snitch -- I've always found it somehow endearing, although the bare word is unflattering.
`brew install snitch`
UI libraries have a lot of features for allowing people with disabilities to “read” and interact with the screen in efficient ways
GUI apps are much trickier. They require that the developer implement integration with accessibility frameworks (which vary depending on X11/Wayland) or use a toolkit which does this.
TUIs are tricky.
I think TUI accessibility generally involves rereading the screen on changes (going by macOS VoiceOver). It can optimize this if you use the terminal cursor (move it with ansi sequences) or use simple line-based output, but pretty much zero TUIs do this. You'd have to put a lot of thought into making your TUI screenreader friendly compared to a GUI.
The thing going for you when you build a TUI is that people are used to bad accessibility so they don't expect you to solve the ecosystem. Kind of like how international keyboards don't work in terminal apps because terminal emulator doesn't send raw key scans.
When it comes to GUIs, you have a higher level of abstraction than grid-of-glyphs. By using a GUI toolkit with these abstractions, you can get accessibility (relatively) for free.
Open to having my mind changed though.
Imagine if everything around us would be designed for blind people.
The idea is to design for all (or as many as feasible), it's not a binary either/or.
Additionally in sysadmin, blind-users are not just some random group, the ability not to use one's eyes is central to the Command Line Interface. You could always in theory get by with just a keyboard and a TTS that reads out the output, it's all based on the STDIO abstractions that are just string streams, completely compatible and accessible to blind, and even deaf users. (Unlike GUIs)
Is it possible I've missed something from the demonstration video on that page?
For example:
Intent: "create a file"
Command: "touch $FILE"
As it happens, touching a file doesn't mean to create, it was supposed to touch to modify the last access date, like a null op. But now if you want to create a file you do that.
Intent: "Print a file contents to screen" Command: "cat $FILE"
Is this a reference to a feline? some slang for printing or reading? No it's short for concatenate, but if you pass just one argument instead of 2, it prints the concatenation of 1 file and nothing.
Even something as simple as
Intent: "Rename a file" Command: "mv $FILE"
Of ocurse there's the fact that moving a file and renaming the file are very similar if not identical in most FS/OS, but also, the slight change from a word to a proper-name style command already creates a style of command line interaction that was very natural in the 80s, but is now being reinvented with the advent of more powerful language decoding technology. So even:
Intent: "Copy a file" Command: "cp $FILE"
Now to the topic, you can see how my relationship with ss is the mapping:
Intent: "See a list of open ports" Command: "ss -tulnp"
Which I remember mnmemotecnically because it is close to -tulip. This is similar to ps -aux in that the command includes a set of options and I remember it mnemotecnically ("auxiliary" or "auxilio"), and I use the options even when I don't need them, modifying the options from that baseline if needed, like removing "a" to get just the current user's processes.
That said. I don't know if the future is going to be "better" alternatives to old tools, but rather deconstructing or making use of the concept of "binary":"command", running man and --help has never been an optimal solution, and let's be honest, kids nowadays are googling, stackoverflowing and chatgpting their intent in order to get a magical command.
No easy way to improve upon this at the userspace level, the OS model of delegating control to binaries based on a hierarchical command structure is sensible, and "magic", or sharing commands across binaries without a clear ruleset would be too opaque. But I feel that creating new tools while barely revolutionizing the way they work is too small an incremental change, it adds more noise, I'm not sure that ss2 or network-manager instead of wpa_supplicant is a better outcome, now you are just linearly increasing the cognitive demand of new sysadmins linearly with time.
Sorry to be a bummer.
Many LD_PRELOAD rootkits hide their activity from the system by manipulating the output of libc functions like readdir(), open(), stat(), etc. kernel rootkits can hide whatever they need, but the common functionality is also to hide data from /proc.
That's why netstat, ps, *top or lsof are not reliable tools if the system is compromised. ss is a bit different and is a bit more reliable.
In this case, snitch is written in Go, which doesn't use the libc functions, so probably it'll be able to obtain information from /proc even if hidden by a LD_PRELOAD rootkit.
Another option would be to compile the binary statically.
Anyways, these tools are not meant to unhide malicious traffic or processes, so I think detecting beacons, inspecting traffic, etc, is out of the scope.
Resources:
https://github.com/gustavo-iniguez-goya/decloaker
User-space library rootkits revisited: Are user-space detection mechanisms futile? - https://arxiv.org html/2506.07827v1
The Hidden Threat: Analysis of Linux Rootkit Techniques and Limitations of Current Detection Tools - https://dl.acm.org/doi/10.1145/3688808
https://matheuzsecurity.github.io/hacking/bypass-userland-ho...
https://ops.tips/blog/how-is-proc-able-to-list-pids/
In any case, interesting to think of shared libraries (specifically shared libc) as a risk here. Makes sense, but I hadn't thought about it before.
That said, I'm having a hard time doing a threat model where you worry about an attacker only setting LD_PRELOAD but not modifying PATH. The latter is more general and can screw you with all programs (doesn't cover shell builtins, but it's not like those would just be one more step).
Just my two snitches.
https://www.icir.org/mallman/pubs/APT07/APT07.pdf
> The “SH” state indicates that the remote peer sent a SYN followed by a FIN—however, the monitor never recorded a SYN-ACK from the local peer. At first glance, this would seem to indicate a scanner that is trying to make connection attempts look as real as possible in the hopes of not triggering an alarm. However, such connections can also indicate a vantage point problem whereby the monitor is not observing outgoing traffic from some hosts. While in general the monitor placement at LBNL can observe both incoming and outgoing traffic, there were periods of time where the traffic for some LBNL hosts would partially bypass the monitor. From a measurement perspective this is clearly undesirable.
1. Can you highlight the currently selected row with a different background?
2. Maybe add optional reverse DNS lookups?
Thanks for sharing
Systemd's obsession with remaking every single wheel in Linux has been aggravating enough. Please don't do it again.
Before systemd presented a generalised interface, there were significant differences in the init and service management systems between the popular Red Hat and Debian families of distros.