Snitch – A friendlier ss/netstat

Posted by karol-broda 12/23/2025

Snitch – A friendlier ss/netstat(github.com)

341 points | 103 comments

PunchyHamster 12/23/2025|

it's weird that both lsof and ss defaults are so awful

Like, ss without any options shows such arcane, rarely needed details as send/receive queue size but not the application socket belongs to.

And omits listening sockets which is main use for such tools.

I know picking the right defaults is hard ask but they managed to pick all the wrong defaults.

jcgl 12/23/2025||

Completely agreed. Not sure what the historical reasons for lsof and ss are, but unix tools are structurally in a hard place when it comes to having sensible defaults over the long term.

Generally speaking, you can only have sensible defaults over time if you're able to change the defaults over time. New users and new use-cases come with time, and so what constitutes a "sensible default" changes.

However (and this is a drum I like to bang[0]), because unix tools only deal in usually-text bytestreams without any higher level of abstraction, consumers of those tools end up tightly coupled with how output is presented. Without any separation between data and its representation, the (default) representation is the tool's API. To change the default representation is to make a backwards-incompatible API change. A good example of this is how ps aux truncates longer than like 7 characters.

[0] https://www.cgl.sh/blog/posts/sh.html

ycombiredd 12/23/2025|||

Hah yes, I've come to unashamedly - by muscle memory since the 1990's - find myself always typing 'ps auxw[w...]', where [w...] is some arbitrary number of w's depending on how heavy my index finger feels at the moment of typing.

jiveturkey 12/23/2025|||

> change the defaults over time

however this breaks backward compatibility, as you noted. in the golden age of unix it was critical to maintain backward compatibility so that local tooling didn't magically break.

HP-UX seems to have an env var UNIX95 that affects XPG4 compliance in operation/output. Solaris always had a /usr/xpg[46] path (and /usr/ucb). GNU tools have POSIXLY_CORRECT. and so on.

I never liked using any of those because then you're on some other system, or in a break glass situation, and none of the tooling works as you expect. In the today world of a near monoculture of linux, it's fine I guess. And there's no reason today that complex commands like `ss` shouldn't be controllable via env var.

love your blog, thanks for the link.

jcgl 12/23/2025||

> love your blog, thanks for the link.

Thank you!

Configuring configuration via env var is a good historical example. I think that especially works nicely when you Buy An Operating System. You know, one that is created and provided by A Vendor. In principle, the vendor can architect a unified metaconfiguration system, e.g. one or several env vars that align behavior to a standard.

But I dunno if it would work so well to to hypothetically apply that tactic to a modern bazaar-based OS like Linux. Distros do amazing, valuable work to unify things, but modern Linux is basically a zillion software packages in a trench coat. So either the distro carries a zillion patches to have a few env vars, or the distro carries no patches and there are a zillion env vars. Either way, total cost of maintenance explodes.

Maybe when people say "text is the universal interface," they really mean that once you've released a textual interface, the interface becomes universal, unchanging for all time.

1vuio0pswjnm7 12/25/2025|||

"Like, ss without any options shows such arcane, rarely needed details as send/receive queue size but not the application socket belongs to.

And omits listening sockets which is main use for such tools."

IMHO this would be one of the many arguments in favor of compiling from source rather than using "binary packages"^1

https://mirrors.edge.kernel.org/pub/linux/utils/net/iproute2...

   (
   printf '/int state_filter = 0;/a\\\n'
   printf 'state_filter = (1 << SS_LISTEN) | (1 << SS_CLOSE);\\\n'
   printf 'show_processes++;\\\n'
   printf 'show_queues = 0;\\\n'
   echo
   echo "s/dhalBet/q&/"
   printf '/switch (ch) {/a\\\n'
   printf "case 'q':show_queues=1;break;\\\n"
   echo
   )|sed -i -f/dev/stdin misc/ss.c

This changes the default to display all sockets, hide the queues and show the processes using each socket

It also adds adds a -q option to display the queues

1. IMHO this is also an argument against "cloud computing", i.e., using someone else's computers where pre-installed kernels and binary packages are the norm

laserbeam 12/23/2025|||

> I know picking the right defaults is hard

I think we understand that UX problem much better now than developers did back in the 70s. In general, not just for ss/lsof

petepete 12/23/2025|||

I think the same applies for many of the new breed of command line applications like fd and ag/rg.

Being able to use them intuitively trumps ubiquity, speed or features.

PunchyHamster 12/23/2025|||

But it's not tradeoff! You can make default view useful without trading versatility.

Another annoying part is not supporting json or even CSV. Some tools got modernized with it (like iproute2 tool set), but for these you might as well do /proc scraping yourself...

sureglymop 12/23/2025|||

That's true in general. But default view is still subjective. The challenge probably lies in recognizing the larges subset of your user base that would like it to be a certain consistent way.

yencabulator 12/26/2025|||

ss is from the same batch of modernization as iproute2.

mr_mitm 12/23/2025||||

Depends on the use case.

If used in scripts, ubiquity and speed can be important. Then again, the output of ss is not ideal for script processing.

PunchyHamster 12/23/2025||

That's the problem, it's not good for humans, it's not great for scripts

fn-mote 12/23/2025|||

Very curious what is wrong about the rg defaults.

The only one I change is to add `--no-ignore`.

petepete 12/25/2025||

Nothing.

fd, rg and ag all work how I expect them to work and the arguments and order fit in with my expectations for modern cli applications.

They're recursive, they ignore things I don't care about and I can just give them the string I'm looking for, no path, no -name or --recursive etc.

find and grep do similar things but work entirely differently and their args aren't even in the same format.

ectospheno 12/23/2025||

Don’t “netstat -utan” and “ss -utan” show basically the same thing?

mzi 12/23/2025||

"utan" means "without" in Swedish, so I use the more flowery "-tulpan" as my mnemonic. It means tulip.

mikeryan 12/23/2025||

When I saw this headline I assumed it was Little Snitch an existing network monitor and firewall for Macs.

Might need a different name.

https://www.obdev.at/products/littlesnitch/index.html

wkat4242 12/23/2025||

There's also a Linux clone of little snitch, OpenSnitch.

zormal 12/23/2025||

There's also https://github.com/snitch-org/snitch with the AUR package name 'snitch'.

stressback 12/23/2025|||

Seems like a fine name. Why would little snitch existing necessitate a name change?

charcircuit 12/23/2025||

Because it's potentially trademark infringement because it could confuse people.

consp 12/23/2025|||

Can you actually trademark a common word? (Serious question)

janzer 12/23/2025|||

Yes, Apple, Windows, Amazon, Shell, Target, Dove, Ivory, Tide, Polo.

(With help from Claude completing the list)

satiated_grue 12/23/2025||

Remember the trademark fights between Apple Music (Beatles) and Apple Computer? Interesting history.

kalleboo 12/23/2025||

Sosumi!

Angostura 12/23/2025|||

Yes, but only for a fair tight class of business

cretinoid 12/23/2025|||

Exactly right.

karol-broda 12/23/2025|||

i am not sure if this would need a different name, you may just have this association because you are using little snitch, but they have completely different use-cases. for now this will just be a way to display ss/netstat data in the terminal in a nice way

mrjay42 12/23/2025|||

Wow that's so nice, would there be an equivalent for PC? (Windows or Linux)

guessmyname 12/23/2025|||

1. Linux → https://github.com/evilsocket/opensnitch

2. Windows → https://www.glasswire.com/

3. Windows (open source) → https://github.com/henrypp/simplewall

4. Windows → https://safing.io/

hwj 12/23/2025|||

I've been a long time Litte Snitch user. However, these days I'm just using LuLu: https://objective-see.org/products/lulu.html

teruakohatu 12/23/2025||

Why did you switch? Price? OSS? Or does LuLu have compelling features?

hwj 12/23/2025||

It's a mix of everything (in no particular order):

- the author of LuLu is a security researcher; he also wrote "The Art of Mac Malware"

- I already bought two versions of Little Snitch and wasn't willing to pay for the third one

- contacting their support left a bitter aftertaste

teruakohatu 12/24/2025||

> - I already bought two versions of Little Snitch and wasn't willing to pay for the third one

I have probably also paid for three versions. It’s a great piece of software and they do not require upgrades excessively.

But I will try LuLu. I would rather my security software was OSS.

mrjay42 12/23/2025|||

Thank you <3

westurner 12/23/2025|||

dotfiles/scripts/netstatpsutil.py: https://github.com/westurner/dotfiles/blob/develop/scripts/n...

Textual or similar for a top-like mode would be cool someday

scripts/lsof.sh does lsof from /proc/*: https://github.com/westurner/dotfiles/blob/develop/scripts/l...

cretinoid 12/23/2025||

I immediately thought of that too. The names these people come up with are so embarrassing. And I'm not even talking about the meaning of 'snitch'. But you already have a tool within the same IT area that is basically named the same. Why the hell would you do that? Aren't there other words in the dictionary?

inejge 12/23/2025|||

> The names these people come up with are so embarrassing. And I'm not even talking about the meaning of 'snitch'.

They should call it "rat" and be done with it.

Besides, "snitch" works for Little Snitch -- I've always found it somehow endearing, although the bare word is unflattering.

cretinoid 12/23/2025||

[dead]

monster_truck 12/23/2025|||

It's not even a friendly word

fulafel 12/23/2025||

The demo recording-as-code seems cool (in https://github.com/karol-broda/snitch/tree/master/demo)

karol-broda 12/23/2025|

thanks :), havent really seen this much in other projects

aos 12/23/2025||

I love the recent increase in TUI-based tooling. This looks cool - will check it out!

mabedan 12/23/2025|

Are they as accessible as GUI though (genuine question)

UI libraries have a lot of features for allowing people with disabilities to “read” and interact with the screen in efficient ways

WhyNotHugo 12/23/2025|||

TUI tools are generally as accessible as the terminal on which they run.

GUI apps are much trickier. They require that the developer implement integration with accessibility frameworks (which vary depending on X11/Wayland) or use a toolkit which does this.

hombre_fatal 12/23/2025|||

GUI kits like AppKit or GTK have built-in accessibility features like standard components (input fields, dropdown boxes) and view hierarchy that interact with accessibility tools for free. It's the main upside of a GUI.

TUIs are tricky.

I think TUI accessibility generally involves rereading the screen on changes (going by macOS VoiceOver). It can optimize this if you use the terminal cursor (move it with ansi sequences) or use simple line-based output, but pretty much zero TUIs do this. You'd have to put a lot of thought into making your TUI screenreader friendly compared to a GUI.

The thing going for you when you build a TUI is that people are used to bad accessibility so they don't expect you to solve the ecosystem. Kind of like how international keyboards don't work in terminal apps because terminal emulator doesn't send raw key scans.

jcgl 12/23/2025|||

How are TUI tools just as accessible as the terminal? Take a visually-simple program like neomutt or vim. How does a vision-impaired user understand the TUI's layout? E.g. splits and statusbar in vim, or the q:Quit d:Del... labels at the top of neomutt. It seems to me like the TUI, because it only provides the abstraction of raw glyphs, any accessibility is built on hopes and dreams. More complicated TUIs like htop or glances seem like they would be utterly hopeless.

When it comes to GUIs, you have a higher level of abstraction than grid-of-glyphs. By using a GUI toolkit with these abstractions, you can get accessibility (relatively) for free.

Open to having my mind changed though.

4gotunameagain 12/23/2025|||

Accessibility is a great thing to have and strive for, but it cannot be the number one design principle.

Imagine if everything around us would be designed for blind people.

austinjp 12/23/2025|||

I suspect blind people imagine that a lot.

The idea is to design for all (or as many as feasible), it's not a binary either/or.

4gotunameagain 12/23/2025||

You cannot design a lot of TUI for all. Should we abandon TUI entirely ?

TZubiri 12/23/2025|||

Not necessarily designed for, but accessible to.

Additionally in sysadmin, blind-users are not just some random group, the ability not to use one's eyes is central to the Command Line Interface. You could always in theory get by with just a keyboard and a TTS that reads out the output, it's all based on the STDIO abstractions that are just string streams, completely compatible and accessible to blind, and even deaf users. (Unlike GUIs)

themafia 12/23/2025||

It looks nice, and I don't see anything wrong with it, but I've been using iptraf-ng since forever and I think it has a slight edge here.

Is it possible I've missed something from the demonstration video on that page?

karol-broda 12/23/2025|

thanks! snitch is closer to an ss/netstat replacement (sockets + processes) than a traffic monitor. traffic monitoring is planned, but not implemented yet.

INTPenis 12/23/2025||

I've gotten used to ss now, and I quite like it, I just wish there was an option to not show the send/recv numbers. I never use them and the width is already so wide that the output barely fits into most terminals when you have them split vertically on a laptop screen.

That said though, I'm not going to install snitch. The thing about ss is that it's already there, on every server I manage. And I definitely do not need a TUI for this.

Snitch is something you might install in your homelab, or your workstations. But ss is still the default when you provision a lot of servers.

karol-broda 12/23/2025|

fair point. ss stays the default on servers because it is already installed. snitch is for workstation/homelab debugging when i want quicker filtering and selection. also, i do not show send/recv yet, but if i add it later it will be optional (compact mode / toggle) so it fits in split panes.

rramadass 12/23/2025||

An old classic powerful network tool; Netwox (i.e. Network Toolbox with more than 200 tools) and Netwag (Tcl/Tk GUI) - https://ntwox.sourceforge.net/ and https://ntwag.sourceforge.net/

Howto Guide - https://anto.online/mastering-netwag-guide/

karol-broda 12/23/2025|

this is supposed to be an actually maintained terminal utility for viewing ss/netstat data

rramadass 12/24/2025||

I was just pointing to another network tool used for all sorts of fine-grained networking jobs (eg. security testing and others) which might be helpful to others.

It was created by Laurent Constantin (https://linuxsecurity.com/features/introduction-to-netwox-an...) for his own needs and hence the TUI/GUI is not polished. But it is simple, direct and gets the job done which is what is important. And it is a mature tool (hence no need for active maintenance) available in all Linux distros.

poemxo 12/23/2025||

I don't like the name but I like the TUI, connection monitoring is perfectly handled by a TUI!

karol-broda 12/23/2025|

thanks, but what don’t you like about the name?

poemxo 12/26/2025||

Sorry for slow response. Snitch sounds like a tool that will do intercepting or alerting. Little Snitch is perfectly named in this regard. When it pops up prompting you for action, it feels like it just snitched on an app.

What you have here isn't a snitch, it's more like a full map of traffic. I don't have any other suggestions unfortunately.

Just my 2c

pdimitar 12/23/2025||

When attempting to install through go:

    go install github.com/karol-broda/snitch@latest

I get this error message:

    go: github.com/karol-broda/snitch@latest: version constraints conflict:
     github.com/karol-broda/snitch@v0.1.8: parsing go.mod:
     module declares its path as: snitch
             but was required as: github.com/karol-broda/snitch

Melonai 12/23/2025||

They declared their module with just their package name without a URL, it got fixed a few hours ago.

I find it a bit interesting that Go even allows you to declare `module barename` in go.mod even though it loves breaking so many things if you do so. I sometimes try doing it for completely private projects but I always just declare some URL in the end, it's a weird anti-pattern in my opinion.

PhilippGille 12/23/2025|||

They fixed it 6 hours ago, but it's not in a release yet: https://github.com/karol-broda/snitch/commit/7fdb1ed477894f1...

karol-broda 12/23/2025||

i fixed it and created a release so building from @latest should work now

reimuwu 12/23/2025|||

Would you consider vendoring dependencies? It would be helpful for offline builds, especially when writing packaging scripts :D

pdimitar 12/24/2025|||

It is indeed fixed now. Thank you!

coppsilgold 12/23/2025|

I always wondered how useful such tools are against a competent adversary. If you are a competent engineer designing malware, wouldn't you introduce a dormancy period into your malware executable and if possible only talk to C&C while the user is doing something that talks to other endpoints? Maybe even choose the communication protocol based on what the user is doing to blend in even better.

gus_ 12/23/2025||

At the very least, these tools should not parse /proc to obtain information of processes or connections. It should be the last option.

Many LD_PRELOAD rootkits hide their activity from the system by manipulating the output of libc functions like readdir(), open(), stat(), etc. kernel rootkits can hide whatever they need, but the common functionality is also to hide data from /proc.

That's why netstat, ps, *top or lsof are not reliable tools if the system is compromised. ss is a bit different and is a bit more reliable.

In this case, snitch is written in Go, which doesn't use the libc functions, so probably it'll be able to obtain information from /proc even if hidden by a LD_PRELOAD rootkit.

Another option would be to compile the binary statically.

Anyways, these tools are not meant to unhide malicious traffic or processes, so I think detecting beacons, inspecting traffic, etc, is out of the scope.

Resources:

https://github.com/gustavo-iniguez-goya/decloaker

User-space library rootkits revisited: Are user-space detection mechanisms futile? - https://arxiv.org html/2506.07827v1

The Hidden Threat: Analysis of Linux Rootkit Techniques and Limitations of Current Detection Tools - https://dl.acm.org/doi/10.1145/3688808

https://matheuzsecurity.github.io/hacking/bypass-userland-ho...

https://ops.tips/blog/how-is-proc-able-to-list-pids/

jcgl 12/23/2025||

What makes ss different?

In any case, interesting to think of shared libraries (specifically shared libc) as a risk here. Makes sense, but I hadn't thought about it before.

That said, I'm having a hard time doing a threat model where you worry about an attacker only setting LD_PRELOAD but not modifying PATH. The latter is more general and can screw you with all programs (doesn't cover shell builtins, but it's not like those would just be one more step).

gus_ 12/23/2025||

ss obtains the connections information via netlink directly from the kernel (besides parsing /proc):

https://manpages.debian.org/bookworm/manpages/sock_diag.7.en...

https://github.com/vishvananda/netlink/blob/main/inet_diag.g...

Not many rootkits tamper the netlink channel, so in most cases it's a bit more reliable.

matheuzsec 12/24/2025|||

Nowadays, there's only one rootkit that can hide itself so perfectly: the Singularity rootkit. It also hides from auditd by using netlink_unicast hooking and other evasive functionalities. Analyzing a machine compromised with Singularity loaded is a real headache, since it prevents memory dumps for analysis.

https://github.com/MatheuZSecurity/Singularity

jcgl 12/23/2025|||

Okay yeah, sure. So it's not intrinsically more reliable or anything, it's just not specifically vulnerable to LD_PRELOAD. And it's not clear to me why LD_PRELOAD would be a particularly interesting attack vector, but maybe that's just my ignorance.

karol-broda 12/23/2025|||

agreed on the limits. snitch isnt aimed at adversarial detection; its a local debugging/inspection tool. a competent attacker can blend in by design, so this isnt meant to be a standalone security control

ashtakeaway 12/23/2025||

With a name like Snitch, it should be aimed at adversarial detection.

Just my two snitches.

tptacek 12/23/2025||

Tools like these aren't really intended for adversarial environments, and pure network tools that are designed for real adversaries have a really spotty track record (good search: [bro vantage point problem]).

entrop 12/23/2025||

That search did not come up with much. Can you elaborate?

alwa 12/23/2025||

Not tptacek, but my search yielded this which seems relevant (to the network monitoring tool once named Bro, now Zeek):

https://www.icir.org/mallman/pubs/APT07/APT07.pdf

> The “SH” state indicates that the remote peer sent a SYN followed by a FIN—however, the monitor never recorded a SYN-ACK from the local peer. At first glance, this would seem to indicate a scanner that is trying to make connection attempts look as real as possible in the hopes of not triggering an alarm. However, such connections can also indicate a vantage point problem whereby the monitor is not observing outgoing traffic from some hosts. While in general the monitor placement at LBNL can observe both incoming and outgoing traffic, there were periods of time where the traffic for some LBNL hosts would partially bypass the monitor. From a measurement perspective this is clearly undesirable.

More comments...