Netiquette

In today's connected world, it is rare to find an application or piece of malware that doesn't talk to a remote server.
Netiquette is a network monitor that allows one to explore all network sockets and connections, either via an interactive UI, or from the commandline.
Supported OS: macOS 10.10+
Current version: 1.2.0 (change log)
Zip's SHA-1: D3D38D1E09138DB50FB38F41C14C7C0971D6F3D8
Source Code: Netiquette


Special mahalo to Jonathan Levin for inspiring the creation of this tool! 🙏


Netiquette, is a lightweight open-source network monitor designed exclusively for macOS.

Via its simple intuitive UI, you can quickly:
  • view all network connections

  • uncover any listening sockets

  • filter and export network events
To use Netiquette, simply download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive.

As there is nothing to install, simply double-click on 'Netiquette.app' to launch the network monitor.



When launched, Netiquette will display all active network connections and sockets. By default, it will auto-refresh every few seconds (to ensure up-to-date network information is continually displayed). Also, networking information belonging to Apple processes, by default is not shown. Both these options can be toggled off and on via check boxes in the UI:


There is also an input box, (top-right of the UI), that will filter displayed network connections. Filter on things such as process (name, path, pid) or network information (ip address, port, interface, state, etc). For example, type "Listen" to reveal all network sockets that are listening for (possibly) remote network connections:


Click the "save" icon (bottom left), to export the network connections to a JSON file:



The saved JSON contains detailed information about processes (pid, path, signing information, etc), and their network connections or sockets. For example, here we see output related to netcat (/usr/bin/nc) listener on port 666:

[{
"process": {
	"pid": "5885",
	"path": "/usr/bin/nc",
	"signature(s)": {
		"signatureIdentifier": "com.apple.nc",
		"signatureStatus": 0,
		"signatureSigner": 1,
		"signatureEntitlements": {
			"com.apple.security.network.client": true,
			"com.apple.security.network.server": true
	},
	
	"signatureAuthorities": [
		"Software Signing", 
		"Apple Code Signing Certification Authority", 
		"Apple Root CA" ]
	}
},
"connections": [{
	"interface": "",
	"protocol": "TCP",
	"localAddress": "0.0.0.0",
	"localPort": "666",
	"remoteAddress": "0.0.0.0",
	"remotePort": "0",
	"remoteHostName": "n/a",
	"state": "Listen"
	}]
}]

Commandline Interface
Netiquette can also be run via the commandline, to list all active network connections.

Note:
This is similar to Apple's built-in nettop tool. However, Netiquette provides more comprehensive information such as:
  • full process path

  • connection filtering

  • code-signing information

  • detailed output in standard JSON

Execute the Netiquette binary (note: specify the full path to the Netiquette binary within its application bundle) with -h or -help to display information about the self-explanatory commandline options:
$ Netiquette.app/Contents/MacOS/Netiquette -h

NETIQUETTE USAGE:
 -h or -help  display this usage info
 -list        enumerate all network connections
 -names       resolve remote host names (via DNS)
 -pretty      JSON output is 'pretty-printed' for readability
 -skipApple   ignore connections that belong to Apple processes 

The -list commandline flag will generate a (JSON) list of all active network connections and sockets:
$ Netiquette.app/Contents/MacOS/Netiquette -list -pretty

[
  {
    "process" : {
      "pid" : "5885",
      "path" : "\/usr\/bin\/nc",
      "signature(s)" : {
        "signatureIdentifier" : "com.apple.nc",
        "signatureStatus" : 0,
        "signatureSigner" : 1,
        "signatureEntitlements" : {
          "com.apple.security.network.server" : true,
          "com.apple.security.network.client" : true
        },
        "signatureAuthorities" : [
          "Software Signing",
          "Apple Code Signing Certification Authority",
          "Apple Root CA"
        ]
      }
    },
    "connections" : [
      {
        "remoteHostName" : "n\/a",
        "protocol" : "TCP",
        "interface" : "",
        "localAddress" : "0.0.0.0",
        "state" : "Listen",
        "remotePort" : "0",
        "localPort" : "666",
        "remoteAddress" : "0.0.0.0"
      }
    ]
  }
  ...
]


Note:
To capture the output from Netiquette, (as it writes to STDOUT), simply pipe it to a file out of your choice:

$ ./Netiquette.app/Contents/MacOS/Netiquette -list > /path/to/some/file.json