jeffre/geobytes

geobytes

Live terminal monitor showing bytes sent/received per remote IP address, with geolocation and reverse DNS.

geobytes — en0  [2026-03-30 14:23:01]  q to quit

  #     IP Address                                 Bytes          Location                          Hostname
  ---   ------------------------------------------  -------------  --------------------------------  --------
  1     142.250.80.46                               4.2 MB         Mountain View, US                 lax17s55-in-f14.1e100.net
  2     17.253.144.10                               1.1 MB         Cupertino, US                     ...
  3     104.18.30.67                                856.0 KB       US                                cloudflare.com
  4     192.168.1.1                                 12.3 KB        BOGON
  5     2607:f8b0:4005::200e                        4.1 KB         Mountain View, US                 lax17s56-in-x0e.1e100.net

Requirements

Installation

git clone <repo>
cd geobytes
go build -o geobytes .

GeoLite2 Database

geobytes requires a local copy of the MaxMind GeoLite2-City database. It is free but requires a MaxMind account.

  1. Sign up at maxmind.com
  2. Download GeoLite2-City.mmdb
  3. Place it in the directory where you run geobytes

geobytes/
├── geobytes          ← binary
└── GeoLite2-City.mmdb

Usage

sudo ./geobytes

  Flag  Description                                      Example
  ----  -----------------------------------------------  --------
  -i    Network interface (default: first non-loopback)  -i en0
  -f    BPF filter expression                            -f "udp"

Examples

# Specific interface
sudo ./geobytes -i en0

# UDP traffic only
sudo ./geobytes -f "udp"

# HTTPS traffic only
sudo ./geobytes -f "tcp and port 443"

# DNS queries
sudo ./geobytes -f "udp and port 53"

# Exclude SSH
sudo ./geobytes -f "not port 22"

# Combine interface and filter
sudo ./geobytes -i en0 -f "tcp"

BPF filter syntax is the same as tcpdump. The filter runs in the kernel, so non-matching packets are never copied to userspace.

Display

  Column      Description
  ----------  -----------
  #           Rank by bytes (highest first)
  IP Address  Remote IP (IPv4 or IPv6)
  Bytes       Combined sent + received (includes IP/transport headers)
  Location    City and country from GeoLite2. BOGON for private/reserved ranges
  Hostname    Reverse DNS (PTR record), resolved asynchronously and cached. ... while pending

The display refreshes every second. Press q or Ctrl+C to quit. Resize the terminal to show more rows.

Running Tests

# Unit tests (no network required)
go test -short ./...

# All tests including network-dependent DNS resolution tests
go test ./...

How It Works

  • Capture — gopacket + libpcap captures packets on the selected interface. For each packet, the remote IP (non-local side) is identified and its byte count is incremented.
  • Geolocation — looked up once per IP against the local GeoLite2-City database and cached indefinitely.
  • Reverse DNS — net.LookupAddr with a 2s timeout, fired in a background goroutine on first encounter and cached.
  • BOGON detection — private, loopback, link-local, CGNAT, multicast, and reserved ranges are identified before any GeoLite2 or DNS lookup and labeled BOGON.
  • TUI — Bubble Tea handles rendering, terminal resize events, and clean alt-screen management.
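
An added example (not geobytes' own code) of the BOGON check described above, written with Go's net/netip. The isBogon name and the extra prefix list are assumptions; running the check before any lookup keeps internal addresses out of PTR queries sent to the resolver.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Ranges the netip.Addr helper methods do not cover. Constructed list based on
// the IANA special-purpose registries; an assumption, not geobytes' own table.
var extraBogons = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),       // "this network"
	netip.MustParsePrefix("100.64.0.0/10"),   // CGNAT shared address space
	netip.MustParsePrefix("192.0.0.0/24"),    // IETF protocol assignments
	netip.MustParsePrefix("192.0.2.0/24"),    // TEST-NET-1
	netip.MustParsePrefix("198.18.0.0/15"),   // benchmarking
	netip.MustParsePrefix("198.51.100.0/24"), // TEST-NET-2
	netip.MustParsePrefix("203.0.113.0/24"),  // TEST-NET-3
	netip.MustParsePrefix("240.0.0.0/4"),     // reserved, includes broadcast
	netip.MustParsePrefix("2001:db8::/32"),   // IPv6 documentation
}

// isBogon (hypothetical helper) reports whether s should be labeled BOGON and
// skipped for GeoLite2 and PTR lookups. Unparseable input fails closed.
func isBogon(s string) bool {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return true
	}
	addr = addr.Unmap().WithZone("") // fold ::ffff:a.b.c.d to IPv4, drop %zone
	if addr.IsUnspecified() || addr.IsLoopback() || addr.IsPrivate() ||
		addr.IsLinkLocalUnicast() || addr.IsMulticast() {
		return true
	}
	for _, p := range extraBogons {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample addresses, several taken from the display above.
	for _, s := range []string{"142.250.80.46", "192.168.1.1", "100.64.12.7",
		"::ffff:10.0.0.5", "fe80::1%en0", "2607:f8b0:4005::200e"} {
		fmt.Printf("%-24s bogon=%v\n", s, isBogon(s))
	}
}
```

Unmapping and zone stripping matter here: an IPv4-mapped IPv6 address or a zoned link-local address would otherwise slip past the prefix checks and trigger an external lookup.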
