2004-3-18
"Little Snitch" tells all.
Little Snitch is a little tool that monitors outbound connections from your system and, unless it already has a rule in place to permit or deny the connection outright, pops up a panel letting you know that an app is requesting a connection.
For example, the screen shot above was triggered by the launch of SBook as the app contacts the mothership to determine if a new version is available. Interesting.
I wonder what it is sending as a part of the "am I the latest version?" query?
Now, if you happen to have tcpflow installed (via Fink or from source or from Fred's public iDisk), you can easily answer that question.
It is just a matter of copy/paste (before hitting the allow button):
% sudo tcpflow -c -i en1 'host ip-64-7-15-234.dsl.bos.megapath.net'
Password:
tcpflow[2703]: listening on en1
010.000.001.004.58896-064.007.015.234.00080: GET /build.txt?myversion=5.17 HTTP/1.0
User-Agent: CFNetwork/1.1
Host: www.sbook5.com
Connection: close

064.007.015.234.00080-010.000.001.004.58896: HTTP/1.1 200 OK
Date: Fri, 19 Mar 2004 05:46:42 GMT
Server: Apache/1.3.27 (Unix) mod_perl/1.27 PHP/4.3.4 mod_ssl/2.8.14 OpenSSL/0.9.7a
Last-Modified: Mon, 29 Dec 2003 03:34:19 GMT
ETag: "38747b-10-3fefa0bb"
Accept-Ranges: bytes
Content-Length: 16
Connection: close
Content-Type: text/plain

1072668795 5.18
(If you are on Ethernet, use 'en0' instead of 'en1'.)
As expected (Simson definitely understands security & privacy), SBook doesn't do anything nefarious. But what about the other apps on the system?
I don't know. With Little Snitch active, I'm certainly going to be keeping a closer eye on things... (link fixed!)
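To ask the same question of other apps, the capture can be summarized mechanically. The Python below is an added example, not part of the original post or of tcpflow: it parses `tcpflow -c` console output and lists the query parameters and watched headers each outbound HTTP request carries. The function names and the WATCHED header list are assumptions of the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request and abridged response copied from the tcpflow session in the post.
CAPTURE = """\
010.000.001.004.58896-064.007.015.234.00080: GET /build.txt?myversion=5.17 HTTP/1.0
User-Agent: CFNetwork/1.1
Host: www.sbook5.com
Connection: close

064.007.015.234.00080-010.000.001.004.58896: HTTP/1.1 200 OK
Content-Type: text/plain

1072668795 5.18
"""

# tcpflow -c prefixes each chunk of data with "src_ip.src_port-dst_ip.dst_port: ".
FLOW = re.compile(r"^(?:\d{3}\.){4}\d{5}-((?:\d{3}\.){3}\d{3})\.(\d{5}): (.*)$")
REQUEST = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
# Headers worth a second look; this watch list is an assumption of the example.
WATCHED = {"cookie", "authorization", "referer", "from"}

def outbound_requests(text):
    """Return one dict per HTTP request found in `tcpflow -c` console output."""
    found, current = [], None
    for line in text.splitlines():
        flow = FLOW.match(line)
        if flow:
            current = None
            request = REQUEST.match(flow.group(3))
            if request:  # responses start with "HTTP/..." and are skipped
                url = urlsplit(request.group(2))
                ip = ".".join(str(int(octet)) for octet in flow.group(1).split("."))
                current = {"dst": f"{ip}:{int(flow.group(2))}", "method": request.group(1),
                           "path": url.path, "headers": {},
                           "params": dict(parse_qsl(url.query, keep_blank_values=True))}
                found.append(current)
        elif current is not None and not line.strip():
            current = None  # blank line ends the request headers
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
    return found

def disclosed(request):
    """What the app chose to send: query parameters plus any watched headers."""
    watched = {k: v for k, v in request["headers"].items() if k in WATCHED}
    return {"params": request["params"], "watched_headers": watched}

if __name__ == "__main__":
    for r in outbound_requests(CAPTURE):
        print(r["method"], r["headers"].get("host"), r["path"], "->", r["dst"], disclosed(r))
```

For the SBook capture this reports a single GET to 64.7.15.234:80 whose only app-supplied data is myversion=5.17.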