tun2brook v20240101: see which application is creating TCP and UDP network connections

Updated at: 2023-12-16

Release Note

https://github.com/txthinking/tun2brook

Install via nami

nami install tun2brook

FUCK Windows Defender

Usage

run tun2brook

sudo tun2brook -l 'brook://...' --log /tmp/a.log

On Windows, open a terminal as administrator and omit sudo

follow log

tail -f /tmp/a.log

create TCP connection

curl --http2 https://http3.ooo -v
curl --http2 -4 https://http3.ooo -v
curl --http2 -6 https://http3.ooo -v

create UDP connection

curl --http3-only https://http3.ooo -v
curl --http3-only -4 https://http3.ooo -v
curl --http3-only -6 https://http3.ooo -v

If your curl does not support HTTP3, see here

Linux, macOS log:

{"action":"PROXY","appid":"/Users/fuck/.nami/bin/curl","brooklink":"default","content":"137.184.237.95:443","iface":"","kind":"TCP","time":"2023-12-15T16:24:31+08:00"}
{"action":"PROXY","appid":"/Users/fuck/.nami/bin/curl","brooklink":"default","content":"[2604:a880:4:1d0::4cf:b000]:443","iface":"","kind":"TCP","time":"2023-12-15T16:25:29+08:00"}

{"action":"PROXY","appid":"/Users/fuck/.nami/bin/curl","brooklink":"default","content":"137.184.237.95:443","iface":"","kind":"UDP","time":"2023-12-15T16:21:41+08:00"}
{"action":"PROXY","appid":"/Users/fuck/.nami/bin/curl","brooklink":"default","content":"[2604:a880:4:1d0::4cf:b000]:443","iface":"","kind":"UDP","time":"2023-12-15T16:22:43+08:00"}

Here the appid field, /Users/fuck/.nami/bin/curl, identifies the process that created the TCP and UDP connections

Windows log:

{"action":"PROXY","appid":"C:\\Users\\cloud\\.nami\\bin\\curl.exe","brooklink":"default","content":"137.184.237.95:443","iface":"","kind":"TCP","time":"2023-12-15T16:24:31+08:00"}
{"action":"PROXY","appid":"C:\\Users\\cloud\\.nami\\bin\\curl.exe","brooklink":"default","content":"[2604:a880:4:1d0::4cf:b000]:443","iface":"","kind":"TCP","time":"2023-12-15T16:25:29+08:00"}

{"action":"PROXY","appid":"C:\\Users\\cloud\\.nami\\bin\\curl.exe","brooklink":"default","content":"137.184.237.95:443","iface":"","kind":"UDP","time":"2023-12-15T16:21:41+08:00"}
{"action":"PROXY","appid":"C:\\Users\\cloud\\.nami\\bin\\curl.exe","brooklink":"default","content":"[2604:a880:4:1d0::4cf:b000]:443","iface":"","kind":"UDP","time":"2023-12-15T16:22:43+08:00"}

Here the appid field, C:\Users\cloud\.nami\bin\curl.exe, identifies the process that created the TCP and UDP connections

With FakeDNS

run tun2brook

sudo tun2brook -l 'brook://...' --log /tmp/a.log --fakeDNS --script ./a.tengo

On Windows, open a terminal as administrator and omit sudo

a.tengo:

text := import("text")

// Called for each DNS query. Blocking the query for dns.google stops the
// lookup before any connection to the resolver is attempted.
dnsquery_handler := func(m){
    if m.domain == "dns.google" {
        return {block: true}
    }
}

// Called for each outgoing connection. m.ipaddress is set when the app
// connected to an IP literal; m.domainaddress is set when FakeDNS mapped
// the destination back to a domain name.
address_handler := func(m) {
    if m.ipaddress {
        // Google Public DNS over TLS (853) and HTTPS (443), IPv4 and IPv6
        if m.ipaddress == "8.8.8.8:853" || m.ipaddress == "8.8.8.8:443" || m.ipaddress == "8.8.4.4:853" || m.ipaddress == "8.8.4.4:443" || m.ipaddress == "[2001:4860:4860::8888]:853" || m.ipaddress == "[2001:4860:4860::8888]:443" || m.ipaddress == "[2001:4860:4860::8844]:853" || m.ipaddress == "[2001:4860:4860::8844]:443" {
            return { block: true }
        }
    }
    if m.domainaddress {
        if text.has_prefix(m.domainaddress, "dns.google:") {
            return { block: true }
        }
    }
}

// Entry point: tun2brook provides either in_dnsquery or in_address.
// Returning nothing leaves the default (proxy) behavior in place.
handler := func(){
    if in_dnsquery {
        return dnsquery_handler(in_dnsquery)
    }
    if in_address {
        return address_handler(in_address)
    }
}

out := handler()

create TCP connection

curl --http2 https://http3.ooo -v

create UDP connection

curl --http3-only https://http3.ooo -v

Linux, macOS log:

{"action":"PROXY","appid":"/Users/fuck/.nami/bin/curl","brooklink":"default","content":"http3.ooo:443","iface":"","kind":"TCP","time":"2023-12-15T16:33:58+08:00"}

{"action":"PROXY","appid":"/Users/fuck/.nami/bin/curl","brooklink":"default","content":"http3.ooo:443","iface":"","kind":"UDP","time":"2023-12-15T16:34:39+08:00"}

Compared to the log without FakeDNS, the content field now shows the domain address http3.ooo:443 for both TCP and UDP instead of the resolved IP address

Windows log:

{"action":"PROXY","appid":"C:\\Users\\cloud\\.nami\\bin\\curl.exe","brooklink":"default","content":"http3.ooo:443","iface":"","kind":"TCP","time":"2023-12-15T16:33:58+08:00"}

{"action":"PROXY","appid":"C:\\Users\\cloud\\.nami\\bin\\curl.exe","brooklink":"default","content":"http3.ooo:443","iface":"","kind":"UDP","time":"2023-12-15T16:34:39+08:00"}

Compared to the log without FakeDNS, the content field now shows the domain address http3.ooo:443 for both TCP and UDP instead of the resolved IP address
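The log lines above are newline-delimited JSON, so they are easy to post-process. The following Go program is an added example and is not part of tun2brook or this release note: it parses lines in the format shown on this page, counts connections per appid and transport kind, and classifies each content value as an IP literal (plain mode) or a domain name (FakeDNS mode). The Entry struct, the Summarize and DestKind functions and the sampleLog constant are my own names; the sample lines are copied from this page, with one blank and one malformed line added to show that such lines are skipped.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net"
	"os"
	"sort"
	"strings"
)

// Entry mirrors the fields of one tun2brook --log line as shown on this page.
type Entry struct {
	Action    string `json:"action"`
	AppID     string `json:"appid"`
	BrookLink string `json:"brooklink"`
	Content   string `json:"content"`
	Iface     string `json:"iface"`
	Kind      string `json:"kind"`
	Time      string `json:"time"`
}

// DestKind classifies the content field: "ip" when the host part is an IP
// literal (plain TUN mode), "domain" when FakeDNS preserved the name.
func DestKind(content string) string {
	host, _, err := net.SplitHostPort(content)
	if err != nil {
		return "unknown"
	}
	if net.ParseIP(host) != nil {
		return "ip"
	}
	return "domain"
}

// Summary maps appid -> kind (TCP/UDP) -> number of log entries.
type Summary map[string]map[string]int

// Summarize parses newline-delimited JSON, skipping blank or malformed lines,
// and returns per-app/per-kind counts plus the sorted set of distinct
// (appid, kind, destination, destination class) tuples.
func Summarize(log string) (Summary, []string) {
	sum := Summary{}
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // malformed line: skip it rather than abort the whole file
		}
		if sum[e.AppID] == nil {
			sum[e.AppID] = map[string]int{}
		}
		sum[e.AppID][e.Kind]++
		seen[fmt.Sprintf("%s %s %s (%s)", e.AppID, e.Kind, e.Content, DestKind(e.Content))] = true
	}
	tuples := make([]string, 0, len(seen))
	for k := range seen {
		tuples = append(tuples, k)
	}
	sort.Strings(tuples)
	return sum, tuples
}

// sampleLog is constructed from the lines on this page plus a blank line and
// a deliberately malformed line.
const sampleLog = `
{"action":"PROXY","appid":"/Users/fuck/.nami/bin/curl","brooklink":"default","content":"137.184.237.95:443","iface":"","kind":"TCP","time":"2023-12-15T16:24:31+08:00"}
{"action":"PROXY","appid":"/Users/fuck/.nami/bin/curl","brooklink":"default","content":"[2604:a880:4:1d0::4cf:b000]:443","iface":"","kind":"TCP","time":"2023-12-15T16:25:29+08:00"}
{"action":"PROXY","appid":"/Users/fuck/.nami/bin/curl","brooklink":"default","content":"137.184.237.95:443","iface":"","kind":"UDP","time":"2023-12-15T16:21:41+08:00"}
{"action":"PROXY","appid":"/Users/fuck/.nami/bin/curl","brooklink":"default","content":"[2604:a880:4:1d0::4cf:b000]:443","iface":"","kind":"UDP","time":"2023-12-15T16:22:43+08:00"}
this line is not json
{"action":"PROXY","appid":"C:\\Users\\cloud\\.nami\\bin\\curl.exe","brooklink":"default","content":"http3.ooo:443","iface":"","kind":"TCP","time":"2023-12-15T16:33:58+08:00"}
{"action":"PROXY","appid":"C:\\Users\\cloud\\.nami\\bin\\curl.exe","brooklink":"default","content":"http3.ooo:443","iface":"","kind":"UDP","time":"2023-12-15T16:34:39+08:00"}
`

func main() {
	input := sampleLog
	if len(os.Args) > 1 { // e.g. pass /tmp/a.log written by tun2brook --log
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		input = string(b)
	}
	sum, tuples := Summarize(input)
	for app, kinds := range sum {
		fmt.Printf("%s: TCP=%d UDP=%d\n", app, kinds["TCP"], kinds["UDP"])
	}
	for _, t := range tuples {
		fmt.Println(t)
	}
}
```

Run it with the path of the file given to --log (for example /tmp/a.log) to get a per-application view of which destinations were reached over which transport; without an argument it runs over the embedded sample lines.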
