🔒 For Home / SOHO Security
Modern home and SOHO networks run 20–40 devices — smart TVs, IP cameras, NAS drives, Wi-Fi speakers, IoT appliances, and more. Many of these devices have minimal security hygiene and unknown outbound behaviors. Any of them can be silently compromised.
Passive, Zero-Impact
Reads the router's NAT session table over SSH — no inline traffic interception, no throughput penalty, no latency added to your network.
Per-Device Visibility
See exactly which IoT device or PC made which outbound connection. Device identity resolved via OUI, mDNS, SSDP, NetBIOS, and Apple model dictionary.
Automatic Threat Detection
Every connection checked in real time against Feodo Tracker, ThreatFox, URLhaus, and Spamhaus DROP. Flags C2 servers, botnets, and malware distribution hosts.
Instant Alerts
Slack DM the moment any device on your network connects to a known threat. Configurable cooldown per destination — no notification spam.
No Hardware Changes
Works with your existing Yamaha RTX router. Install on any Mac, PC, or Raspberry Pi on your LAN — nothing inline, nothing between your router and the internet.
Fully Local & Private
All processing runs on your machine. No traffic data is sent to the cloud. Enrichment lookups (GeoIP, RDAP, reverse DNS) use only destination IPs.
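An added sketch of the feed check and per-destination cooldown described under Automatic Threat Detection and Instant Alerts. It is not EgressView's own code: the function names, feed labels and addresses are assumptions built from documentation ranges, and it handles IPv4 only.

```javascript
// Added example, not EgressView source. Feed contents are constructed sample
// values; the feed labels are hypothetical.
const SAMPLE_FEEDS = {
  'c2-sample': ['198.51.100.7'],      // exact-IP style feed
  'drop-sample': ['203.0.113.0/24'],  // CIDR style feed
};

const ipToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

// Pre-compile feeds once so each session lookup is cheap.
function compileFeeds(feeds) {
  const exact = new Map(); // numeric IP -> feed label
  const ranges = [];       // { lo, hi, feed } for CIDR entries
  for (const [feed, entries] of Object.entries(feeds)) {
    for (const entry of entries) {
      const [addr, bits] = entry.split('/');
      if (bits === undefined) { exact.set(ipToInt(addr), feed); continue; }
      const size = 2 ** (32 - Number(bits));
      const lo = Math.floor(ipToInt(addr) / size) * size; // align to network base
      ranges.push({ lo, hi: lo + size - 1, feed });
    }
  }
  return { exact, ranges };
}

function lookup(compiled, ip) {
  const n = ipToInt(ip);
  if (compiled.exact.has(n)) return compiled.exact.get(n);
  const hit = compiled.ranges.find((r) => n >= r.lo && n <= r.hi);
  return hit ? hit.feed : null;
}

// Every hit is returned so it can be logged; `notified` is true only once per
// destination per cooldown window, however many devices or sessions reach it.
function createAlerter(compiled, cooldownMs) {
  const lastSent = new Map(); // destination IP -> time of last notification
  return function check(session, nowMs) {
    const feed = lookup(compiled, session.dst);
    if (!feed) return null;
    const prev = lastSent.get(session.dst);
    const notified = prev === undefined || nowMs - prev >= cooldownMs;
    if (notified) lastSent.set(session.dst, nowMs);
    return { src: session.src, dst: session.dst, feed, notified };
  };
}
```
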
✦ Features
Overview + Drill-down Workflow
Graph Map and Statistics show the whole network at a glance. Connection Log and Devices let you pivot into sessions, destinations, notes, and device history.
Yamaha RTX Integration
SSH into your Yamaha RTX router and read NAT session tables every 60 seconds. [INSPECT] syslog fills in short-lived TCP sessions missed between polls. Supports RTX1200–RTX1300, RTX810/830.
ASUS WiFi AP Support
Get L2 client details — WiFi band, signal strength, traffic rates, and AiMesh topology from your ASUS access point.
Smart Device ID
Identify devices via OUI, mDNS/Bonjour, SSDP, NetBIOS, and an Apple model dictionary (200+ models down to "iPhone 15 Pro").
📡 DNS-Based Destination Names
Tails a local dnsmasq query log to map destination IPs to meaningful domain names per device (e.g. example.com). Forward DNS takes priority over PTR reverse lookups.
IP Enrichment
Automatic reverse DNS, RDAP organization lookup, and GeoIP (city-level latitude/longitude) for every destination.
Connection History (SQLite)
Persistent connection history in SQLite (WAL mode, crash-safe) with configurable retention up to 2 years, time-series charts, and per-destination statistics.
🛡️ Threat Detection
Matches all connections against Feodo Tracker, ThreatFox, URLhaus, and Spamhaus DROP. Three confidence levels with actionable guidance.
🔔 Slack Notifications
Instant Slack DM when a threat is detected. Configurable cooldown per destination. Message language follows the UI language setting.
📋 Connection Log
Sortable, searchable table of all sessions. Per-column filters (text, regex, date range). Threat rows highlighted with click-to-detail popup. App column infers the service name from port and destination hostname (APNs, FCM, AirPlay, QUIC, iCloud, YouTube, AWS, Slack, Zoom, Tuya Smart, and more).
🔔 Detection Log
Persistent history of all threat detections and new-device alerts. Per-column filter, sort, and click-to-detail popup. Logged regardless of Slack configuration — always available for review.
🤖 AI Agent Access (MCP)
Built-in Model Context Protocol server exposes 11 tools — traffic summary, threat connections, top destinations, device list, device notes, and more — to AI assistants such as AWS Kiro, Anthropic Claude, and Anysphere Cursor. Supports stdio and HTTP transport. Setup guide →
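An added sketch of the DNS-Based Destination Names idea above: parse dnsmasq `log-queries` lines into a per-device map of destination IP to the name that device asked for, then prefer that name over a PTR result. It is not EgressView's own code; the function names and log lines are constructed for illustration.

```javascript
// Added example, not EgressView source. Constructed dnsmasq log lines (log-queries format).
const SAMPLE_LOG = [
  'Jan 10 12:00:01 dnsmasq[812]: query[A] api.example.com from 192.168.1.23',
  'Jan 10 12:00:01 dnsmasq[812]: forwarded api.example.com to 192.0.2.53',
  'Jan 10 12:00:01 dnsmasq[812]: reply api.example.com is 203.0.113.10',
  'Jan 10 12:00:05 dnsmasq[812]: query[A] www.example.org from 192.168.1.40',
  'Jan 10 12:00:05 dnsmasq[812]: reply www.example.org is <CNAME>',
  'Jan 10 12:00:05 dnsmasq[812]: reply edge.example.net is 203.0.113.20',
  'Jan 10 12:00:09 dnsmasq[812]: query[A] api.example.com from 192.168.1.40',
  'Jan 10 12:00:09 dnsmasq[812]: cached api.example.com is 203.0.113.10',
];
const QUERY = /: query\[(?:A|AAAA)\] (\S+) from (\S+)$/;
const ANSWER = /: (?:reply|cached) (\S+) is (\S+)$/;
const isIp = (v) => /^(\d{1,3}\.){3}\d{1,3}$/.test(v) || (v.includes(':') && /^[0-9a-fA-F:.]+$/.test(v));

// Returns Map "clientIp|destIp" -> name the client asked for.
// Correlation is by name and order only, so heavily interleaved queries can be
// misattributed; dnsmasq's log-queries=extra adds serial numbers that avoid this.
function buildForwardMap(lines) {
  const waiting = new Map(); // queried name -> { clients: Set, answered: bool }
  const forward = new Map();
  let chain = null;          // original name and clients carried across <CNAME> lines
  for (const line of lines) {
    let m;
    if ((m = QUERY.exec(line))) {
      let entry = waiting.get(m[1]);
      if (!entry || entry.answered) {
        entry = { clients: new Set(), answered: false };
        waiting.set(m[1], entry);
      }
      entry.clients.add(m[2]);
      chain = null;
    } else if ((m = ANSWER.exec(line))) {
      const [, name, value] = m;
      const entry = waiting.get(name);
      if (entry) entry.answered = true;
      if (value === '<CNAME>') {
        if (!chain && entry) chain = { name, clients: entry.clients };
        continue;
      }
      if (!isIp(value)) continue; // NXDOMAIN, NODATA and similar answers
      const owners = entry ? { name, clients: entry.clients } : chain;
      if (!owners) continue;
      for (const c of owners.clients) forward.set(`${c}|${value}`, owners.name);
    }
  }
  return forward;
}

// Forward DNS (what the device asked for) wins over the PTR record for the IP.
function destinationName(forward, clientIp, destIp, ptrName) {
  return forward.get(`${clientIp}|${destIp}`) || ptrName || destIp;
}
```
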
▶ Demo
UI language: English / Japanese selectable
Graph Map and Statistics give you the network-wide overview: device/destination patterns, session trends, and noisy endpoints — all updating in real time.
Connection Log and Devices let you drill down into suspicious destinations, noisy devices, beacon candidates, notes, and device history.
⬡ Architecture
┌─────────────────┐  SSH(NAT)   ┌──────────────────────┐
│ Yamaha RTX      │◄───────────►│                      │  WebSocket   ┌──────────────────┐
│ [INSPECT] log   │ syslog/UDP  │  EgressView Server   │◄────────────►│ Browser          │
│ [DHCPD] log     │────────────►│  (Node.js)           │     MCP      ├──────────────────┤
└─────────────────┘             │                      │◄────────────►│ AI Assistant     │
┌─────────────────┐    HTTP     │  Pollers:            │  stdio/HTTP  │ (Kiro, Claude…)  │
│ ASUS WiFi AP    │◄───────────►│  • yamaha (SSH)      │              └──────────────────┘
│ (Client list)   │             │  • asus (HTTP)       │
└─────────────────┘             │  • inspect-syslog    │
┌─────────────────┐   tail -F   │  • dhcpd-syslog      │
│ dnsmasq         │────────────►│  • dnsmasq-log       │
│ query log       │             └──────────┬───────────┘
└─────────────────┘                        │
                       ┌───────────────────┼───────────────┐
                       │                   │               │
                 ┌─────┴─────┐   ┌─────────┴───┐   ┌───────┴───┐
                 │ Enrichment│   │ Threat Intel│   │ SQLite    │
                 │ • dnsmasq │   │ • Feodo     │   │ History   │
                 │ • Rev DNS │   │ • ThreatFox │   │ (WAL)     │
                 │ • RDAP    │   │ • URLhaus   │   └───────────┘
                 │ • GeoIP   │   │ • DROP      │
                 │ • OUI     │   └─────────────┘
                 │ • mDNS    │
                 └───────────┘
▶ Quick Start
Step 1 — Prerequisites
| ✅ | Node.js 22+ on your Mac / PC / Raspberry Pi | nodejs.org → |
| ✅ | Yamaha RTX router — SSH access enabled | Setup guide → |
| ☐ | (Optional) ASUS WiFi AP — web admin enabled | Setup guide → |
| ☐ | (Optional) AI assistant access via MCP (AWS Kiro, Anthropic Claude, Anysphere Cursor…) | Setup guide → |
Step 2 — Install and launch
git clone https://github.com/yo1t/egressview.git
cd egressview
npm install
npm start
Step 3 — Open the browser and log in
On first startup the initial login password is printed to the console:
══════════════════════════════════════
EgressView login password (initial):
KFpDqntYRfcr...
→ Log in with this password on first access
══════════════════════════════════════
Open http://localhost:3000 and enter the password.
Step 4 — Configure your router in Settings (⚙)
| Yamaha RTX IP | LAN IP of your router (e.g. 192.168.1.1) |
| SSH username / password | Set up in the Yamaha guide |
| ASUS AP IP / password | AP's LAN IP and admin password (ASUS guide) |
For Yamaha RTX, click Connect & Auto-detect after entering the IP, username, and password. EgressView verifies SSH access, detects the NAT descriptor, checks LAN IP and NAT sessions, then fills the recommended settings before you save.
Devices, sessions, and statistics will start appearing in the UI within a few seconds.
◎ Supported Hardware
Yamaha RTX (L3/L4)
RTX1200, RTX1210, RTX1220, RTX1300, RTX810, RTX830, NVR500, NVR510, NVR700W — any model with SSH + NAT descriptor.
ASUS WiFi AP (L2)
RT-AX series, RT-AC series, ZenWiFi (AiMesh) — any model with standard web admin, used in AP/mesh mode.
◎ Issues & Feedback
Found a bug or have a feature request? Open an issue on GitHub.
⬡ Links
GitHub Repository
Source code, issues, pull requests, and contribution guidelines.
README (EN)
Full documentation: setup, configuration, features, and security details.
README (Japanese)
Japanese documentation: setup, configuration, features, and security.
Yamaha RTX Setup Guide
Step-by-step guide to enable SSH on your Yamaha RTX router.
ASUS AP Setup Guide
How to configure your ASUS access point for EgressView.
AI Agent Access (MCP)
Ask AWS Kiro, Anthropic Claude, Anysphere Cursor, or another MCP-capable assistant about your network in natural language — threat summaries, top destinations, new devices, device notes, alerts, and more. 11 tools included.
License (AGPL-3.0)
Free to use and modify. Network service deployments must share changes.