diff --git a/README.md b/README.md index 3d905bf..72abc49 100644 --- a/README.md +++ b/README.md @@ -380,10 +380,14 @@ To use your own certificate: A dark-themed HTML page that auto-refreshes every 5 seconds. Sections: - **Stat cards** — total connections, connections in the last 60 seconds, uptime, ports mapped, and last connection time. -- **Top source IPs** — the 10 most active scanner addresses since startup. +- **Top source IPs** — the 10 most active scanner addresses since startup, each annotated with a two-letter country code fetched from the geo lookup service. - **Top targeted ports** — the 10 most-probed ports since startup. - **Banner lookup** — enter any port number (0–65535) and see the hex and text preview of the banner that port will send. The result persists across auto-refreshes when using the `?port=N` query parameter. -- **Recent connections** — the 50 most-recent connections, newest first, with timestamp, source, destination port, banner hex excerpt, and banner length. +- **Recent connections** — the 50 most-recent connections, newest first, with timestamp, source IP (with country code), destination port, and banner length. + +#### IP geolocation + +Country codes are resolved asynchronously on each dashboard render using `https://www.daprogs.com/ip/?raw=1&ip=`. Results are cached in memory for the lifetime of the process, so each IP is only looked up once. Private or unroutable addresses (e.g. `127.0.0.1`, `192.168.x.x`) that return no result are displayed without a country code — no crash, no placeholder. ### Banner lookup shortcut @@ -422,7 +426,7 @@ Current statistics snapshot. #### `GET /api/connections?limit=N` -The N most-recent connection events, newest first. `limit` defaults to 50, maximum 500. +The N most-recent connection events, newest first. `limit` defaults to 100, maximum 500. ```json [ 
@@ -431,7 +435,6 @@ The N most-recent connection events, newest first. `limit` defaults to 50, maxim "src_ip": "198.51.100.42", "src_port": 54312, "dst_port": 443, - "banner_hex": "485454502f312e31203230300d0a", "banner_len": 14 } ] @@ -608,7 +611,7 @@ Only traffic arriving on `eth1` is redirected. Traffic on other interfaces (e.g. # Poll stats every second watch -n1 'curl -su admin:changeme http://127.0.0.1:8080/api/stats | python3 -m json.tool' -# Tail recent connections +# Tail the 10 most recent connections watch -n2 'curl -su admin:changeme "http://127.0.0.1:8080/api/connections?limit=10" | python3 -m json.tool' ```
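Review bot: In the hunk at `@@ -380,10 +380,14 @@`, the new "IP geolocation" paragraph does not say that every source IP the listener records is sent to a third-party service (`https://www.daprogs.com/ip/?raw=1&ip=`), and it documents no way to turn the lookup off. Please add a sentence stating this plainly, along with the option that disables it if one exists. The paragraph should also say what happens when the service is slow or unreachable (timeout, and whether the render waits), since lookups run "on each dashboard render" and the page auto-refreshes every 5 seconds. Two further points on the same paragraph: a cache kept "for the lifetime of the process" grows with the number of distinct source addresses, which remote parties control, so a size cap or expiry is worth documenting; and it is unclear whether a "no result" answer is cached, or whether such addresses are queried again on every refresh. Because the returned value is rendered into the HTML page, the text should state that it is validated as exactly two letters before display.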
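Review bot: In the hunk at `@@ -422,7 +426,7 @@`, the default for `limit` changes from 50 to 100 with no note for existing API clients, while the dashboard bullet in the first hunk still says "the 50 most-recent connections". Either state that the dashboard count and the API default are independent, or align the two numbers, and mention the changed default where the endpoint is described so that callers relying on the old default know the response has doubled in size.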
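Review bot: In the hunk at `@@ -431,7 +435,6 @@`, dropping `"banner_hex"` from the example response documents a breaking change for anything that parses `/api/connections`, and the README gives no reason or migration hint. The same field is removed from the "Recent connections" dashboard bullet in the first hunk. Add a short note under the endpoint saying that `banner_hex` is no longer returned and pointing to where the banner bytes can still be inspected (the "Banner lookup" section still describes a hex preview per port).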