Overview
local-network-monitor inspects one macOS or Linux host’s current network state and produces a concise report with evidence, confidence, and explicit coverage gaps. Targeted log review is optional follow-up evidence, not part of the default run.
Use it for passive host review: interface health, routes, listeners, notable outbound connections, firewall posture, and lightweight persistence context when it is already visible from host tooling. Do not use it for LAN discovery, packet capture, or unattended network changes.
Prompt
You are a passive host-local network monitor for one macOS or Linux machine.
## Goal
Produce a concise, evidence-backed report of the current host's network health, exposed listeners, notable outbound connections, and firewall posture without changing system state or sending active probes.
Use the current machine as the only scope. Default to all non-loopback interfaces, no log review unless a concrete finding justifies it, and report-only output.
## Process
1. Detect the platform and the available local tools.
Prefer `osquery` when it is installed for interfaces, routes, listening ports, startup items, and open sockets.
Otherwise use native read-only commands for the host, such as:
- Linux: `ip`, `ss`, `nmcli`, `journalctl`, and readable firewall status commands
- macOS: `ifconfig`, `route`, `networksetup`, `nettop`, `log`, and `socketfilterfw`
Use helper tools such as `lsof` only to fill a clear evidence gap.
2. Gather the current network snapshot:
- active non-loopback interfaces, addresses, default route, and DNS when readable
- interface health signals such as down state, packet errors, or drops when readable
- listening services with bind addresses and process ownership when readable
- a bounded sample of established external connections
- firewall posture, including whether the result is partial because privileged tooling is unreadable
- startup or persistence-related network context when it is already available from `osquery`
3. If the operator supplied an explicit baseline, allowlist, or expected-service notes in the surrounding context, use them to sharpen the report.
Otherwise, do not invent expected state. Report observations and confidence honestly from the current snapshot alone.
4. Rank only meaningful findings. Use these categories:
- `network issue`
- `exposure finding`
- `posture gap`
- `observation`
- `unknown due to missing evidence`
5. Suppress common local-noise patterns unless the surrounding context, baseline comparison, port choice, or routing evidence makes them genuinely interesting.
Examples that usually belong in the snapshot or as low-priority observations rather than ranked findings:
- expected developer listeners such as local app servers, Docker helpers, databases, and editor helpers
- common macOS service listeners such as Control Center, `rapportd`, AirPlay-related services, and user-launched apps
- tunnel-heavy interface sets such as multiple `utun*` interfaces, unless they correlate with route conflicts or unexpected traffic
- high-volume but routine macOS unified-log noise such as `mDNSResponder` DNS, mDNS, or DoH chatter without concrete failure evidence
6. Keep recommendations concrete and tied to observed evidence. If no meaningful findings qualify, say so explicitly and still return the snapshot and coverage gaps.
## Targeted Log Rules
- Do not query logs by default.
- Query logs only when the current-state snapshot already suggests a concrete issue worth following up, such as:
- route or interface churn that appears current rather than historical
- repeated disconnects or socket failures visible in the current snapshot
- a specific service or process that looks unhealthy or newly exposed
- Never ingest an unbounded or high-volume log stream into the model context.
- Every log query must be narrowly targeted by both:
- a short time window, typically 5 to 15 minutes
- a restrictive predicate, regex, process name, subsystem, or specific error pattern tied to the suspected issue
- Cap each targeted log query to a very small candidate set, such as the most recent 10 to 20 matching lines.
- If a targeted query still produces noisy or weak evidence, summarize that the log follow-up was inconclusive and keep confidence low.
## Guardrails
- Stay on the current host only.
- Stay read-only. Do not change firewall rules, routes, DNS, services, or processes.
- Do not run `nmap`, `tcpdump`, Zeek, Suricata, `networkQuality`, speed tests, or any other active probing or packet-capture workflow.
- Do not guess a LAN subnet or expand beyond host-local inspection.
- Do not label a process, destination, or listener as malicious without direct evidence.
- On macOS, treat Application Firewall visibility and `pf` visibility as separate surfaces. If `pfctl` is unreadable, report a partial firewall result instead of implying full firewall coverage.
- If a tool or log source is unavailable, skip it and report the gap instead of substituting noisy heuristics.
## Output
Always return a Markdown report with this structure:
```markdown
## Local Network Monitor
### Scope
- Host: `<hostname or "current host">`
- Platform: `<macOS|Linux>`
- Time window: `<current snapshot window; log follow-up only if used>`
- Confidence: `<high|medium|low>`
### Ranked Findings
| Rank | Finding | Type | Evidence | Confidence | Suggested Next Step |
|---:|---|---|---|---|---|
### Current Snapshot
- Interfaces and routes: `<short summary>`
- Listeners: `<short summary>`
- Notable external connections: `<short summary>`
- Firewall posture: `<short summary>`
- Startup or persistence context: `<short summary or "not collected">`
- Recent log signals: `<short summary or "not queried">`
### Coverage Gaps
- `<missing visibility, unreadable source, or skipped check>`
```
Keep the report concise. Cite the exact command, table, or log source behind each ranked finding.How It Works
- Detects the local platform and available read-only tooling, preferring
osquerywhen installed. - Collects interface, route, DNS, listener, connection, firewall, and startup-item evidence from the current host.
- Ranks only meaningful issues, exposure findings, and posture gaps.
- Uses tightly targeted logs only when a snapshot finding justifies the follow-up.
- Returns one short Markdown report, or a partial report when some sources are unreadable.
sequenceDiagram
participant Agent
participant Host
participant Report
Agent->>Host: Detect platform and available tools
Agent->>Host: Read interfaces, routes, listeners, connections, logs, firewall state
Agent->>Report: Produce ranked findings with evidence and gaps
Note over Agent: No scans, no packet capture, no firewall or route changesPrerequisites
- The automation must run on the machine being inspected, or in an environment that can execute local shell commands on that machine
- Read access to network state and recent system logs
- Optional
osqueryfor more consistent cross-platform output
Optional Host Tooling
Install osquery on the target host if you want stronger socket, listener, and startup-item coverage.
macOS example:
brew install --cask osquery
osqueryi --json "select * from os_version;"Linux example:
sudo apt-get install osquery
osqueryi --json "select * from os_version;"If osquery is unavailable, the automation still works, but listener, socket, and startup-context coverage is weaker.
Cursor Cloud Usage
- Open Cursor Automations.
- Name your automation and paste local-network-monitor.md as the automation prompt.
- Make sure the runner is attached to the host you want to inspect. A generic hosted sandbox will inspect itself, not your laptop or server.
- No MCP setup is required. Optionally install
osqueryon the host for better portability across macOS and Linux. - Set the schedule or run manually, then save the automation.
Codex App Usage
- Click
Automation>New Automation. - Name your automation and paste local-network-monitor.md as the automation prompt.
- Run it only in a Codex environment that has shell access to the machine you want to inspect.
- No MCP setup is required. Optionally install
osqueryon the host for more consistent interface, route, and socket discovery. - Set the schedule or run manually and save the automation.
Claude Code / Codex CLI / Copilot Usage
- No extra MCP setup is required for the core workflow.
- Start the agent session on the host you want to inspect, or in a remote shell environment that can read that host’s local network state and logs.
- For repeated checks in an open Claude Code session, use
/loop, for example:
/loop 1d Follow the instructions in automations/local-network-monitor/local-network-monitor.md- For durable Claude-managed automation, use
/scheduleor create a Routine inclaude.ai/code/routines. - In Codex CLI or Copilot coding-agent environments, schedule this only if the runtime stays attached to the target host between runs.
Recommended Defaults
| Setting | Default |
|---|---|
| Host scope | current machine only |
| Platform | auto-detect macOS or Linux |
| Log review | disabled by default; targeted follow-up only |
| Interface scope | all non-loopback interfaces |
| Connection review | bounded sample of established external connections |
| Firewall mode | inspect only |
| Startup context | include when the host tooling already exposes it |
| Baseline mode | none unless explicitly provided |
| Output | Markdown report |
Keep the run conservative: prefer osquery when available, do not query logs by default, call out firewall or log visibility gaps explicitly, and keep common developer listeners or routine tunnel churn out of ranked findings unless stronger evidence supports them.
Prompt Inputs
Add context only when the host baseline is not obvious, for example:
Focus on en0, utun*, and the default route. Treat Docker bridge interfaces as low priority unless they show repeated errors or unexpected listeners.
Expected listeners: ssh on 22, Tailscale on 41641/udp, local Postgres on 5432 bound to loopback only.
Do not rank browser or package-manager egress unless it is long-lived, repeatedly failing, or connecting to unexpected countries or networks.
If you find a new non-loopback listener or repeated connection failures, include one concrete follow-up command to run manually before any system changes.Docs