Skip to content

Discover AI traffic — before installing anything

You shouldn't have to trust a vendor's TLS-inspecting proxy just to find out whether you have a problem. kilasec-discover answers "what on my network is talking to AI providers?" from logs you already have — one Python file, stdlib only, zero network capability, nothing leaves your machine.

bash
curl -O https://kilasec.com/agents/connectors/discover/kilasec_discover.py
less kilasec_discover.py     # one file, on purpose — read it first
python3 kilasec_discover.py dns.log --html report.html

Feed it what you have

Formats are auto-detected; mix freely in one run:

  • DNS logs — dnsmasq / Pi-hole (query[A] host from ip), or any DNS server export via the generic parser
  • Zeekssl.log / dns.log, TSV or JSON lines
  • Squid — native access.log (CONNECT lines carry the destination host)
  • A packet capture — classic pcap from tcpdump -w; it extracts DNS queries and TLS ClientHello SNI (SNI is cleartext in the handshake)
  • Anything else — firewall/proxy exports usually work through the generic parser: hostname-shaped tokens plus the first private IP per line

No logs at all? One capture window on your egress interface is enough:

bash
tcpdump -i eth0 -w capture.pcap 'port 53 or port 443' -G 3600 -W 1
python3 kilasec_discover.py capture.pcap --html report.html

What the report shows

  • Known AI providers — matched against the same ~30-endpoint registry the collector uses (OpenAI, Anthropic, Azure OpenAI, GitHub Copilot, Gemini, Bedrock, Groq, OpenRouter, local Ollama, …), with per-source attribution, counts, first/last seen.
  • Consumer frontends — chatgpt.com, claude.ai, Copilot and Gemini web: humans in browsers, listed separately from agent/SDK traffic.
  • Suspects — hosts on nobody's list with LLM-gateway-shaped names (ollama, llm, vllm, litellm, inference, …) or traffic to port 11434. This is where shadow gateways show up.

What it deliberately can't see

DNS and SNI reveal who talks to what — never what was said. Payloads stay encrypted end to end; this tool has no decryption capability and no way to send data anywhere (CI fails if a network-capable import ever appears in the file).

That's also the honest boundary: finding credentials or PII inside prompts, per-request policy, and redaction require an inline TLS-inspecting proxy — the collector, with scope controlling exactly which model endpoints get decrypted. Run discovery first; decide about inspection with the numbers in front of you.

Documentation for kilasec — the AI Agent Firewall.