connmap-tk, connmap-gtk2, connmap-gtk3: c->perl ports of connmap geoip visualizer
superkuh on blog at
connmap-(tk|gtk2|gtk3) and [connmapperl-server + connmapperl-client] are a set of geoip map visualization applications. They rapidly call 'ss' and 'lsof' for established TCP connections and show geoip dots, program process name, ASN, and Org Name where the remote peer is. You can also right-click on points to pop up a window with copyable text and a form for doing offline whois look-ups. All of this is done by accessing only database files stored on disk: no network calls and no getting banned by whois servers. It was made with lots of gemini-2.5-pro LLM AI help.
To view source: connmap-tk.pl, connmap-gtk2.pl, connmap-gtk3.pl, connmap-simple-gtk3.pl, [connmapperl-server.pl + connmapperl-client.pl], connmapperlrc
To run the program(s): connmap-tk-gtk2-gtk3-and-utils.zip (79MB)
The size is from the included geoip dbs and regional internet registry whois dumps. Leave the .pl files in the extracted folder and just run them there.
The above are my simple ports and expanded forks from C to Perl of the X11 program connmap.
ref: https://github.com/h2337/connmap/
I did this because my Ubuntu 10.04 computer with Xorg 1.7 was too old to run the original connmap program. At least 1 of these 5 programs will run on almost anything from 1998 to 2025.
But as I did it I was having lots of fun so I added new obvious features and eventually diverged quite far from the base connmap code. Except in terms of lat,long to x,y calculation and the core concept; the hard stuff. That is still the same wonderful connmap logic.
"connmap-tk", "connmap-gtk2", "connmap-gtk3", and "connmapperl-server" have some extra features but don't have the ability to scale like connmap. "connmap-simple-gtk3" is a pure port with no extra features that can't scale like connmap either. None support "connmaprc" and instead use "connmapperlrc"; a new format.
"connmap-gtk2", "connmapperl-server", and "connmap-gtk3" are the best versions (though sometimes -gtk3 lags behind in features). They all load local/peer port map/color rules from config files which can be toggled on/off in the program by clicking the square buttons next to their name in the color key. They save all geoip points history, toggle with 'h' key, and can overlay them as white transparent circles scaled proportional to the number of times they appeared. They can save 's' and load 'l' this history file from disk. They can turn off global ip->asn/org-name look-ups and display globally by pressing 't'. They can right click near points and get a detailed list of their info as well as a field for doing full off-line whois lookups.
"connmap-simple-gtk3" is a direct port of connmap. No extra features. "connmap-tk" is somewhere in between.
"connmapperl-server" and "connmapperl-client" are the same program as "connmap-gtk2" but split into a gtk2 server/GUI and lightweight cli daemon clients which connect over the network via tcp/ip. It's really neat seeing all my computers and my VPSs active internet connections on one map at the same time on my home desktop. Since the client is pure perl and core modules only it runs on anything that has linux's "ss" and "lsof" programs.
Feature comparisons and Non-core Perl Dependencies
--- client/server architecture ---

"connmapperl-server"
    is a windowless GUI program server that listens on a port for client data and displays.
    listens on port 6789
    visual updates a tiny bit slower (1s), but client->server data updates are still fast (0.1s).
    uses Gtk2 (which rocks) which your modern OS probably doesn't have.
    can be dragged around with the mouse left-click hold.
    has right-click map to get list of points IPv4 info within circle near the mouse pointer.
      - optional ip2asn non-network based fully offline whois lookups for right click menu
    has 't' key toggle for doing the 'text' ASN/Org-Name look-ups and showing them.
    has 'h' key toggle for 'history' which shows all points seen scaled by count.
    has 's' and 'l' keys to 'save' and 'load' history points.
    has 'Esc' key to close and also an invisible exit button in the top right.
    loads ports/colors/names from config file "connmapperlrc"
      - does search/shows text depending on local/peer and port in "connmapperlrc"
      - can turn look-ups for rules on/off by clicking square next to their name in the key.
      - has 'c' config key to reload connmapperlrc file settings while running.
    Perl Dependencies: use Gtk2, use Cairo, use Glib, use Net::IP, use Text::CSV

"connmapperl-client"
    is a tiny perl core modules only script that will run on everything, even routers.
    is headless and uses a tcp connection to connect to connmapperl-server
    requires the presence of $ ss and $ lsof binaries.
    connects to port 6789
    Perl Dependencies: none

--- single program architecture ---

"connmap-gtk2"
    is windowless and can be dragged around with the mouse left-click hold.
    has right-click map to get list of points IPv4 info within circle near the mouse pointer.
      - optional ip2asn non-network based fully offline whois lookups for right click menu
    has 't' key toggle for doing the 'text' ASN/Org-Name look-ups and showing them.
    has 'h' key toggle for 'history' which shows all points seen scaled by count.
    has 's' and 'l' keys to 'save' and 'load' history points.
    has 'Esc' key to close and also an invisible exit button in the top right.
    uses Gtk2 (which rocks) which your modern OS probably doesn't have.
    loads ports/colors/names from config file "connmapperlrc"
      - does search/shows text depending on local/peer and port in "connmapperlrc"
      - can turn look-ups for rules on/off by clicking square next to their name in the key.
    Perl Dependencies: use Gtk2, use Cairo, use Glib, use Net::IP, use Text::CSV

"connmap-tk"
    has a traditional window bar.
    hard coded: shows process name : port, ASN, and Org Name text for most ports
    is Tk. Tk never changes and is available on both old and new OSes.
    is Tk and so a little slower.
    Perl Dependencies: use Tk, use Net::IP, use Text::CSV

"connmap-simple-gtk3"
    is a *direct* 1-to-1 connmap X11 feature port.
    is a simple port that just shows red dots.
    is what will run on most modern OSes.
    is windowless and can be dragged around with the mouse.
    Perl Dependencies: use Gtk3, use Cairo, use Glib

"connmap-gtk3"
    is windowless and can be dragged around with the mouse left-click hold.
    has right-click map to get list of points IPv4 info within circle near the mouse pointer.
      - optional ip2asn non-network based fully offline whois lookups for right click menu
    has 't' key toggle for doing the 'text' ASN/Org-Name look-ups and showing them.
    has 'h' key toggle for 'history' which shows all points seen scaled by count.
    has 's' and 'l' keys to 'save' and 'load' history points.
    has 'Esc' key to close and also an invisible exit button in the top right.
    uses Gtk3 which is what will run on most modern OSes.
    loads ports/colors/names from config file "connmapperlrc"
      - does search/shows text depending on local/peer and port in "connmapperlrc"
      - can turn look-ups for rules on/off by clicking square next to their name in the key.
    Perl Dependencies: use Gtk3, use Cairo, use Glib, use Net::IP, use Text::CSV

The local/peer ports, their names, and their colors are loaded from a config file located in the same directory as the program: connmapperlrc. Each rule's IP->ASN/Org-Name resolution and display can be toggled by setting the last field to 0=Off or 1=On, or while the program is running by clicking the rule's colored square in the key.
    # connmapperlrc - Configuration for ConnMapperl
    # Format: KeyLabel,Type,Port,Red,Green,Blue,Alpha,ShowText
    # ShowText: 1 = Display dot and text, 0 = Display dot only
    "Webserver",local,80,0.2,0.5,1,0.8,1
    "Webserver",local,443,0.2,0.5,1,0.8,1
    "Web Surfing",peer,80,0.68,0.85,1.0,0.8,0
    "Web Surfing",peer,443,0.68,0.85,1.0,0.8,0
    "IRC",peer,6667,1,1,0.2,0.8,0
    "IRC",peer,6669,1,1,0.2,0.8,0
    "IRC",peer,6660,1,1,0.2,0.8,0
    "IRC",peer,5555,1,1,0.2,0.8,0
    "SSH Out",peer,22,0.6,0.2,0.8,0.8,0
    "SSH In",local,22,0.7,0.2,0.6,0.8,0
    "IMAP/S",peer,993,0.1,0.9,0.2,0.8,0
    "IMAP/S",local,993,0.1,0.9,0.2,0.8,0
    "smtpd",local,587,0.3,0.6,0.3,0.8,0
    "Torrents",local,12000,1.0,0.4,0.7,0.8,0
    "Torrents",peer,12000,1.0,0.4,0.7,0.8,0
    "Shadowsocks",peer,31415,0.5,0.5,0.5,0.8,0
    "Shadowsocks",local,31415,0.5,0.5,0.5,0.8,0
    "Shadowsocks",peer,31416,0.5,0.5,0.5,0.8,0
    "Shadowsocks",local,31416,0.5,0.5,0.5,0.8,0
    "connmap",local,6789,0.5,0.5,0.1,0.8,0
    "connmap",peer,6789,0.5,0.5,0.1,0.8,0
    # By default only connections to the local webserver are shown with ASN+OrgName lookups
    # because that process is somewhat cpu and io intensive. This applies to the 'h' history
    # function too. Points matching local or peer ports with ShowText field 0 will not show
    # up as dots in history's scaled dot display.
    # Generally anything that's always going that you already know about set ShowText 0 to
    # ignore and not blow out the history heatmap.
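How the local/peer port rules above sort a set of established connections, as an added example in Python (not the project's Perl code). It assumes input in the column layout of `ss -tn` and that the first matching rule in file order wins; the sample connections are constructed with documentation addresses.

```python
import csv

# Subset of the connmapperlrc rules listed on this page.
CONNMAPPERLRC = '''\
# Format: KeyLabel,Type,Port,Red,Green,Blue,Alpha,ShowText
"Webserver",local,443,0.2,0.5,1,0.8,1
"Web Surfing",peer,443,0.68,0.85,1.0,0.8,0
"SSH In",local,22,0.7,0.2,0.6,0.8,0
'''

# Constructed sample in the column layout of `ss -tn` (documentation addresses).
SS_OUTPUT = '''\
State  Recv-Q  Send-Q  Local Address:Port    Peer Address:Port
ESTAB  0       0       192.0.2.10:443        198.51.100.7:51234
ESTAB  0       0       192.0.2.10:40112      203.0.113.9:443
ESTAB  0       0       [2001:db8::10]:22     [2001:db8::99]:50022
ESTAB  0       0       192.0.2.10:55000      203.0.113.50:4444
'''

def load_rules(text):
    """Parse connmapperlrc text into rule dicts; '#' lines are comments."""
    rows = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    rules = []
    for row in csv.reader(rows):
        if len(row) != 8 or row[1] not in ("local", "peer"):
            raise ValueError(f"malformed rule: {row!r}")
        rules.append({"label": row[0], "side": row[1], "port": int(row[2]),
                      "rgba": tuple(map(float, row[3:7])), "show_text": row[7].strip() == "1"})
    return rules

def split_endpoint(endpoint):
    # Handles both 'addr:port' and '[v6addr]:port'.
    addr, port = endpoint.rsplit(":", 1)
    return addr.strip("[]"), int(port)

def classify(ss_text, rules):
    """Return (peer_addr, label, show_text) for each established connection."""
    results = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line or a non-established state
        _, lport = split_endpoint(fields[3])
        paddr, pport = split_endpoint(fields[4])
        # Assumption: the first matching rule in file order wins.
        hit = next((r for r in rules
                    if r["port"] == (lport if r["side"] == "local" else pport)), None)
        results.append((paddr, hit["label"] if hit else None, bool(hit and hit["show_text"])))
    return results
```

Connections that match no rule come back with a label of `None`; on a host where every expected service has a rule, those are the ones worth a second look.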
Right-click the map to get a selectable text pop-up of IPs near the click. The white circle which appears briefly shows the range. Local whois/peering look-ups available in the pop-up window detail list.


There are lots of comments at the top of the source re: configuration required, if any. Paths are set relative to the folder, so as long as ./resources/ exists and you have the required Perl modules it should work.
An aside on the lack of libgtk2-perl on many distros
I actually ended up patching, building, and packaging libgtk2-perl for Debian 11 and 12 because Debian dropped libgtk2-perl in 2020 on the urging of, you guessed it, the GNOME team.
There are a few tricks to getting it to work but the most important one is at the very top of the ./libgtk2-perl/debian/rules file (on a new line before any other text), adding the following line:
export OPTIMIZE='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g'
Without this it's all "xs/Gtk2.c: loadable library and perl binaries are mismatched (got handshake key 0xce00080, needed 0xed00080)" errors when Gtk2 is actually attempted to be used.
Otherwise it was just a matter of changing some paths and versions in the ./DEBIAN/control file of the libgtk2-perl_1.24993-1_amd64.deb produced after, "$ DEB_BUILD_OPTIONS=nocheck debuild -us -uc -b" like changing DEBIAN/control so that perlapi-5.28.1 -> perlapi-5.32.1, and changing the folder name of ./usr/lib/x86_64-linux-gnu/perl5/5.28 to ./usr/lib/x86_64-linux-gnu/perl5/5.32 (for Debian 11, for other distros use the appropriate perl version/path).
I did this by unpacking the produced .deb,
    dpkg-deb -R libgtk2-perl_1.24993-1_amd64.deb tmp/
then doing the above changes manually, then repacking,
    dpkg-deb -b tmp libgtk2-perl_1.24993-1_GOODPATHSWORKING_amd64.deb
Then there's the command line tools I made for offline whois.
If connmap-gtk2.pl detects ip2asn.pl in the directory it will offer the option to use it for all local (no network connectivity needed) look-ups of whois dumps from the regional internet registries.
source: ip2asn.pl
Non-Core Perl Dependencies: use Net::IP, use Text::CSV
Full package w/utils scripts and data sources: connmap-tk-gtk2-gtk3-and-utils.zip (79MB)
"ip2asn" is a sort of janky fully-local "whois" for all 5 regional internet registries. The other scripts are for processing the raw data to a form usable for ip2asn.pl. It started as a scratch pad for testing which were the best ways to go from IP to organization name but eventually became a useful tool in its own right to avoid getting throttled by internet whois servers when doing many lookups in a row.
It uses 4 different methods to try to go from IP to ASN and org name. The first 3 methods are relatively fast. The 4th, awk'ing through big whois dumps, is not.
It is called like:

    $ ./ip2asn 94.74.97.164
    --- Found IP Information for: 94.74.97.164 ---
    Registry: apnic
    Country Code: SG
    Start IP: 94.74.64.0
    Range Size: 16384
    Status: allocated
    Opaque ID: A917E678
    --- Associated ASN Records ---
    HUAWEI INTERNATIONAL PTE. LTD.
    ASN: 131444, Count: 1, Status: allocated, Date: 20160715
    ASN: 136907, Count: 1, Status: allocated, Date: 20170807
    ASN: 141180, Count: 1, Status: allocated, Date: 20200914
    ASN: 149167, Count: 1, Status: allocated, Date: 20211206
    ASN: 151610, Count: 1, Status: allocated, Date: 20230712
    HUAWEI INTERNATIONAL PTE. LTD.
    22.2908 , 114.1501136907 - "HUAWEI CLOUDS"
    aut-num: AS131444
    as-name: HIPL-AS-AP
    descr: Huawei IT Data Center in AP
    country: HK
    remarks: --------------------------------------------------------
    remarks: To report network abuse, please contact mnt-irt
    remarks: For troubleshooting, please contact tech-c and admin-c
    remarks: Report invalid contact via www.apnic.net/invalidcontact
    remarks: --------------------------------------------------------
    org: ORG-HIPL2-AP
    admin-c: HIPL7-AP
    tech-c: HIPL7-AP
    abuse-c: AH905-AP
    mnt-lower: MAINT-HIPL-SG
    mnt-routes: MAINT-HIPL-SG
    mnt-by: APNIC-HM
    mnt-irt: IRT-HIPL-SG
    last-modified: 2020-06-17T13:05:46Z
    source: APNIC
It doesn't always work that nicely though. And lacnic entries are pretty bare. All this is done by including 600 MB of RIR ipv4 delegation files, all five regional internet registries' whois and peering dumps, various maxmind geolite ip->lat,long csv databases, and caida.org/archive/as2org/ as-org2info.txt. See the appendix for URLs.
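The Registry, Country Code, Start IP, Range Size, Status and Opaque ID fields in the output above are the columns of a delegated-extended record. The added example below, in Python and not taken from ip2asn.pl, shows an offline lookup against that format; it assumes the associated ASN list is built by matching opaque IDs, and its sample records are constructed from documentation prefixes and ASNs.

```python
import bisect
import ipaddress

# Constructed sample in the RIR delegated-extended layout:
#   registry|cc|type|start|value|date|status|opaque-id
# Documentation prefixes/ASNs and made-up opaque IDs, not real allocations.
DELEGATED = '''\
# constructed sample
apnic|*|ipv4|*|2|summary
apnic|ZZ|ipv4|198.51.100.0|256|20100101|allocated|A0000001
apnic|ZZ|ipv4|203.0.113.0|128|20110101|assigned|A0000002
apnic|ZZ|asn|64496|1|20100102|allocated|A0000001
apnic|ZZ|asn|64500|2|20120101|allocated|A0000001
apnic|ZZ|asn|64511|1|20130101|allocated|A0000002
'''

def load(text):
    """Return (ipv4 ranges sorted by start, {opaque_id: [asn records]})."""
    ranges, asns = [], {}
    for line in text.splitlines():
        f = line.strip().split("|")
        if line.startswith("#") or len(f) < 8:
            continue  # comments, version header and summary lines
        registry, cc, rtype, start, value, date, status, opaque = f[:8]
        if rtype == "ipv4":
            # For ipv4 records 'value' is the number of addresses in the block.
            first = int(ipaddress.IPv4Address(start))
            ranges.append((first, first + int(value) - 1,
                           {"registry": registry, "cc": cc, "start": start,
                            "size": int(value), "status": status, "opaque_id": opaque}))
        elif rtype == "asn":
            asns.setdefault(opaque, []).append(
                {"asn": int(start), "count": int(value), "status": status, "date": date})
    ranges.sort(key=lambda r: r[0])
    return ranges, asns

def lookup(ip, ranges, asns):
    """Find the delegation containing ip plus the ASNs under the same opaque ID."""
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right([r[0] for r in ranges], n) - 1
    if i < 0 or n > ranges[i][1]:
        return None  # address falls outside every delegated block
    rec = ranges[i][2]
    return {**rec, "asns": asns.get(rec["opaque_id"], [])}
```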
Appendix of various resources and notes
### the various resources/* files and where they come from to update them.

## RIR whois/peering db
# RIPE NCC
https://ftp.ripe.net/ripe/dbase/split/ripe.db.aut-num.gz
# ARIN
https://ftp.arin.net/pub/rr/arin.db.gz
# APNIC
https://ftp.apnic.net/apnic/whois/apnic.db.aut-num.gz
# LACNIC
https://ftp.lacnic.net/lacnic/dbase/lacnic.db.gz
# AFRINIC
https://ftp.afrinic.net/dbase/afrinic.db.gz

## RIR Delegation files
# https://www-public.telecom-sudparis.eu/~maigron/rir-stats/
# https://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-extended-latest
# https://ftp.apnic.net/stats/apnic/delegated-apnic-extended-latest
# https://ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest
# https://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-extended-latest
# https://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest
early version of the gtk2 port, what the gtk3 port looks like

recent version during a distributed botnet attempting to mirror the entire website at once

connmap-tk with integrating time lapse mode enabled by commenting out the "connection_item" tag on the dots:
    # 1. Draw the dot using Tk::Canvas->createOval
    $canvas->createOval(
        $x - $radius, $y - $radius,
        $x + $radius, $y + $radius,
        -fill    => $dot_color,
        -outline => $dot_color, # Use same color for outline to make a solid dot
        # -tags    => 'connection_item',
    );
It's easy to see there is some error in the geoip placement on the map gif background.
