HTTPToolkit Server sending/receiving large amount of data from

[tiger9502]

When I start HTTPToolkit (MacOS), even without intercepting anything, after a while I notice large amount of traffic to/from a github server:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 26095 t_w 25u IPv4 0xcb5eeb155b5d3b75 0t0 TCP macbookpro.lan:55704->lb-140-82-116-3-sea.github.com:https (ESTABLISHED)

When I say large amount, I mean it's constantly sending traffic, often in the gigabytes.
I tried to look into what this is doing but so far I haven't traced where these connections are made from.

In the processes I see these:

26092 ?? 0:00.44 /Applications/HTTP Toolkit.app/Contents/Frameworks/HTTP Toolkit Helper.app/Contents/MacOS/HTTP Toolkit Helper --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --user-data-dir=/Users/t_w/Library/Application Support/httptoolkit --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --shared-files --field-trial-handle=1718379636,r,87867599167215501,744985615024557052,262144 --enable-features=ScreenCaptureKitPickerScreen,ScreenCaptureKitStreamPickerSonoma --disable-features=SpareRendererForSitePerProcess --variations-seed-version --seatbelt-client=25
26095 ?? 0:02.57 HTTP Toolkit Server
26096 ?? 0:08.07 /Applications/HTTP Toolkit.app/Contents/Frameworks/HTTP Toolkit Helper (Renderer).app/Contents/MacOS/HTTP Toolkit Helper (Renderer) --type=renderer --user-data-dir=/Users/t_w/Library/Application Support/httptoolkit --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path=/Applications/HTTP Toolkit.app/Contents/Resources/app.asar --enable-sandbox --js-flags=--expose-gc --lang=en-US --num-raster-threads=4 --enable-zero-copy --enable-gpu-memory-buffer-compositor-resources --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1739456143460180 --launch-time-ticks=91667634034 --shared-files --field-trial-handle=1718379636,r,87867599167215501,744985615024557052,262144 --enable-features=ScreenCaptureKitPickerScreen,ScreenCaptureKitStreamPickerSonoma --disable-features=SpareRendererForSitePerProcess --variations-seed-version --seatbelt-client=73

What is the node server doing? why does it connect to this remote server?

[pimterry]

Hi @tiger9502

What is the node server doing?

The server provides all of the backend of HTTP Toolkit: the proxy server itself, and the integrations into each supported target (Docker, Android, iOS, Frida, the JVM, each supported browser, etc etc etc).

why does it connect to this remote server?

There's a variety of things downloaded dynamically at various times, often from GitHub, but generally only when specific interception features are activated (e.g. the APK release for the target Android architecture is downloaded when you use ADB interception, if you don't have an appropriate version already cached).

It's hard to tell what exactly the specific traffic you describe here is without more details, but most likely case is that this is the server updating itself, since that's really the only thing I can think of that might come from GitHub without any other trigger. The server releases are published on github (in this same repo: https://github.com/httptoolkit/httptoolkit-server/releases) and the server checks for updates at frequent intervals, and pulls the latest version if there's a new release available. The server is built with Oclif, and uses Oclif's built-in auto-update plugin to implement this: https://github.com/oclif/plugin-update.

There certainly shouldn't be gigabytes of traffic like that though - 50MB at most, and only if your server is outdated. Do you have any details on the frequency and size of each burst of traffic here? E.g. is it 50MB every 5 minutes, or a constant stream, or something else?

Can you share your HTTP Toolkit logs? On Mac that's available in /Users/<username>/Library/Logs/httptoolkit/last-run.log. That might have some clues.