Find the shadow AI on your network
Drop in logs you already have — DNS, proxy, or a packet capture — and see every AI service being called from your network, and by which machines. Including the private LLM gateways nobody told you about.
How to get your logs
Any one of these works. DNS or proxy/SNI logs from the network edge give the clearest picture.
Pi-hole / dnsmasq (easiest)
Pi-hole and dnsmasq log every DNS lookup. Grab the query log:
sudo cp /var/log/pihole/pihole.log ~/pihole.log # Pi-hole v6 # or older Pi-hole / plain dnsmasq: sudo cp /var/log/dnsmasq.log ~/dnsmasq.log
Drop that file above. Each query[A] host from 10.x.x.x line becomes a data point.
Squid proxy
Squid's access log carries the CONNECT host (SNI) for HTTPS:
sudo cp /var/log/squid/access.log ~/squid-access.log
Drop it above — native Squid format is auto-detected.
Zeek / Corelight
Use dns.log and/or ssl.log (TSV with the #fields header, or JSON):
cp /opt/zeek/logs/current/ssl.log ~/ssl.log cp /opt/zeek/logs/current/dns.log ~/dns.log
Drop either or both.
pfSense / OPNsense / other firewall
Export the DNS Resolver (Unbound) or proxy log, or any firewall log that records destination hostnames. The generic parser pulls hostnames + a client IP out of most exports — just drop the file and see what it finds.
Packet capture (Wireshark or tcpdump) — no logs handy
Capture a few minutes at a choke point (a mirror port, or the gateway). The tool reads DNS queries and TLS SNI — it never decrypts anything. Both Wireshark's default .pcapng and tcpdump's .pcap work — just drop the file, no conversion.
sudo tcpdump -i any -w ~/capture.pcap -s 400 'port 53 or port 443' # …let it run a bit, Ctrl-C, then drop capture.pcap above
In Wireshark, just File → Save As and drop the result. A small snap length
(-s 400) is plenty — only DNS names and the TLS handshake are read.