See what your network is actually doing — live, in your terminal.
A network monitor that reads encrypted traffic, names the process behind every connection, and catches malware calling home. One binary. Zero config.
Reading the plaintext out of a live TLS 1.3 session — decrypted right in the terminal. No proxy, no man-in-the-middle.
Most network tools answer one question — "what's using my bandwidth?" — and stop. NetWatch keeps going. It decodes the protocols on the wire, tells you which program opened each connection, and watches for the patterns that mean trouble — a port scan, malware beaconing to a command server, data sneaking out over DNS. When something looks wrong, one keypress freezes a portable evidence bundle you can attach to a bug report.
Think of it as one zero-config binary that does the job of a bandwidth meter, the triage view of Wireshark, and a lightweight intrusion detector — without leaving the terminal.
Made for blue-teamers, incident responders, SREs, and homelabbers who need to see what's happening right now — not parse a capture file an hour later.
500+ tests · Landlock-sandboxed · safely parses hostile traffic
A quick tour of the live TUI — dashboard, deep packet inspection, network topology with traceroute, and automatic alerting, all in one terminal.
- 🔓 Read encrypted traffic you control — point a browser or app's `SSLKEYLOGFILE` at NetWatch and watch the plaintext of its TLS 1.3 sessions decode live, the same way Wireshark does it. No proxy, no certificates, nothing in the middle.
- 🧬 Fingerprint the software behind a connection — JA4 turns each TLS/QUIC handshake into a stable fingerprint, so you can recognize a specific client — or a specific piece of malware — even though the traffic is encrypted, the way you'd recognize a browser by its user-agent. Pivot on a fingerprint to find every other flow from the same software.
- 🚨 Catch malware calling home — built-in detection for C2 beaconing (regular, low-jitter check-ins), port scans, and DNS tunneling runs in the background with zero setup. A critical alert auto-freezes the recorder so the evidence is already saved when you look.
- ⚙️ Name the process behind every connection — a kernel-level eBPF probe attributes each socket to the program that opened it, not a best-guess from polling. Falls back gracefully where eBPF isn't available.
- 📡 Decode the protocols, not just the ports — real L7 parsing of TLS, QUIC, HTTP, DNS, SSH, and a dozen more, with TCP stream reassembly and handshake timing — so you see `api.github.com` and the JA4 fingerprint, not just "port 443."
- 🎥 Freeze the evidence — arm a rolling recorder and freeze any incident into a portable bundle: the packets plus the connections, DNS, health, and alerts that explain them. Built for bug reports and post-mortems.
- 🛡️ Safe by design — after setup, NetWatch drops its privileges and locks itself into a Landlock filesystem allow-list (Linux). A tool that parses hostile traffic cannot read your SSH keys, browser profiles, or `/etc/shadow`.
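The C2-beaconing detection in the feature list above keys on regular, low-jitter check-ins. The following is an added illustration of that heuristic, not NetWatch's own detector: it groups flow records by (process, destination, port), measures the coefficient of variation of the gaps between connections, and flags destinations that look like a metronome. The flow records, process names and addresses are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed flow records: (timestamp_seconds, process, dst_ip, dst_port).
# "updater" checks in every ~60 s with sub-second jitter (beacon-like);
# "firefox" is bursty, irregular browsing. Both IPs are documentation ranges.
SAMPLE_FLOWS = (
    [(t, "updater", "203.0.113.7", 443) for t in (0.0, 60.4, 119.8, 180.5, 240.1, 300.3, 359.9, 420.2)]
    + [(t, "firefox", "198.51.100.20", 443) for t in (3.0, 3.4, 3.9, 41.0, 42.2, 130.0, 131.5, 400.0)]
)

def inter_arrivals(times: List[float]) -> List[float]:
    """Gaps between consecutive connections to the same destination, in seconds."""
    ordered = sorted(times)
    return [later - earlier for earlier, later in zip(ordered, ordered[1:])]

def beacon_score(times: List[float]) -> Optional[float]:
    """Coefficient of variation (stddev / mean) of the gaps.
    Near 0 means a fixed-interval beacon; human or bursty traffic scores well above 1."""
    gaps = inter_arrivals(times)
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(flows, min_checkins: int = 6, max_cv: float = 0.15):
    """Return [(key, mean_interval_s, cv)] for destinations contacted at least
    min_checkins times with jitter at or below max_cv. Thresholds are illustrative."""
    by_dest: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for ts, proc, ip, port in flows:
        by_dest[(proc, ip, port)].append(ts)
    alerts = []
    for key, times in by_dest.items():
        if len(times) < min_checkins:
            continue  # too few samples to call a rhythm
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            alerts.append((key, round(mean(inter_arrivals(times)), 1), round(cv, 3)))
    return alerts

if __name__ == "__main__":
    for key, interval, cv in find_beacons(SAMPLE_FLOWS):
        print(f"beacon candidate {key}: every {interval}s, jitter cv={cv}")
```

Real detectors also need to ignore legitimate fixed-interval clients (NTP, package mirrors, health checks), which is why an allow-list or the JA4 fingerprint of the client belongs beside this score.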
No config files. No setup. No flags required.
```sh
# Homebrew (macOS / Linux)
brew install matthart1983/tap/netwatch

# Cargo
cargo install netwatch-tui

# Or grab a pre-built binary from Releases
```

All platforms & build-from-source
| Platform | Download |
|---|---|
| Linux (x86_64, Debian/Ubuntu) | netwatch-linux-x86_64.tar.gz |
| Linux (aarch64, Debian/Ubuntu) | netwatch-linux-aarch64.tar.gz |
| Linux (x86_64, static — Arch/Fedora/Alpine/any distro) | netwatch-linux-x86_64-static.tar.gz |
| Linux (aarch64, static — Arch/Fedora/Alpine/any distro) | netwatch-linux-aarch64-static.tar.gz |
| macOS (Intel) | netwatch-macos-x86_64.tar.gz |
| macOS (Apple Silicon) | netwatch-macos-aarch64.tar.gz |
The `-static` Linux builds bundle libpcap and have no runtime dependencies — use these on Arch, Fedora, Alpine, or any distro where the default builds report `libpcap.so.0.8: cannot open shared object file`.
From source:
```sh
git clone https://github.com/matthart1983/netwatch.git && cd netwatch
cargo build --release
```

Prerequisites: Rust 1.70+, libpcap (`sudo apt install libpcap-dev` on Linux, included on macOS).
```sh
netwatch        # interface stats, connections, config — no privileges needed
sudo netwatch   # full mode — adds live packet capture + health probes
```

That's it. Switch tabs with 1–9, press ? for help, q to quit. The Dashboard is useful in five seconds; everything below is there when you need to go deeper.
Linux without `sudo`: grant the capture capabilities once and run as your normal user — `sudo setcap 'cap_net_raw,cap_bpf,cap_perfmon+eip' "$(which netwatch)"`. Re-run it after every upgrade (details).
The fastest way to understand what NetWatch is — watch it read the plaintext of a TLS 1.3 session you control:
```sh
sudo netwatch                                               # 1. launch, then open the Packets tab (4)
SSLKEYLOGFILE=/tmp/sslkeylog.txt curl https://example.com   # 2. any client that exports its keys
# 3. filter the Packets tab with: decrypted:true
```

The decrypted application data renders inline. A keylog miss never breaks capture — that record just stays opaque. (SSLKEYLOGFILE is the same mechanism Wireshark uses; it only works for traffic you control, never third-party or malware traffic.)
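What a decoder does with that keylog, as an added example that is not NetWatch's code: parse the NSS key-log lines `SSLKEYLOGFILE` produces, look the session up by its ClientHello random, and derive the AES-128-GCM write key and IV with TLS 1.3's HKDF-Expand-Label (RFC 8446 section 7.3). The client random in the sample is made up; the secret is the server handshake traffic secret from the RFC 8448 worked handshake, so the derived key and IV can be checked against that RFC. A session with no keylog entry yields `None`, which is the "keylog miss" that leaves a record opaque.

```python
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample in NSS key-log format: "<LABEL> <client_random hex> <secret hex>".
# The client random (aa*32) is made up; the secret is RFC 8448 section 3's server
# handshake traffic secret. Comment and blank lines are legal in this format.
SAMPLE_KEYLOG = """\
# keylog written by a client we control

SERVER_HANDSHAKE_TRAFFIC_SECRET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38
"""

def parse_keylog(text: str) -> Dict[Tuple[bytes, str], bytes]:
    """Index secrets by (client_random, label). Malformed lines are skipped, never fatal."""
    table: Dict[Tuple[bytes, str], bytes] = {}
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 3:
            continue
        label, client_random, secret = parts
        try:
            table[(bytes.fromhex(client_random), label)] = bytes.fromhex(secret)
        except ValueError:
            continue
    return table

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256 (the hash of TLS_AES_128_GCM_SHA256)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), "sha256").digest()
        out += block
        counter += 1
    return out[:length]

def expand_label_info(label: bytes, context: bytes, length: int) -> bytes:
    """HkdfLabel from RFC 8446 section 7.1: uint16 length, "tls13 " + label, context."""
    full = b"tls13 " + label
    return length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    return hkdf_expand(secret, expand_label_info(label, context, length), length)

def keys_for_session(keylog, client_random: bytes, label: str) -> Optional[Tuple[bytes, bytes]]:
    """(write key, write IV) for one direction of one session, or None on a keylog miss."""
    secret = keylog.get((client_random, label))
    if secret is None:
        return None
    # AES-128-GCM: 16-byte key and 12-byte IV, each expanded from the traffic secret.
    return (hkdf_expand_label(secret, b"key", b"", 16),
            hkdf_expand_label(secret, b"iv", b"", 12))
```

Per-record nonces are then the IV XORed with the 64-bit record sequence number, and application data needs the `*_TRAFFIC_SECRET_0` labels rather than the handshake ones; the derivation is identical.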
Nine tabs, switched with 1–9:
| # | Tab | What it shows |
|---|---|---|
| 1 | Dashboard | Interfaces, bandwidth graph, top connections, gateway/DNS health, latency heatmap. Useful in 5 seconds. |
| 2 | Connections | Every socket with its process + PID, protocol, state, GeoIP, and latency sparklines. |
| 3 | Interfaces | Per-interface IPv4/IPv6, MAC, MTU, RX/TX, errors, drops. |
| 4 | Packets | Live capture with real L7 decode, TLS 1.3 decryption, JA4, stream reassembly, filters, PCAP export. |
| 5 | Stats | Protocol breakdown by bytes + TCP handshake-timing histogram. |
| 6 | Topology | ASCII map of machine → gateway → DNS → top hosts, with traceroute. |
| 7 | Timeline | Connection timeline color-coded by TCP state; security alerts land here. |
| 8 | Processes | Per-process bandwidth ranking with live RX/TX and connection counts. |
| 9 | Insights | (opt-in) feeds a snapshot to a local/cloud LLM for plain-language analysis. |
The Packets tab is where the forensics live — deep protocol decoding, live TLS 1.3 decryption, JA4 threat-hunting, Wireshark-style display filters, and incident capture. See the full feature reference →
| Guide | What's in it |
|---|---|
| Feature reference | Every keybinding, the display-filter language, protocol decoder list, themes, and config options. |
| TLS 1.3 decryption | How SSLKEYLOGFILE decryption works, supported cipher suites, and what it can and can't read. |
| Threat hunting with JA4 | Fingerprinting clients and pivoting across flows. |
| Security & the Landlock sandbox | The threat model, capability dropping, and the filesystem allow-list. |
| Flight Recorder | Arming, freezing, and the contents of an incident bundle. |
| AI Insights | Optional local/cloud LLM analysis (off by default). |
```text
Raw bytes → Ethernet → IPv4/IPv6/ARP → TCP/UDP/ICMP → L7 decoders
                                                          ↓
                              Stream reassembly · Handshake timing
                       TLS 1.3 decryption · JA4 · Threat detection
```
| Collector | macOS | Linux |
|---|---|---|
| Connections | lsof + PKTAP | /proc/net/tcp + eBPF kprobe |
| Packets | libpcap (BPF) | libpcap |
| Process attribution | PKTAP | eBPF kprobe, with lsof/ss fallback |
Everything degrades gracefully: features that need elevated privileges show a clear message and fall back rather than crashing. Full architecture notes live in WIKI.md.
Siblings: SysWatch (system) and DiskWatch (disk) — same chrome, different surface. ESSH — a pure-Rust SSH client with the same TUI aesthetic; connects where NetWatch observes.
NetWatch Cloud — hosted fleet monitoring for the servers you run NetWatch against. A tiny Rust agent on each Linux host, a real-time dashboard, and email + Slack alerts on latency, packet loss, or hosts going offline. Free while we grow. The agent, SDK, and dashboard are MIT; the hosted backend is proprietary.
Questions, ideas, and bug reports are welcome in GitHub Discussions and Issues. See CONTRIBUTING.md for coding conventions and WIKI.md for the architecture guide.
MIT

