Real-time network diagnostics in your terminal. One command, zero config, instant visibility.
Launch → see every interface, connection, and health probe instantly. Arm the flight recorder before an incident disappears.
Siblings: SysWatch (system) and DiskWatch (disk). Same chrome. Different surface.
```
# Homebrew (macOS / Linux)
brew install matthart1983/tap/netwatch
# Cargo
cargo install netwatch-tui
# Pre-built binaries — see Releases
```
All platforms & options
| Platform | Download |
|---|---|
| Linux (x86_64, Debian/Ubuntu) | netwatch-linux-x86_64.tar.gz |
| Linux (aarch64, Debian/Ubuntu) | netwatch-linux-aarch64.tar.gz |
| Linux (x86_64, static — Arch/Fedora/Alpine/any distro) | netwatch-linux-x86_64-static.tar.gz |
| Linux (aarch64, static — Arch/Fedora/Alpine/any distro) | netwatch-linux-aarch64-static.tar.gz |
| macOS (Intel) | netwatch-macos-x86_64.tar.gz |
| macOS (Apple Silicon) | netwatch-macos-aarch64.tar.gz |
The -static Linux builds bundle libpcap and have no runtime dependencies — use these on Arch, Fedora, Alpine, or any distro where the default builds report libpcap.so.0.8: cannot open shared object file.
From source:
```
git clone https://github.com/matthart1983/netwatch.git && cd netwatch
cargo build --release
```
Prerequisites: Rust 1.70+, libpcap (sudo apt install libpcap-dev on Linux, included on macOS)
```
netwatch                     # Interface stats, connections, config
sudo netwatch                # Full mode — adds health probes + packet capture
netwatch --generate-config
```
Packet capture and eBPF process attribution need elevated capabilities, but
you don't have to run the whole TUI as root. Grant them once to the binary
and netwatch works for your normal user thereafter:
```
sudo setcap 'cap_net_raw,cap_bpf,cap_perfmon+eip' "$(which netwatch)"
netwatch
```
| Capability | What it unlocks |
|---|---|
| cap_net_raw | Opening packet capture on a live interface (libpcap) |
| cap_bpf | Loading the kernel-level process-attribution kprobe (kernel ≥ 5.10) |
| cap_perfmon | Reading the BPF ring buffer the kprobe writes to |
Without them netwatch still runs — it falls back to ss/lsof-style polling
for process attribution and skips packet capture. The Connections tab's
header surfaces the active source (attribution: ebpf, attribution: pktap,
or attribution: lsof — ebpf unavailable: …) so you can tell at a glance
which path is live.
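To confirm that a running netwatch holds only the three capabilities granted above rather than full root, this added example (not part of the netwatch project) decodes the `CapEff` mask found in `/proc/<pid>/status`. The function names and output format are illustrative, and treating the eBPF path as needing both `cap_bpf` and `cap_perfmon` is an assumption drawn from the table.

```sh
#!/bin/sh
# Added example, not netwatch code: decode a Linux CapEff mask and report
# which of the paths described above the process can use.
# Bit numbers are from <linux/capability.h>.
CAP_NET_RAW=13
CAP_PERFMON=38
CAP_BPF=39

# has_cap HEXMASK BIT: succeeds when BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# audit_mask HEXMASK: prints capture=<yes|no> attribution=<ebpf|polling> extra=<yes|no>
audit_mask() (
    mask=$1
    wanted=$(( (1 << CAP_NET_RAW) | (1 << CAP_PERFMON) | (1 << CAP_BPF) ))
    capture=no
    attribution=polling
    extra=no
    if has_cap "$mask" "$CAP_NET_RAW"; then capture=yes; fi
    # Assumption from the table: the kprobe is loaded with cap_bpf and its ring
    # buffer is read with cap_perfmon, so the eBPF path needs both bits.
    if has_cap "$mask" "$CAP_BPF" && has_cap "$mask" "$CAP_PERFMON"; then
        attribution=ebpf
    fi
    # Bits outside the three granted by setcap mean the process holds more
    # privilege than it needs, for example because it was started with sudo.
    if [ $(( 0x$mask & ~wanted )) -ne 0 ]; then extra=yes; fi
    echo "capture=$capture attribution=$attribution extra=$extra"
)

# audit_pid PID: read CapEff from /proc/PID/status and audit it (Linux only).
audit_pid() {
    mask=$(awk '/^CapEff:/ { print $2 }' "/proc/$1/status" 2>/dev/null)
    [ -n "$mask" ] || { echo "no CapEff for pid $1" >&2; return 1; }
    audit_mask "$mask"
}

# Constructed sample mask: exactly cap_net_raw, cap_perfmon and cap_bpf.
audit_mask 000000c000002000
# Against a live process: audit_pid "$(pgrep -x netwatch)"
```

`getcap "$(which netwatch)"` shows the capabilities stored on the file itself. Because they live on the file, every user who can execute that binary receives them, and they must be granted again after an upgrade replaces it.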
Catch transient failures that vanish before you can inspect them:
Shift+R Arm a rolling 5-minute recorder
Shift+F Freeze the current incident window
Shift+E Export an incident bundle to ~/netwatch_incident_YYYYMMDD_HHMMSS/
Each bundle includes summary.md, connections.json, health.json, bandwidth.json, dns.json, alerts.json, manifest.json, and packets.pcap when capture data is available.
Most network tools make you choose: see what's happening (iftop, bandwhich) or inspect packets (Wireshark, tshark). NetWatch does both in a single terminal — from a 10,000-foot dashboard view down to individual packet bytes.
| What you get | How fast |
|---|---|
| Every interface with live RX/TX sparklines | Instant |
| Every connection with process name + PID | Instant |
| Gateway & DNS health with latency heatmap | Instant |
| Wireshark-style packet capture + decode | One keypress |
| Rolling incident capture + frozen export bundle | One keypress |
| Network topology map with traceroute | One keypress |
| PCAP export for offline analysis | One keypress |
| AI-analyzed network insights (opt-in, local or cloud LLM) | One setting |
No config files. No setup. No flags required.
Everything at a glance — interfaces, aggregate bandwidth graph, top connections, gateway/DNS health probes, and a color-coded latency heatmap. Useful in 5 seconds.
Every open socket with process name, PID, protocol, state, remote address, GeoIP location, and per-connection latency sparklines. Sort by any column, jump to filtered packet view.
Per-interface detail: IPv4/IPv6 addresses, MAC, MTU, total RX/TX with individual sparkline history, errors, and drops.
Live capture with deep protocol decoding — DNS (queries, types, response codes), TLS (version, SNI), HTTP (method, path, status), ICMP, ARP, DHCP, NTP, mDNS, and 25+ service labels. TCP stream reassembly, handshake timing, display filters, BPF capture filters, bookmarks, and PCAP export.
Per-process bandwidth ranking with live RX/TX rates, totals, and connection counts. Useful for spotting the process behind a noisy host or bandwidth spike.
Arm a rolling 5-minute capture window, then freeze it manually or when a critical network-intel alert fires. Export a self-contained incident bundle with a human-readable summary, .pcap, connection/process context, health samples, DNS analytics, and alert history.
ASCII network map showing your machine, gateway, DNS servers, and top remote hosts with connection counts and color-coded health indicators. Built-in traceroute from any host.
Protocol hierarchy table with packet counts, byte totals, and distribution bars. TCP handshake histogram with min/avg/median/p95/max.
Gantt-style connection timeline — when each connection was active, color-coded by TCP state. Adjustable windows from 1 minute to 1 hour.
Feed a live snapshot of your network — protocol mix, top talkers, DNS queries, connection states, health probes, expert warnings — to an LLM every 15 seconds and get bullet-point analysis rendered in the TUI. Surfaces anomalies, beaconing patterns, suspicious DNS, and health regressions you might miss scrolling through raw data.
Off by default. Enable via Settings (,) → AI Insights: on. Supports local Ollama (default), a remote Ollama host on your network, or Ollama cloud models — point the AI Endpoint setting at the cloud URL and skip local setup entirely. No API keys in netwatch. See INSIGHTS.md for full setup.
Built-in settings overlay for theme, default tab, refresh rate, capture interface, packet-follow mode, GeoIP paths, BPF filter, AI Insights, and alert thresholds. Use , to open it and S to persist changes.
Wireshark-style filter syntax in the Packets tab:
```
tcp                   # Protocol
192.168.1.42          # IP address (src or dst)
ip.src == 10.0.0.1    # Directional
port 443              # Port
stream 7              # Stream index
contains "hello"      # Text search
tcp and port 443      # Combinators
!dns                  # Negation
google                # Bare word → contains "google"
```
| Key | Action |
|---|---|
| 1–9 | Switch tabs (tab 9 Insights appears when AI Insights is enabled) |
| ↑ ↓ | Navigate |
| p | Pause / resume |
| r | Force refresh |
| R | Arm / reset flight recorder |
| F | Freeze current incident window |
| E | Export incident bundle |
| / | Filter (Packets) |
| c | Start/stop capture (Packets) |
| s | Sort / stream view |
| w | Export to .pcap |
| T | Traceroute |
| W | Whois lookup |
| t | Cycle theme |
| , | Settings |
| ? | Help |
| q | Quit |

Full keybinding reference
| Key | Action |
|---|---|
| s | Cycle sort column |
| Enter | Jump to Packets with connection filter |
| T | Traceroute to remote IP |
| W | Whois lookup |
| e | Export connections to JSON + CSV |
| g | Toggle GeoIP column |

| Key | Action |
|---|---|
| c | Start/stop capture |
| R | Arm / disarm flight recorder |
| F | Freeze incident window |
| E | Export incident bundle |
| i | Cycle capture interface |
| b | Set BPF capture filter |
| / | Display filter |
| s | Stream view |
| w | Export .pcap |
| x | Clear packets |
| m | Bookmark packet |
| n/N | Next/prev bookmark |
| f | Auto-follow |
| W | Whois lookup for selected packet IPs |

| Key | Action |
|---|---|
| → ← | Filter A→B / B→A |
| a | Both directions |
| h | Toggle hex/text |
| Esc | Close |

| Key | Action |
|---|---|
| T | Traceroute to selected host |
| Enter | Jump to Connections for host |
| Esc | Close traceroute overlay |

| Key | Action |
|---|---|
| t | Cycle time window (1m–1h) |
| Enter | Jump to Connections |

| Key | Action |
|---|---|
| ↑ ↓ | Navigate |
| e | Export connections to JSON + CSV |

| Key | Action |
|---|---|
| ↑ ↓ | Navigate settings |
| Enter | Edit selected setting |
| ← → | Cycle theme |
| S | Save config |
| Esc | Close |

When the Flight Recorder is armed, NetWatch keeps a bounded rolling window of evidence. On freeze or export, it writes:
```
netwatch_incident_20260403_103501/
  summary.md
  manifest.json
  connections.json
  health.json
  bandwidth.json
  dns.json
  alerts.json
  packets.pcap        # present when packets were captured
```
This makes bug reports, incident reviews, and demos much easier: you keep the packet evidence and the operational context that explains it.
| Feature | netwatch | sudo netwatch |
|---|---|---|
| Interface stats & rates | ✅ | ✅ |
| Active connections | ✅ | ✅ |
| Network configuration | ✅ | ✅ |
| Health probes (ICMP) | ❌ | ✅ |
| Packet capture | ❌ | ✅ |

Degrades gracefully — features that need root show a clear message, never crash.
5 built-in themes with instant switching via t:
Dark (default) · Light · Solarized · Dracula · Nord
Theme changes apply immediately. Persist them from the Settings overlay with S.
NetWatch runs well with zero setup, but you can persist preferences for theme, default tab, refresh rate, capture interface, GeoIP database paths, packet-follow behavior, BPF filter, and alert thresholds.
```
netwatch --generate-config
```
That writes a starter config file to your platform config directory. You can also edit settings live in the app with , and save with S.
| Collector | Interval | macOS | Linux |
|---|---|---|---|
| Interface stats | 1s | netstat -ib | /sys/class/net/*/statistics |
| Connections | 2s | lsof -i -n -P | /proc/net/tcp + /proc/*/fd |
| Health probes | 5s | ping | ping |
| Packets | Real-time | libpcap (BPF) | libpcap |
| GeoIP | On-demand | MaxMind .mmdb / ip-api.com | MaxMind .mmdb / ip-api.com |

```
Raw bytes → Ethernet → IPv4/IPv6/ARP → TCP/UDP/ICMP → DNS/TLS/HTTP/DHCP/NTP
↓
Stream tracking · Handshake timing
Expert info · Payload extraction
```
ESSH — If you manage the hosts you monitor, ESSH is built for the same workflow. Same TUI aesthetic, pure-Rust SSH client with concurrent sessions, live remote host diagnostics (CPU, memory, disk, processes — no agent install), fleet management, file transfer, and port forwarding. Connects where NetWatch observes.
NetWatch Cloud — Hosted fleet monitoring for the servers you run NetWatch against. Tiny Rust agent on each Linux host, real-time dashboard, email + Slack alerts on latency, packet loss, or hosts going offline. Free while we grow.
NetWatch Cloud is a separate codebase with its own open-source ecosystem (this TUI is intentionally independent — same author, different philosophy):
- netwatch-sdk — shared Rust wire format + headless collectors (crates.io)
- netwatch-agent — audit-able Rust binary that runs on your hosts and reports to NetWatch Cloud
- netwatch-dashboard — Next.js web UI for the hosted backend
The hosted backend is proprietary; the agent, SDK, and dashboard that talk to it are MIT.
Contributions welcome! See CONTRIBUTING.md for coding conventions and WIKI.md for a current architecture guide.
MIT
