NetScope Documentation

Documentation

Everything you need to install, configure, and operate NetScope across all three products.

Desktop App Capture Agent SaaS Hub
Getting Started

What is NetScope?

NetScope is a full-stack network observability platform built for security and operations teams. It consists of three products that work independently or together: a native Desktop App for live packet capture, a headless Capture Agent for server and cloud deployments, and a SaaS Hub that aggregates flows from any number of agents into a searchable, alerting-capable analytics platform.

The entire pipeline — from raw packets to searchable flows — is designed for high throughput with minimal overhead. The capture core is written in Rust; the Hub backend uses Go with ClickHouse for storage, giving you sub-second query times even on hundreds of millions of flows.

How the products connect

🖥️ Desktop App
local capture
Hub Connect Mode
Hub
Capture Agent
pcap / eBPF
enrollment + push
Hub
Hub
ClickHouse
+
SIEM / Webhooks
Desktop App

NetScope Desktop

A native macOS and Windows application that turns your laptop or workstation into a real-time packet analyser. No tcpdump, no Wireshark filters — just open the app, pick an interface, and see enriched, decoded flows in milliseconds.

🦀

Rust Capture Core

Zero-copy packet processing with libpcap bindings. Sub-millisecond first-packet latency at line rate on a MacBook.

🔬

Deep Protocol Decode

Full reassembly and decode for DNS, TLS 1.2/1.3, HTTP/1.1, HTTP/2, gRPC, ICMP, and ARP out of the box.

🌍

GeoIP Enrichment

Every external IP is tagged with country, ASN, and org automatically using bundled MaxMind GeoLite2 databases.

🛡️

Threat Intel Badges

IPs are cross-referenced against bundled threat feeds. Malicious or suspicious hosts surface a coloured threat badge instantly.

⚙️

Process Attribution

On macOS, each flow is annotated with the originating process name and PID — no guesswork about which app is making that connection.

🔗

Hub Connect Mode

One toggle streams all captured flows to your NetScope Hub, letting you centralise data from every machine in your team.

Installation

NetScope Desktop ships as a signed .dmg (macOS) and .exe installer (Windows). Download from the download page and run the installer — no additional runtime dependencies required.

⚠️
macOS Gatekeeper Note Code signing and notarization is in progress. Until the next release, right-click the .dmg and choose Open to bypass Gatekeeper on first launch. Apple Silicon and Intel are both supported.
PlatformRequirementNotes
macOS 13+Apple Silicon or Intel, 4 GB RAMNotarization pending — use right-click Open
Windows 10/11x64, Npcap or WinPcap installedDownload Npcap free edition if not already installed

Live Capture

Select any available network interface (en0, Wi-Fi, Ethernet, VPN tunnel) from the interface picker at the top of the window. Capture starts immediately. You can switch interfaces without restarting the application.

💡
BPF Filter Support Type any valid Berkeley Packet Filter expression in the filter bar (e.g. port 443 or host 1.2.3.4) to narrow capture scope. Filters are applied at the kernel level for zero-overhead filtering.

The flow table refreshes in real time. Each row represents a completed or active TCP/UDP flow with protocol, source/dest IPs and ports, packet/byte counts, duration, and any decoded application data. Scroll back through the session history — flows are retained in memory until the session is cleared or the app restarts.

Protocol Support

NetScope decodes the following application-layer protocols with full field extraction:

ProtocolDecoded FieldsNotes
DNS Query name, type (A/AAAA/MX/TXT/…), response IPs, TTL, RCODE UDP & TCP DNS, DoT detection
TLS SNI hostname, cipher suite, TLS version, cert SANs, issuer, expiry TLS 1.0–1.3; certificate sidebar on click
HTTP/1.1 Method, URI, Host header, status code, response size, user-agent Full request/response in detail pane
HTTP/2 Method, :authority, :path, status, HPACK headers, stream IDs ALPN negotiation-based detection
gRPC Service, method, status code, content-type, frame metadata Detected on HTTP/2 + application/grpc content-type
ICMP Type, code, echo id/seq for ping traffic IPv4 and IPv6
ARP Operation (request/reply), sender/target IP and MAC Layer-2 visibility for LAN monitoring

Threat Intelligence

Every external IP is checked against bundled threat intelligence feeds on first observation. Matching IPs receive a coloured badge in the flow table:

BadgeMeaning
HIGHKnown malware C2, active botnet node, or confirmed threat actor IP
MEDSuspicious — tor exit node, scanning host, or grey-listed IP
LOWWatchlisted — VPN endpoint, proxy, or data centre IP with no active threat

Feeds are embedded in the application binary and updated with each release. When Hub Connect Mode is active, the Hub's live threat feed is used instead, giving you real-time intelligence updates without waiting for a new app version.

UI Panes

The Desktop UI uses a three-pane layout. Each pane is resizable and can be collapsed to focus on what matters.

PaneContents
Flow List (left) Scrollable, real-time table of all captured flows. Click any row to select it and populate the detail panes.
Flow Detail (top right) Full decoded fields for the selected flow — protocol headers, decoded payload, GeoIP, threat badge, and process name.
Analytics / TLS Sidebar (bottom right) Context-sensitive: shows the TLS certificate chain for TLS flows, HTTP analytics (top hosts, methods, status codes) for HTTP flows, and a service dependency graph for all traffic.

Hub Connect Mode

Enable Hub Connect Mode in Settings → Hub Connection. Enter your Hub URL and an API token generated in Hub Settings → Tokens. Once connected, all flows captured on this machine are streamed to the Hub in real time.

Configuration 
# Settings → Hub Connection
Hub URL     :  https://your-hub.example.com
API Token   :  nst_xxxxxxxxxxxxxxxxxxxx
Auto-start  :(reconnect on app launch)
Label       :  Alice-MacBook  # appears in Hub Fleet view

The connection is a persistent WebSocket over TLS. If the Hub is temporarily unreachable, the Desktop buffers up to 50,000 flows in memory and replays them on reconnect.

Capture Agent

NetScope Capture Agent

A lightweight, headless capture daemon designed for servers, cloud VMs, Kubernetes nodes, and network appliances. Deploy it once and it reports flows to the Hub continuously — no GUI, no manual intervention, zero local storage.

Dual Capture Modes

Choose libpcap for maximum compatibility or eBPF for kernel-level capture with near-zero CPU overhead on Linux 5.8+.

🔑

One-Line Enrollment

A single curl command downloads, installs, and enrolls the agent. The Hub generates a unique token per agent for secure identification.

📡

Multi-Interface

Capture on any number of interfaces simultaneously. Useful for tap ports, SPAN sessions, and bonded NICs.

☁️

Cloud VPC Support

Ingest VPC Flow Logs from AWS, GCP, and Azure directly in the Hub, complementing agent-based capture for cloud workloads.

🔄

Remote Config Push

Update capture filters, interface selection, or sampling rate from the Hub Fleet page — no SSH required.

🏷️

Cluster Labels

Tag agents with environment, region, or role labels. Filter flows in the Hub by any label combination.

Installation

The quickest path is the Hub-hosted install script. Navigate to Hub → Fleet → Add Agent and copy the generated command:

bash 
# Generated by Hub — includes your token automatically
curl -sSL "https://your-hub.example.com/api/v1/agents/install?token=nst_xxx" | sudo bash

This script detects your OS and architecture, downloads the correct binary, installs it to /usr/local/bin/netscope-agent, writes a systemd unit (Linux) or launchd plist (macOS), and starts the service automatically.

ℹ️
Manual Installation Download the binary from the releases page and run netscope-agent --hub https://… --token nst_xxx. Use your init system to run it as a service.

Capture Modes

pcap mode (default)

Uses libpcap to capture packets from network interfaces. Works on all platforms. Suitable for moderate traffic volumes. Root or CAP_NET_RAW capability required.

bash 
netscope-agent \
  --hub       https://hub.example.com \
  --token     nst_xxxxxxxxxxxxxxxx \
  --iface     eth0 \
  --mode      pcap \
  --filter    "not port 22"  # exclude SSH

eBPF mode (Linux 5.8+)

Attaches an XDP / TC eBPF program directly in the kernel's network stack. Dramatically lower CPU usage at high packet rates. No buffer drops under sustained 10 Gbps. Requires Linux kernel 5.8+ and root.

bash 
netscope-agent \
  --hub   https://hub.example.com \
  --token nst_xxxxxxxxxxxxxxxx \
  --iface eth0 \
  --mode  ebpf

Enrollment & Tokens

Each agent authenticates to the Hub using a unique enrollment token. Tokens are generated in the Hub under Fleet → Add Agent or via the API. Tokens can be revoked at any time from the Fleet page without restarting the agent — it will receive a 401 and stop forwarding flows.

Token ScopeDescription
agent-enrollOne-time token used during initial enrollment to exchange for a long-lived agent credential
agent-writeLong-lived credential stored on the agent. Used for ongoing flow submission
api-readFor Hub API read access from external tools or scripts
api-adminFull Hub API access including agent management and configuration

Configuration

The agent can be configured via command-line flags, environment variables, or a YAML config file at /etc/netscope/agent.yaml.

yaml — /etc/netscope/agent.yaml 
hub:     https://hub.example.com
token:   nst_xxxxxxxxxxxxxxxx
mode:    ebpf         # pcap | ebpf
ifaces:
  - eth0
  - eth1
filter:  "not port 22"
labels:
  env:    production
  region: us-east-1
  role:   web
batch_size:   500    # flows per HTTP push
flush_interval: 2s    # max wait before push
log_level:    info   # debug | info | warn | error

Remote Config Push

From Hub → Fleet → [Agent] → Configure, you can remotely update the filter expression, interface list, or labels without restarting the agent. Configuration changes are pushed over the existing WebSocket connection and applied within seconds.

SaaS Hub

NetScope Hub

The Hub is the central brain of a NetScope deployment. It receives flows from any number of agents and Desktop instances, stores them in ClickHouse, and exposes a rich web UI and REST API for search, alerting, anomaly detection, compliance, and more.

🗄️

ClickHouse Storage

MergeTree-based columnar storage. Sustains millions of flows per second with sub-second query latency on billions of rows.

🔍

Flow Search

Full-text and structured search over every flow field. Filter by protocol, IP, port, country, ASN, process, label, and more.

🔔

Alerting

Rule-based alerts with conditions on any flow field. Deliver to email, Slack, PagerDuty, or any webhook.

🧠

AI Copilot

Natural-language interface over your flow data, powered by Claude. Ask questions, get SQL, get answers — in plain English.

📊

Custom Dashboards

Drag-and-drop widget builder. Stat tiles, time-series charts, pie charts, top-talker tables, alert and anomaly feeds.

🏛️

Compliance Reports

One-click exports for SOC 2, PCI-DSS, ISO 27001, and HIPAA. Covers TLS hygiene, unencrypted traffic, and anomalies.

Deployment

The Hub is distributed as a single Go binary plus a ClickHouse database. The quickstart script handles both:

bash 
curl -sSL https://netscope.io/hub-quickstart.sh | sudo bash
# → installs ClickHouse, downloads hub binary, creates systemd service
# → hub available at http://localhost:8080 within ~60 seconds
ℹ️
Docker Compose A docker-compose.yml is available in the GitHub repository for containerised deployments. It starts both the Hub and ClickHouse with a single docker compose up -d.

Environment Variables

env 
CH_ADDR=localhost:9000
CH_DB=netscope
APP_URL=https://hub.example.com
FRONTEND_URL=https://hub.example.com
SESSION_SECRET=change-me-64-random-chars
LICENSE_KEY=ENT-xxxx-xxxx-xxxx    # omit for Community tier
ANTHROPIC_API_KEY=sk-ant-…  # required for AI Copilot
PRODUCTION=true               # sets Secure cookies

Flows & Analytics

All flows from all agents land in the Hub's flows ClickHouse table. The Flows page provides a real-time view with powerful search and filter controls.

Searching Flows

FilterExampleNotes
src_ip / dst_ip10.0.0.1Exact or CIDR match
protocolTLS, DNS, HTTPCase-insensitive
port443, 8080Matches src or dst port
countryCN, RUISO 3166-1 alpha-2
labelenv=productionAgent label key=value
threathigh, mediumThreat badge filter
bytes>1MBFilter large transfers
time rangeLast 1h / 24h / 7d / customApplied to all queries

Services View

The Services page automatically groups flows by (src_service, dst_service, protocol) and shows a dependency graph. Useful for discovering undocumented service relationships or lateral movement patterns.

Cloud VPC Ingestion

Import VPC Flow Logs from AWS (S3 or CloudWatch Logs), GCP (Cloud Logging), or Azure (Network Watcher) under Cloud Flows. The Hub normalises all formats into the same flow schema for unified analysis.

Security Features

Alerting

Create alert rules under Alerts → Rules. Each rule specifies a condition (e.g. any flow to a HIGH-threat IP in the last 5 minutes), a severity, and one or more notification channels.

Condition TypeExample
ThresholdBytes out > 100 MB in 10 min from single host
Geo-basedAny outbound connection to country CN, RU, KP, IR
Threat badgeAny flow touching a HIGH threat IP
Protocol anomalyDNS query count > 1000/min from single source
New destinationFirst-ever flow to this IP (zero-day baseline)
Port scan>20 distinct dst ports from single src in 60 seconds

Sigma Detection Rules

NetScope Hub implements a Sigma-compatible rule engine (Detection page). Import standard Sigma YAML rules or write custom ones. Rules are evaluated continuously against the incoming flow stream, with matches creating incidents automatically.

yaml — example sigma rule 
title:       Suspicious DNS Tunnelling
id:         netscope-dns-tunnel-001
status:     stable
level:      high
detection:
  selection:
    protocol: DNS
    query_len|gte: 60
    bytes_out|gte: 4096
  condition: selection
falsepositives:
  - AAAA record lookups for long CDN hostnames

Anomaly Detection

The anomaly engine builds a statistical baseline for each (src_ip, dst_ip, protocol) tuple over a rolling 7-day window. Deviations from the baseline — in bytes, flow count, or inter-arrival time — generate anomaly events visible on the Anomalies page. Each anomaly has a severity score and a natural-language description generated by the AI Copilot.

Threats

The Threats page aggregates all flows touching IPs from the threat intelligence feeds, grouped by threat actor and severity. Drill down into any threat entry to see the full timeline of connections, source agents, and associated alert history.

Incidents

Incidents are auto-created from high-severity alert or Sigma rule matches. Each incident gets a unique ID, a severity (P1–P4), and a status (open / in-progress / resolved). Assign incidents to team members, add investigation notes, and close with a resolution summary. Full audit trail is maintained.

Certificates

The Certs page shows every TLS certificate seen in flows, with expiry date, issuer, SANs, and the set of hosts that presented it. Expired or soon-to-expire certificates are highlighted. Certificate changes (e.g. unexpected issuer rotation) can trigger alerts.

Policies

Define network policies — permitted and denied communication paths — under the Policies page. NetScope automatically flags policy violations as they occur in the flow stream.

AI Copilot

The AI Copilot is a natural-language interface to your flow data, powered by Anthropic's Claude. Click AI Copilot in the sidebar to open the chat panel.

You can ask…What happens
"Show me all DNS queries to .ru domains in the last hour"Copilot writes a ClickHouse SQL query, executes it, and returns a formatted table
"Which host sent the most bytes yesterday?"Aggregation query over the flows table, result returned as a ranked list
"Explain this anomaly"Copilot pulls the anomaly context and provides a plain-English explanation with recommended next steps
"Is this IP suspicious?"Looks up threat intel, GeoIP, and recent flow history for the IP
"Write a Sigma rule for port scan detection"Generates a valid Sigma YAML rule you can paste into the Detection page
⚠️
API Key Required Set ANTHROPIC_API_KEY in the Hub environment to enable Copilot. All queries are executed against your own ClickHouse instance — flow data never leaves your infrastructure.

The Copilot enforces a row-limit cap on all generated SQL (default 1,000 rows) to prevent accidental full-table scans. Administrators can raise this limit per-user from Settings.

Custom Dashboards

Build any view you need from the My Dashboards page. Each dashboard is a collection of widgets arranged on a 12-column grid.

Available Widgets

WidgetDescriptionConfig
Stat Single big-number KPI with trend indicator Metric: total flows, active agents, bytes (24h), anomaly count, alert count
Time Series Line chart of flow volume or bytes over time Window: 1h / 6h / 24h
Protocol Pie Donut chart of top protocols by flow count
Top Talkers Ranked list of busiest source IPs Window, rank by flows or bytes, top N (5/10/20)
Alert Feed Live feed of recent alert events Max rows (5/8/15)
Anomaly Feed Live feed of recent anomaly events Max rows, severity filter (all/high/medium+/low+)

Widget Sizes

Each widget can be resized independently to Small (⅓ width), Medium (½ width), or Full Width using the resize controls that appear on hover in edit mode. Use the arrow buttons to reorder widgets within the grid.

Enterprise Features

The following features require an Enterprise license (LICENSE_KEY environment variable):

FeatureDescription
SSO / SAML ENT SAML 2.0 and OIDC identity provider integration. Supports Okta, Azure AD, Google Workspace, and any standards-compliant IdP.
Teams & RBAC ENT Organise users into teams. Assign dashboard, alert, and data access permissions per team.
Compliance Reports ENT Automated PDF/CSV reports for SOC 2, PCI-DSS, ISO 27001, HIPAA. Schedule weekly delivery to stakeholders.
Integrations ENT Pre-built integrations for Splunk, Elastic SIEM, Datadog, PagerDuty, and custom webhook targets for alert and anomaly events.
External Storage ENT Route ClickHouse cold data to S3-compatible object storage for long-term retention beyond 90 days.
Audit Log ENT Immutable audit trail of all user actions — login events, configuration changes, data exports, and API key usage.

API Reference

The Hub exposes a REST API at /api/v1/. All endpoints require a bearer token via the Authorization header.

bash 
curl -H "Authorization: Bearer nst_xxx" \
     https://hub.example.com/api/v1/flows?limit=50&protocol=TLS
EndpointMethodDescription
/api/v1/flowsGETQuery flows with filter params
/api/v1/flows/ingestPOSTBulk ingest flows (agent use)
/api/v1/statsGETAggregate stats (counts, bytes)
/api/v1/timeseriesGETTime-bucketed flow/byte counts
/api/v1/alertsGETList alert events
/api/v1/alerts/rulesGET POSTManage alert rules
/api/v1/anomaliesGETList anomaly events
/api/v1/agentsGETList registered agents
/api/v1/agents/installGETGenerates install script for agent
/api/v1/dashboardsGET POSTList / create dashboards
/api/v1/dashboards/:idGET PUT DELETEGet / update / delete dashboard
/api/v1/sigmaGET POSTManage Sigma detection rules
/api/v1/incidentsGET POSTList / create incidents
/api/v1/copilotPOSTAI Copilot chat (SSE streaming)
💡
Token Management Generate and revoke API tokens from Settings → Tokens & Audit. Tokens are scoped — create read-only tokens for dashboards or SIEM integrations and admin tokens for automation.