Real-time packet capture with deep protocol inspection, GeoIP & threat intelligence, and a SaaS hub for fleet-wide visibility — all in one platform built with Rust, Go, and React.
NetScope ships as three complementary pieces that work standalone or together as a unified observability stack.
Wireshark-inspired 3-pane UI for macOS, Windows, and Linux. Live capture, GeoIP flags, threat badges, certificate audit, HTTP analytics, and a service dependency map — all without leaving the app.
Headless netscope-agent for servers, containers, and CI environments. eBPF-powered capture on Linux requires no root at runtime. Streams flows to the hub or saves to JSONL.
Multi-tenant Go API with Kafka ingestion and ClickHouse analytics. Real-time SSE streaming, RBAC, alerting with webhook & SMTP delivery, compliance reports, and a Next.js dashboard.
From kernel-level capture to fleet-wide dashboards — every layer of the stack is covered.
Handles 100,000+ rows without jank using TanStack Virtual. Two-line rows show IP plus GeoIP / ASN sub-line. Auto-scrolls during live capture.
MaxMind GeoLite2-City + ASN databases auto-loaded from ~/.netscope/. Country flag emoji and ASN on every row. Offline — no API calls, no rate limits.
Offline CIDR blocklist covering Tor exits, C2 infrastructure, and port heuristics. Color-coded HIGH / MED / LOW badges with full reason breakdown in the detail pane.
SVG force-directed graph of all IP-to-IP connections. Nodes sized by flow count, edges colored by protocol. Pan, zoom, hover tooltips with geo & ASN data.
Per-endpoint p50 / p95 / p99 latency bars, error rates, and request counts. Updates live during capture. Sort by latency or error rate to pinpoint slow endpoints.
Sidebar aggregates every TLS cert seen in the session sorted by severity: expired → critical (<7d) → warning (<30d) → valid. Red badge count on toolbar.
Query historical fleet-wide flows from a running hub directly inside the desktop UI. Hub flows merge with local capture, tagged with a blue badge.
Save and load .nscope sessions (SQLite). Sessions survive restart and are forward-compatible — new fields default gracefully when loading older files.
Protocol shortcuts (http, dns, tls, errors, threats, hub) plus free-text IP/port/keyword search apply instantly. BPF expressions pre-filter at the kernel level.
Kernel-side eBPF program for high-throughput capture without root at runtime. Complements the libpcap path and scales to cloud-native environments.
Out-of-order segment buffering, retransmission counting, stream fragmentation handling. SYN/FIN/RST state machine per connection keyed by 4-tuple.
Full request/response pairing via httparse. Extracts method, path, host, status, all headers, body preview (512 bytes), and per-request latency.
Binary frame walker with HPACK header decompression. Stream ID pairing, per-stream latency measurement. gRPC service/method extraction from :path and grpc-status.
ClientHello SNI + cipher suites, ServerHello negotiated version, Certificate CN/SANs/expiry, Alert decoding. Detects weak ciphers (RC4, 3DES, NULL, EXPORT).
Query/response pairing from DNS wire format. Supports A, AAAA, CNAME, MX, TXT, PTR record types. Extracts RCODE and TTLs from every answer section.
Echo request/reply with RTT measurement. ARP who-has/is-at with sender and target IP/MAC pairs. Human-readable type/code strings for all ICMP messages.
Pre-filter packets at the kernel level using standard BPF expressions: tcp port 443, host 8.8.8.8, not arp — dramatically reduces CPU overhead at high traffic rates.
Agents POST batches via /api/v1/ingest. Kafka path for high-throughput with direct ClickHouse write as fallback. Async batch writer keeps latency low.
GET /api/v1/flows/stream fans out to all connected dashboard clients instantly. Rate-limited per-client to prevent runaway subscribers from overwhelming the server.
Time-series flow counts, per-endpoint p50/p95/p99 latency, DNS NXDOMAIN rates. Per-minute timeseries with 1h/6h/24h ranges rendered with Recharts in the dashboard.
Configurable threshold rules: flows/min, HTTP error rate, DNS NXDOMAIN rate, anomaly σ. Webhook + SMTP delivery with exponential back-off retry (1s → 5s → 30s).
One-click PCI-DSS, HIPAA, and CIS benchmark report generation from ClickHouse data. Schedule and export to share with auditors and security teams.
Admin/viewer roles on API tokens. RequireAdmin middleware gates all write endpoints. Enrolled agents receive a unique viewer-scoped token — never the global admin key.
Every authenticated API call recorded to audit_events: token ID, role, method, path, status, latency, and client IP. Queryable via GET /api/v1/audit with 90-day TTL.
Helm chart and manifests for deploying hub + ClickHouse + Kafka in-cluster. OpenTelemetry export to any OTLP-compatible backend. CI/CD matrix builds all platforms.
Server-side Next.js proxy injects HUB_API_KEY from server-only env vars. API keys never reach the browser bundle. SSE stream URL has no api_key= query parameter.
Webhook URLs are validated against all RFC 1918 private ranges, loopback, link-local, carrier-NAT, and IPv6 private ranges — at create, update, AND fire time (DNS rebinding defence).
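The sender-side check described above, written in Go as an added example rather than the hub's own code: host names, addresses and the lookup function are constructed, and it relies on the standard library's netip predicates plus an explicit carrier-NAT range, since IsPrivate does not include 100.64.0.0/10.

```go
package main

import (
	"context"
	"fmt"
	"net/netip"
	"net/url"
)

// Carrier-grade NAT (RFC 6598) is on the page's list but not in netip's IsPrivate.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// IsBlockedAddr reports whether a webhook must never be delivered to a.
// IsPrivate covers RFC 1918 and fc00::/7; the other predicates cover 127/8,
// ::1, 169.254/16, fe80::/10, multicast and the unspecified address.
func IsBlockedAddr(a netip.Addr) bool {
	a = a.Unmap() // judge ::ffff:10.0.0.1 as 10.0.0.1
	return a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified() ||
		cgnat.Contains(a)
}

// CheckWebhookURL rejects non-HTTP(S) URLs and any URL whose host is, or
// resolves to, a blocked address. lookup wraps net.DefaultResolver.LookupNetIP
// (network "ip") in real use, or a fixed table in tests. Run it at create and
// update time AND at fire time, then dial the address that passed, so a DNS
// answer that changes between the two checks (rebinding) gains nothing.
func CheckWebhookURL(ctx context.Context, raw string,
	lookup func(context.Context, string) ([]netip.Addr, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("webhook URL must be http(s) with a host: %q", raw)
	}
	host := u.Hostname()
	var addrs []netip.Addr
	if lit, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{lit} // IP literal: nothing to resolve
	} else if addrs, err = lookup(ctx, host); err != nil || len(addrs) == 0 {
		return fmt.Errorf("resolve %q failed: %v", host, err)
	}
	for _, a := range addrs {
		if IsBlockedAddr(a) {
			return fmt.Errorf("host %q resolves to blocked address %s", host, a)
		}
	}
	return nil
}
```

Every resolved address is checked, not just the first, so a host that answers with one public and one private record is still refused.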
Every webhook delivery includes X-NetScope-Signature: sha256=<hmac> computed with a per-rule secret. Verify payloads are authentic before processing in your receiver.
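A receiver-side check for that header, written in Go as an added example and not NetScope's own code. It assumes the HMAC-SHA256 is computed over the raw request body bytes and hex-encoded after the sha256= prefix, which the page does not spell out, and the secret and payload are constructed samples.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Assumption (the page does not spell this out): the HMAC-SHA256 is taken
// over the raw request body bytes and hex-encoded after the "sha256=" prefix.
const sigPrefix = "sha256="

// VerifySignature checks an X-NetScope-Signature header value against the
// raw body the receiver read. Decode the body as JSON only after this returns
// true; re-serialising it first would change the bytes that were signed.
func VerifySignature(secret, body []byte, header string) bool {
	if !strings.HasPrefix(header, sigPrefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, sigPrefix))
	if err != nil || len(got) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	// hmac.Equal compares in constant time, so a forger learns nothing from
	// how many leading bytes happened to match.
	return hmac.Equal(got, mac.Sum(nil))
}

// Sign produces the header value the sending side attaches; it exists here so
// a sample delivery can be built offline and checked against VerifySignature.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return sigPrefix + hex.EncodeToString(mac.Sum(nil))
}

func main() {
	secret := []byte("per-rule-secret-placeholder") // constructed sample secret
	body := []byte(`{"rule":"High flow rate","metric":"flows_per_minute","value":547.2}`)
	sig := Sign(secret, body)
	fmt.Println("genuine:", VerifySignature(secret, body, sig))                   // true
	fmt.Println("altered:", VerifySignature(secret, []byte(`{"value":1}`), sig)) // false
}
```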
X-Content-Type-Options, X-Frame-Options: DENY, X-XSS-Protection, Referrer-Policy, and Permissions-Policy on every API response. Tauri CSP restricted to a minimal allowlist.
Startup fails loudly if PRODUCTION=true and default ClickHouse credentials are in use. CORS wildcard is refused in production mode. METRICS_TOKEN protects Prometheus scraping.
All ClickHouse queries use parameterised placeholders — no string interpolation. Error messages are sanitised before reaching HTTP responses to prevent information leakage.
The CLI agent works out of the box. Point it at an interface and start seeing traffic.
Every protocol is decoded to its semantic layer — not just packets.
From kernel-level eBPF capture to ClickHouse analytics — a coherent data path from bytes to insight.
10 phases shipped. More depth and integrations on the way.
One command to spin up the hub. One command to connect an agent. That's it.
One command pulls pre-built Docker images for ClickHouse, Kafka, the Go API, and the Next.js dashboard — and starts everything. Only Docker required.
curl -sSL https://netscope.ie/hub-quickstart.sh | sh
http://localhost — connect agents and see flows instantly.
Set DOMAIN=hub.example.com before the command — Caddy handles the Let's Encrypt cert automatically.
From raw packets to fleet-wide compliance — everything in one place.
| Time | Source | Destination | Proto | Length | Info |
|---|---|---|---|---|---|
| 14:23:01.442 | 192.168.1.42:52341 | 93.184.216.34:80 | HTTP | 1,240 B | GET /index.html → 200 OK (42ms) |
| 14:23:01.651 | 192.168.1.42:54102 | 8.8.8.8:53 | DNS | 68 B | A example.com → 93.184.216.34 |
| 14:23:02.003 | 192.168.1.42:55210 | 142.250.185.46:443 | TLS | 5,840 B | TLS 1.3 · SNI: google.com · AES-256-GCM |
| 14:23:02.119 | 10.0.0.1:443 | 192.168.1.42:55214 | TCP | 3,200 B | PSH·ACK seq=1 ack=1 retx=2 |
| 14:23:02.445 | 192.168.1.42:0 | 8.8.8.8:0 | ICMP | 84 B | Echo Request id=3021 seq=1 · RTT 12ms |
| 14:23:02.881 | 192.168.1.100:8080 | 192.168.1.42:48023 | HTTP | 428 B | POST /api/login → 401 Unauthorized (8ms) ⚠ |
Live packet capture with deep protocol decoding — HTTP, TLS, DNS, TCP, ICMP, ARP, HTTP/2 & gRPC
| Time | Agent | Flow | Proto | Info |
|---|---|---|---|---|
| 14:23:01 | prod-web-01 | 10.0.0.42 → 93.184.216.34 | HTTP | GET / 200 |
| 14:23:02 | prod-api-02 | 10.0.0.15 → 8.8.8.8 | DNS | api.stripe.com |
| 14:23:02 | prod-web-01 | 10.0.0.42 → 185.86.0.1 | TLS | ⚠ expiring in 4d |
Centralised fleet dashboard — real-time SSE stream, 90-day ClickHouse retention, multi-agent overview
| Time | Rule | Metric | Value | Delivered |
|---|---|---|---|---|
| 14:20:00 | High flow rate | flows_per_minute | 547.2 | ✓ Slack |
| 13:45:10 | HTTP error spike | http_error_rate | 23.4% | ✓ PagerDuty |
Rule-based alerting with Slack, PagerDuty, OpsGenie, Teams, email, and generic webhooks — HMAC-signed
Pre-built binaries for every major platform. No account. No subscription.
netscope-agent binary ships in the same release and is ideal for servers, containers, and CI environments.
Run cargo build --release in agent/ or grab the binary from the Releases page.
On macOS, run xattr -cr /Applications/NetScope.app in Terminal.
On Windows, install Npcap first and run as Administrator for packet capture.
No bloat. Every dependency earns its place.
Download the desktop app, deploy the CLI agent, or self-host the hub. MIT licensed. No telemetry. No lock-in.