v0.5  ·  Open Source  ·  MIT License

See everything
on your network.

NetScope captures, decodes, and visualises network traffic across your entire fleet — from a single laptop to hundreds of production servers.

Deploy the hub → View on GitHub
$ curl -sSL https://netscope.ie/hub-quickstart.sh | sh
NetScope Hub · Flows Live
Total flows
33,820
Flows / min
590
Active agents
5
Top protocol
DNS
Time Proto Source Destination Process Duration
20:09:56.421 DNS 172.20.10.8:53201 8.8.8.8:53 chrome 0.8ms
20:09:56.198 TLS 172.20.10.8:52901 142.250.80.46:443 slack 12.3ms
20:09:55.991 HTTP 172.20.10.8:51204 192.168.1.1:80 curl 1.2ms
20:09:55.855 ICMP 172.20.10.8 1.1.1.1 ping 200.1ms
20:09:55.612 DNS 172.20.10.8:53198 1.1.1.1:53 node 1.4ms
20:09:55.301 TLS 172.20.10.8:52899 35.186.224.47:443 docker 34.7ms
<1ms
Packet to dashboard latency
12+
Decoded protocols
3
Platforms — macOS, Linux, Windows
MIT
Open source forever
Getting started

Up and running
in two minutes.

No Kubernetes. No YAML files to write. One command starts the full stack.

01

Deploy the hub

One curl command starts ClickHouse, Kafka, the API, and the dashboard in Docker. A random API key is generated automatically.

$ curl -sSL https://netscope.ie/hub-quickstart.sh | sh
02

Enrol an agent

Create an enrollment token in the dashboard. Run the generated install command on any target machine — Linux, macOS, or Windows.

$ curl -sSL "https://hub/install?token=…" | INTERFACE=eth0 sh
03

Explore & investigate

Flows appear within seconds. Search by IP, protocol, or process name. Set alert rules, write Sigma detections, and export to SIEM.

Dashboard at http://localhost — open in browser
Platform

Three tools.
One platform.

Every component works standalone. Together they give you complete, fleet-wide observability.

Desktop App

A native visual explorer for macOS and Windows. Browse live traffic, filter by protocol, view connection graphs, and export captures — no terminal required. Built with Tauri and React.

macOS Windows Tauri

Capture Agent

A lightweight sensor written in Rust. Runs in pcap mode on any platform, or eBPF mode on Linux for process attribution and TLS plaintext capture. Sends flow telemetry to the hub with zero local storage.

Linux macOS Windows eBPF

SaaS Hub

A self-hosted dashboard that aggregates flows from your entire fleet. Search across agents, configure alerts, write Sigma detection rules, and manage API tokens — all from one place.

Self-hosted Docker ClickHouse
Capabilities

Everything you need to understand your traffic.

From raw packets to actionable security intelligence.

Real-time capture

Sub-millisecond latency from packet to dashboard. pcap on all platforms, eBPF on Linux for kernel-level visibility without copying to userspace.

Deep protocol decode

HTTP hostnames, DNS query names, TLS cipher suites, gRPC method names, ICMP types. See the conversation, not just the IP header.

Process attribution

eBPF mode maps every connection to the process, PID, binary path, and user that owns it. Know which application is phoning home.

GeoIP & threat intel

Automatic geolocation enriches every flow. AbuseIPDB lookups flag known malicious IPs inline — before they escalate to an incident.

Sigma detection rules

Write detections in standard Sigma format. Get real-time alerts on lateral movement, suspicious DNS, beaconing patterns, and known-bad IPs.

Fleet management

Enroll agents with a single command, monitor heartbeats, push config remotely, and manage API tokens — all from the hub dashboard.

Under the hood

Powerful CLI,
clean dashboard.

Use the agent directly from the terminal during incident response, or let the hub aggregate everything automatically.

Capture on any interface

Point the agent at any network interface. Works with physical NICs, virtual bridges, and container network namespaces.

Structured output, queryable with SQL

All flows land in ClickHouse. Run ad-hoc SQL queries, export CSVs, or hook up Grafana for long-term trending.

Automatic enrichment

Hostname resolution, geolocation, ASN lookups, and threat intel happen server-side — the agent stays lean.

zsh — netscope-agent
# Install and enrol the agent
$ curl -sSL "http://localhost/install?token=abc123" | INTERFACE=eth0 sh
✓ Agent installed to /usr/local/bin/netscope-agent
✓ Enrolled with hub — agent_id: 4f8a2c1e
✓ Heartbeat registered
→ Capturing on eth0 (pcap mode)...

# Now visible in dashboard — live flows rolling in
$ netscope-agent status
agent_id 4f8a2c1e-...
hub_url http://localhost:8080
interface eth0
capture_mode pcap
flows_sent 33,820
heartbeat 2s ago

# Switch to eBPF for process attribution (Linux)
$ sudo netscope-agent-ebpf --hub-url http://localhost:8080 --api-key …
✓ eBPF probe loaded
→ Capturing with process attribution...
DNS chrome → 8.8.8.8:53 api.example.com 0.8ms
TLS node → 104.18.3.12:443 registry.npmjs.org 12ms
HTTP curl → 192.168.1.1:80 ⚠ unencrypted
Pricing

Start free.
Scale as you grow.

Every plan includes the desktop app, capture agent, and self-hosted hub. No vendor lock-in, ever.

Community
Free
forever · open source · MIT
  • Up to 10 agents
  • HTTP · DNS · TLS · ICMP · eBPF
  • Desktop app (macOS + Windows)
  • Self-hosted hub (Docker)
  • Email / password login
  • Community support (GitHub)
Get started →
Team Most popular
$149
per month · billed annually
  • Up to 50 agents
  • Everything in Community
  • SSO — SAML & OIDC
  • SCIM directory provisioning
  • Slack & PagerDuty alerts
  • 90-day flow retention
  • Priority email support
Contact sales →
Enterprise
Custom
volume pricing · on-prem · SLAs
  • Unlimited agents
  • Everything in Team
  • Custom RBAC roles
  • PII redaction & data masking
  • OpenTelemetry & SIEM export
  • SOC 2 / ISO 27001 docs
  • Dedicated support & SLAs
Talk to us →

Ready to see
your network?

Deploy the hub in two minutes. No credit card, no sign-up, no telemetry.

Deploy free → Read the docs