Stop Juggling 5 Tools! NetWatch Replaces Your Entire Network Stack
You're mid-deploy. Production is flickering. Your terminal has six panes open—iftop screaming about bandwidth, ss dumping connections you can't read, ping hammering your gateway in another window, and somewhere, a forgotten tcpdump process is filling your disk with garbage youll never analyze. You need the full picture now, not after youve stitched together five different outputs like some digital Frankenstein.
What if one command could replace that entire chaos?
Enter NetWatch—the Rust-powered terminal UI that turns network diagnostics from a multi-tool nightmare into a single, breathtaking interface. No configuration files. No setup rituals. No sudo required for basic visibility. Just type netwatch and watch your network expose every secret it's been hiding.
This isn't another niche utility. This is what happens when someone builds the tool they actually needed after years of suffering through fragmented network debugging. And it's about to become the only network tool you install on every machine you touch.
What is NetWatch?
NetWatch is a real-time network diagnostics TUI built in Rust by developer Matt Hart. Born from the frustration of context-switching between half a dozen network tools, it delivers what its GitHub description promises with surgical precision: "Real-time network diagnostics in your terminal. One command, zero config, instant visibility."
The project lives at https://github.com/matthart1983/netwatch and has already earned recognition as Terminal Trove's Tool of the Week—no small feat in a landscape crowded with terminal utilities. Available via Homebrew, Cargo, and pre-built binaries for macOS and Linux (both x86_64 and aarch64, including static builds for Alpine and Arch), NetWatch prioritizes accessibility without sacrificing depth.
What makes NetWatch genuinely different? Philosophical coherence. Most tools force a choice: observe traffic patterns OR inspect packets. NetWatch collapses that false dichotomy. The same interface that shows you a 10,000-foot dashboard of interface health and top connections will, with a single keystroke, drop you into Wireshark-grade packet analysis with deep protocol decoding. No context switch. No mental model reset. Just seamless zoom from macro to micro and back.
The Rust foundation matters here. Not for trendy language points, but for zero-cost abstractions that let NetWatch parse packets, maintain connection state, render sparklines, and probe health—all at 60fps in a terminal—without the memory bloat that would make this impossible in Python or Node. When you're capturing live traffic on a busy interface, every allocation counts.
Key Features That Make NetWatch Irreplaceable
NetWatch isn't a thin wrapper around existing tools. It's a complete reconception of what network diagnostics should feel like in 2024.
The Dashboard delivers instant situational awareness: every network interface with live RX/TX sparklines, aggregate bandwidth graph, top connections by volume, gateway and DNS health probes with color-coded latency heatmaps. You know if your network is healthy in five seconds of glancing—not five minutes of parsing.
Connections tab reveals every open socket with process name and PID attribution (via eBPF on modern Linux, falling back gracefully to ss/lsof polling). You see protocol, state, remote address, GeoIP location, and per-connection latency sparklines. Sort by any column, filter dynamically, jump straight to packet view for any connection.
Packet Capture is where NetWatch exposes its engineering depth. Live capture with protocol decoding for DNS (queries, types, response codes), TLS (version, SNI extraction), HTTP (method, path, status), ICMP, ARP, DHCP, NTP, mDNS, and 25+ service labels. TCP stream reassembly. Handshake timing analysis. Display filters using Wireshark-style syntax. BPF capture filters. Bookmarks. And one-keypress PCAP export for offline Wireshark analysis when you need it.
Flight Recorder solves the cruelest network debugging problem: transient failures that vanish before you can investigate. Arm a rolling 5-minute capture window with Shift+R. When something breaks, Shift+F freezes the incident window. Shift+E exports a complete bundle: human-readable summary.md, structured JSON for connections/health/bandwidth/DNS/alerts, manifest metadata, and packets.pcap when capture data exists.
Topology renders an ASCII network map showing your machine, gateway, DNS servers, and top remote hosts with connection counts and health indicators—plus built-in traceroute from any selected host. Timeline provides Gantt-style connection visualization. AI Insights (opt-in, local Ollama or cloud) analyzes your network snapshot every 15 seconds for anomalies, beaconing patterns, and suspicious DNS.
Real-World Use Cases Where NetWatch Dominates
The 3 AM Production Incident
Your alerts fire. Latency spike. You SSH in, type netwatch, and immediately see which interface is saturated, which process owns the connection flood, and whether your gateway is responding. No apt install anything. No remembering if this machine has iftop or nethogs. Just instant operational clarity when your brain is least capable of complex tool orchestration.
The Microservice Mystery
Container A can't reach Container B. Is it DNS? Network policy? The application? NetWatch's DNS decoding shows you the exact query and response code. The connections tab reveals if the TCP handshake completes. The health probes verify gateway reachability. You diagnose in one terminal instead of three tools and a prayer.
The Security Investigation
Something's beaconing. NetWatch's AI Insights flags suspicious patterns. You arm the flight recorder, catch the next communication window, and export a complete evidence bundle with PCAP for your SOC. The process attribution (eBPF when available) tells you which binary owns the connection—critical for containerized environments where lsof returns opaque PIDs.
The Performance Baseline
Before your optimization sprint, run NetWatch to establish normal: protocol distribution, top talkers, connection churn rate, DNS query patterns. After changes, compare. The stats tab's TCP handshake histogram with p95 latency gives you statistically meaningful performance data, not anecdotal curl timings.
The CI/CD Network Verification
Your deployment pipeline spins up ephemeral environments. Install NetWatch (static binary, zero dependencies), verify network connectivity and DNS resolution from the actual runtime context, capture evidence if tests fail. The --generate-config option lets you standardize settings across ephemeral hosts.
Step-by-Step Installation & Setup Guide
NetWatch's installation philosophy matches its runtime philosophy: minimum friction, maximum flexibility.
macOS and Linux (Homebrew)
# Add the tap and install in one command
brew install matthart1983/tap/netwatch
# Verify installation
netwatch --version
Homebrew handles dependencies automatically on macOS. On Linux, ensure libpcap-dev is available if not using the static build.
Rust/Cargo Installation
# Install directly from crates.io
cargo install netwatch-tui
# Or build from source for latest features
git clone https://github.com/matthart1983/netwatch.git && cd netwatch
cargo build --release
Prerequisites for source builds: Rust 1.70+ and libpcap development headers (sudo apt install libpcap-dev on Debian/Ubuntu, included on macOS).
Pre-Built Binaries (All Platforms)
For maximum portability or locked versions, download from GitHub Releases:
| Platform | Download | Use Case |
|---|---|---|
| Linux x86_64 (dynamic) | netwatch-linux-x86_64.tar.gz |
Debian/Ubuntu with standard libpcap |
| Linux aarch64 (dynamic) | netwatch-linux-aarch64.tar.gz |
ARM64 Debian/Ubuntu |
| Linux x86_64 (static) | netwatch-linux-x86_64-static.tar.gz |
Arch, Fedora, Alpine—no runtime deps |
| Linux aarch64 (static) | netwatch-linux-aarch64-static.tar.gz |
ARM64 with bundled libpcap |
| macOS Intel | netwatch-macos-x86_64.tar.gz |
Older Macs |
| macOS Apple Silicon | netwatch-macos-aarch64.tar.gz |
M1/M2/M3 Macs |
The -static builds are critical for Alpine containers or restricted environments where libpcap.so.0.8 won't resolve.
Post-Installation: Running Without sudo (Linux)
Packet capture and eBPF process attribution require capabilities, but full root access is overkill. Grant precise capabilities once:
# Grant network capture and BPF capabilities to the binary
sudo setcap 'cap_net_raw,cap_bpf,cap_perfmon+eip' "$(which netwatch)"
# Run normally—no sudo needed for full features
netwatch
| Capability | What It Unlocks |
|---|---|
cap_net_raw |
Live packet capture via libpcap |
cap_bpf |
Kernel-level process attribution kprobe (kernel ≥ 5.10) |
cap_perfmon |
Reading BPF ring buffer from kprobe |
Without these capabilities, NetWatch degrades gracefully: it falls back to ss/lsof-style polling for process attribution and skips packet capture. The connections tab header shows attribution: ebpf, attribution: pktap, or attribution: lsof — ebpf unavailable: ... so you always know which data source is active.
First Launch
# Basic mode: interface stats, connections, configuration
netwatch
# Full mode: adds health probes (ICMP) and packet capture
sudo netwatch
# Generate persistent configuration
netwatch --generate-config
REAL Code Examples from NetWatch
Let's examine actual patterns from the NetWatch repository and documentation, with detailed explanations of what makes them powerful.
Example 1: Capability-Based Permission Elevation
# Grant precise capabilities without full sudo
sudo setcap 'cap_net_raw,cap_bpf,cap_perfmon+eip' "$(which netwatch)"
# Subsequent runs need no elevation—security win
netwatch
This pattern is security-critical for production environments. Traditional packet capture tools require root or sudo, violating principle of least privilege. NetWatch's capability-based approach grants only the specific kernel permissions needed: cap_net_raw for raw socket access, cap_bpf for loading the eBPF kprobe that maps packets to processes, and cap_perfmon for reading the BPF ring buffer. The +eip suffix sets effective, inherited, and permitted sets, ensuring the binary retains these capabilities across exec calls. After this one-time setup, your monitoring runs under your normal user—if NetWatch is compromised, the attacker gains network visibility, not full root access.
Example 2: Flight Recorder Incident Capture
# Interactive keystrokes in the TUI
Shift+R # Arm rolling 5-minute recorder
Shift+F # Freeze current incident window
Shift+E # Export incident bundle to ~/netwatch_incident_YYYYMMDD_HHMMSS/
The flight recorder solves a fundamental observability problem: you can't debug what you didn't capture. Traditional packet capture (tcpdump -w file.pcap) fills disks and requires foresight. NetWatch's bounded rolling buffer keeps only the last 5 minutes, automatically discarding older data. When you detect an anomaly—manually or via alert—freeze preserves that window. Export generates a complete forensic package:
netwatch_incident_20260403_103501/
summary.md # Human-readable incident narrative
manifest.json # Metadata and version info
connections.json # Full connection state at freeze
health.json # Gateway/DNS probe history
bandwidth.json # Per-interface throughput samples
dns.json # DNS query/response analytics
alerts.json # Triggered alert history
packets.pcap # Raw packets (when capture was active)
This structure transforms incident response from chaotic log grepping into reproducible analysis. The summary.md gives context to anyone reviewing later; the JSON files enable programmatic correlation; the PCAP integrates with existing Wireshark workflows.
Example 3: Display Filter Syntax
# Wireshark-style filters in the Packets tab
tcp # Protocol match
192.168.1.42 # IP address (src or dst)
ip.src == 10.0.0.1 # Directional filter
port 443 # Port number
stream 7 # TCP stream index
contains "hello" # Payload text search
tcp and port 443 # Boolean combinators
!dns # Negation
google # Bare word → contains "google"
NetWatch's filter parser implements Wireshark-compatible syntax—not similar, actually compatible. This matters because network engineers have years of muscle memory with these expressions. The bare word fallback (google → contains "google") reduces friction for quick searches. The stream keyword enables TCP stream isolation for reassembly analysis. Boolean combinators and negation let you construct complex expressions like tcp and port 443 and !ip.dst == 10.0.0.0/8 to isolate external HTTPS traffic. This isn't cosmetic convenience; it's cognitive load reduction during high-pressure debugging.
Example 4: Configuration Generation
# Generate starter configuration file
netwatch --generate-config
This writes a starter config to your platform's configuration directory (typically ~/.config/netwatch/ on Linux, ~/Library/Application Support/netwatch/ on macOS). The generated file includes all tunable parameters: theme selection, default tab, refresh rate, capture interface preference, GeoIP database paths, packet-follow behavior, BPF capture filter, AI Insights endpoint, and alert thresholds. You can also modify these live with the , settings overlay and persist with S. This dual approach—declarative config files for repeatability, interactive settings for experimentation—caters to both automation pipelines and interactive exploration.
Advanced Usage & Best Practices
Master the capability model. On Linux, invest the 30 seconds to setcap your binary. The security posture improvement is substantial, and the eBPF process attribution is dramatically more accurate than lsof polling—especially for short-lived connections in containerized workloads.
Arm the flight recorder before incidents. Don't wait for problems. Shift+R at the start of any potentially risky operation: deployments, migrations, configuration changes. The rolling buffer costs minimal memory; the forensic value when something fails is immeasurable.
Combine display and capture filters. Use BPF filters (b key) to reduce capture volume at the kernel level—critical for high-throughput interfaces. Use display filters (/ key) for post-capture analysis without re-capturing. This two-stage filtering lets you capture broadly then drill precisely.
Leverage stream reassembly. In the Packets tab, s enters stream view. Use →/← to filter direction, a for both directions, h to toggle hex/text. This is where you reconstruct HTTP conversations or extract TLS SNI from handshakes without exporting to Wireshark.
Theme for your environment. The t key cycles Dark (default), Light, Solarized, Dracula, and Nord. In brightly-lit datacenters or projected screens, Light or Solarized improve visibility. Persist your preference via Settings (S).
Integrate AI Insights cautiously. The Ollama integration (local default, cloud optional) provides genuine value for pattern recognition, but network data may be sensitive. The local-first default respects privacy; evaluate cloud endpoints against your compliance requirements.
Comparison with Alternatives
| Feature | NetWatch | Wireshark/tshark | iftop | bandwhich | nethogs |
|---|---|---|---|---|---|
| Terminal UI | ✅ Native | ❌ GUI only / CLI | ✅ | ✅ | ✅ |
| Zero config startup | ✅ | ❌ (profiles, interfaces) | ✅ | ✅ | ✅ |
| Live packet decode | ✅ | ✅ | ❌ | ❌ | ❌ |
| Process attribution | ✅ (eBPF/lsof) |
❌ (without extra tools) | ❌ | ✅ | ✅ |
| Connection sparklines | ✅ | ❌ | ❌ | ❌ | ❌ |
| Health probes (ICMP) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Network topology map | ✅ | ❌ | ❌ | ❌ | ❌ |
| Flight recorder / incident export | ✅ | ❌ (manual capture) | ❌ | ❌ | ❌ |
| AI-powered anomaly detection | ✅ (opt-in) | ❌ | ❌ | ❌ | ❌ |
| Cross-platform (macOS/Linux) | ✅ | ✅ | Linux only | ✅ | Linux only |
| Static binary availability | ✅ | ❌ | ❌ | ❌ | ❌ |
The verdict: Wireshark remains unbeatable for deep packet analysis with its 2000+ protocol dissectors and cryptographic analysis. But for operational network diagnostics—the daily work of understanding what's happening right now, why it's slow, and which process is responsible—NetWatch eliminates the tool-switching tax. It's not a Wireshark replacement; it's a Wireshark complement that handles 90% of diagnostic needs without leaving your terminal.
FAQ
Is NetWatch free and open source? Yes. MIT licensed. The core TUI is fully open source at https://github.com/matthart1983/netwatch. A separate hosted service (NetWatch Cloud) exists for fleet monitoring, but the TUI is intentionally independent.
Does NetWatch work on Windows?
Currently macOS and Linux only. The platform badges explicitly show macOS | Linux. Windows support would require substantial platform abstraction for the network collectors.
Can I run NetWatch in a container or CI pipeline?
Absolutely. The static Linux builds have zero runtime dependencies. Use the -static variant for Alpine-based containers. Capabilities setup (setcap) won't persist across image builds, so use sudo or run with --cap-add=NET_RAW in Docker.
How does NetWatch compare to tcpdump for packet capture?
NetWatch uses libpcap under the hood (same as tcpdump), so capture fidelity is identical. The difference is immediate usability: live protocol decoding, display filters, stream reassembly, and one-key export to .pcap for tcpdump/Wireshark when you need deeper analysis.
Is the AI Insights feature sending my network data to the cloud? Off by default. When enabled, it defaults to local Ollama with no external communication. You can configure a remote Ollama host or cloud endpoint, but this is explicit opt-in. No API keys are embedded in NetWatch.
Why Rust? Performance and safety. Parsing packets at line rate, maintaining connection state for thousands of flows, and rendering a 60fps TUI simultaneously requires zero-cost abstractions and predictable memory usage. Rust's ownership model eliminates entire classes of crashes that would be catastrophic in a long-running monitoring tool.
How do I contribute or report issues? See CONTRIBUTING.md in the repository. The project welcomes contributions and maintains a WIKI.md with architecture guidance.
Conclusion
NetWatch represents a generational shift in network tooling—not because it invents new capabilities, but because it integrates existing ones with ruthless coherence. The Rust foundation enables performance that makes this integration possible. The zero-config philosophy removes adoption friction. The flight recorder solves the observability problem that keeps engineers awake at night: catching transient failures before they evaporate.
After years of terminal multitool chaos, NetWatch feels like arriving at a destination you didn't know existed. One command. Instant visibility. From dashboard to packet bytes without switching contexts.
Install it now: brew install matthart1983/tap/netwatch or cargo install netwatch-tui. Arm the flight recorder on your next deployment. Experience what network diagnostics should have been all along.
Get NetWatch today: https://github.com/matthart1983/netwatch