network tools

i wanted to understand what was actually happening on a network. so i built the tools to look at it.

Two problems at work pushed me here. A vendor changed network configs and crashes started happening around the same time. I needed to see the traffic to prove the connection. Separately, we inherited hardware and software from a vendor going bankrupt. No licence, no support, no docs. I had questions basic enough that I felt they deserved answers anyway. At one point I was ready to sniff the wire, reverse the protocol, and write a partial open implementation.

Wireshark could have done most of it. But ngrep's feature set has barely moved since the late 90s and it can't handle TLS. Wireshark needs a display server you don't have over SSH. tshark gives you everything but buries it in noise. I kept wanting tools that didn't quite exist, so I started building them.

netgrep

capture + search

grep for the network. TCP stream reassembly, TLS 1.2/1.3 decryption, HTTP/2 and DNS parsing.

  • Stream reassembly before matching
  • Decrypt TLS with SSLKEYLOGFILE
  • HTTP/1.1, HTTP/2, DNS modes
  • Interactive ratatui TUI
rust · libpcap

wiregraph

visualize

real-time dashboard. topology map, protocol breakdown, packet inspection, conversation analysis.

  • Live capture or pcap replay
  • Click-to-filter across all panels
  • Stacked per-protocol timeline
  • Rolling window, runs forever
rust · vanilla js

termshark

analyze

wireshark for the terminal. three-pane layout, display filters, hex dump. no GUI required.

  • Full Wireshark filter syntax
  • Packet list + protocol tree + hex
  • TCP/UDP stream reassembly
  • Capture live or read pcap
go · tshark

netgrep

the capture engine

ngrep's feature set hasn't changed since the late 90s. netgrep is what it would look like if it had.

# decrypt TLS and grep the plaintext. the key log has to be written by the
# TLS *client* (or server), not by netgrep — sudo also strips the variable
SSLKEYLOGFILE=keys.log curl -s https://example.com/ >/dev/null
sudo netgrep --keylog keys.log "session_token"

# HTTP-aware mode — match against headers and bodies
sudo netgrep --http "Authorization"

# DNS-aware mode — match against domains
sudo netgrep -F "udp port 53" --dns "suspicious-domain"

# interactive terminal UI
sudo netgrep --tui

stream reassembly

TCP streams are reassembled bidirectionally before matching. You match against complete application-layer payloads, not raw packets. This is the killer feature.
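To make the difference concrete, here is an added example (mine, not netgrep's code) of the two approaches side by side. It builds three constructed IPv4/TCP segments of one HTTP response in which "session_token" straddles a segment boundary and the segments arrive out of order, then runs a per-packet grep (what plain ngrep does) and a grep over the reassembled stream. The packet builder, the flow keying and the sample bytes are all assumptions made for the demo; real reassembly also has to handle retransmission overlap, gaps and memory limits, which this toy skips.

```python
import re
import struct
from collections import defaultdict


def build_segment(src, dst, sport, dport, seq, payload):
    """Build a minimal IPv4+TCP packet (checksums left zero; never sent)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src, dst)
    return ip_hdr + tcp_hdr + payload


def parse_segment(pkt):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP packet, else None."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = pkt[12:16], pkt[16:20]
    tcp = pkt[ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), seq, tcp[doff:]


def reassemble(packets):
    """Group segments per direction, order by sequence number, concatenate.

    Handles out-of-order arrival. Retransmission overlap, gaps and memory
    limits are deliberately not handled in this toy."""
    flows = defaultdict(dict)
    for pkt in packets:
        parsed = parse_segment(pkt)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            flows[key][seq] = payload
    return {key: b"".join(segs[s] for s in sorted(segs)) for key, segs in flows.items()}


def grep_packets(packets, pattern):
    """What plain ngrep does: match each segment's payload on its own."""
    pat = re.compile(pattern)
    return [p[2] for p in map(parse_segment, packets) if p and pat.search(p[2])]


def grep_streams(packets, pattern):
    """Stream-aware matching: match against the reassembled payload per direction."""
    pat = re.compile(pattern)
    return {key: [m.group(0) for m in pat.finditer(data)]
            for key, data in reassemble(packets).items() if pat.search(data)}


# Constructed traffic (assumption for the demo): one HTTP response from
# 10.0.0.1:443 to 10.0.0.2:51000, split so "session_token" straddles a
# segment boundary, and delivered out of order.
SERVER, CLIENT = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
RESPONSE = b"HTTP/1.1 200 OK\r\nSet-Cookie: session_token=abc123; HttpOnly\r\n\r\nok"
CUT1 = RESPONSE.index(b"session_") + 4        # "...sess" | "ion_token=..."
CUT2 = CUT1 + 20
PACKETS = [
    build_segment(SERVER, CLIENT, 443, 51000, 1000 + CUT1, RESPONSE[CUT1:CUT2]),
    build_segment(SERVER, CLIENT, 443, 51000, 1000, RESPONSE[:CUT1]),
    build_segment(SERVER, CLIENT, 443, 51000, 1000 + CUT2, RESPONSE[CUT2:]),
]

if __name__ == "__main__":
    print("per-packet hits:", grep_packets(PACKETS, rb"session_token=\w+"))
    print("per-stream hits:", grep_streams(PACKETS, rb"session_token=\w+"))
```

The per-packet grep returns nothing for the token, because no single segment carries the whole string; the stream grep finds it once the segments are ordered and joined.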

TLS decryption

TLS 1.2 and 1.3 via SSLKEYLOGFILE. AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305. ECDHE-ECDSA, ECDHE-RSA, RSA key exchange. Decryption only covers sessions whose secrets are in the key log, so the client (or server) has to be writing it while you capture; nothing is recovered from the wire alone. In 2025, if you can't read TLS you can't read traffic.

protocol modes

--http parses HTTP/1.1 and HTTP/2 (auto-detected via the HTTP/2 connection preface). HTTP/2 is almost always carried over TLS, so in practice --http pairs with --keylog. --dns parses queries and responses. Match against headers, domains, record data.
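Why a DNS-aware mode is needed at all, as an added example (mine, not netgrep's code): on the wire a name is a sequence of length-prefixed labels, so the dotted string "suspicious-domain.example" never appears literally and a raw byte grep for it misses. The parser below decodes a constructed response, follows the compression pointer in the answer section (with a hop limit, since a crafted packet can loop pointers), and matches the needle against the decoded query name, answer names and A-record data. The message bytes and the matching helper are assumptions for the demo.

```python
import struct


def read_name(msg, off):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).

    Returns (dotted name, offset just past the name in the *original* position)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # resume here after the name
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_dns(msg):
    """Parse header, question names and answer records from a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: dotted quad
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == 5:                                # CNAME: another (possibly compressed) name
            rdata = read_name(msg, off - rdlen)[0]
        answers.append((name, rtype, rdata))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def dns_match(msg, needle):
    """Return every decoded name or textual rdata that contains the needle."""
    rec = parse_dns(msg)
    fields = (rec["questions"]
              + [name for name, _, _ in rec["answers"]]
              + [rdata for _, _, rdata in rec["answers"] if isinstance(rdata, str)])
    return [f for f in fields if needle in f]


def encode_name(name):
    """Encode a dotted name as length-prefixed labels plus the root terminator."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


# Constructed response (assumption for the demo): standard query response,
# one question, one A answer whose owner name is a pointer (0xC00C) to offset 12.
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + encode_name("suspicious-domain.example") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7]))

if __name__ == "__main__":
    print("raw grep finds it:", b"suspicious-domain.example" in RESPONSE)
    print("dns-aware match:", dns_match(RESPONSE, "suspicious-domain"))
```

The raw grep is False and the decoded match returns the name twice (question and answer owner), which is the gap --dns closes: the tool matches what the resolver sees, not the encoding.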

ngrep-compatible

The flags you know: -i, -v, -x, -q, -n, -d, -I, -F. Drop-in replacement for scripts that already use ngrep, with all the new capabilities available when you need them.


wiregraph

the visualization layer

netgrep finds packets. wiregraph shows you the shape of the traffic. see it live.

top talkers + matrix

Hosts ranked by volume. NxN connection matrix colored by protocol and intensity. Click any host to filter all panels to its traffic. Click a matrix cell to see the full A↔B conversation.

protocol toggles + search

Click a protocol bar to isolate it everywhere. Search by IP, CIDR subnet, or port. Everything filters live — host table, matrix, timeline, packet drawer.

stacked timeline

Per-protocol bytes/sec as a stacked area chart. Responds to filters. Click a host and the timeline shows just that host's traffic composition changing over time.

zero-dependency frontend

Single Rust binary. The entire frontend is an embedded HTML string — no build step, no node_modules, no framework. Vanilla JS + canvas. Polls a JSON API once per second. Rolling window retention so it runs indefinitely without growing memory.


termshark

the analysis interface

When you're SSH'd into production and need Wireshark but don't have X11.

# live capture with a display filter
sudo termshark -i eth0 -Y "http.request"

# read a pcap and filter to a conversation
termshark -r capture.pcap -Y "ip.addr == 10.0.0.1 && tcp.port == 443"

wireshark display filters

Full Wireshark filter syntax via tshark. The same expressions you'd type in Wireshark work here. No new DSL to learn.

three-pane layout

Packet list, protocol detail tree, hex dump. Navigate with keyboard. Expand/collapse protocol layers. The same mental model as Wireshark, adapted for the terminal.


why build all three

netgrep and wiregraph share the same Rust library for packet parsing, protocol classification, and pcap I/O. The protocol labels in wiregraph's dashboard are the same classifiers netgrep uses for filtering. A pcap exported from wiregraph can be loaded into termshark for deep analysis. The tools compose.

I just really like looking at network traffic.

rust · go · libpcap · etherparse · ratatui · tshark · serde · canvas · vanilla js