Live network packet sniffer with a browser-based dashboard.
Captures packets off your network interface using Scapy, parses them in real time, and streams the results to a dark-themed dashboard in your browser — protocol breakdown, top attacking IPs, packets-per-second timeline, and a live-scrolling packet table with colour-coded severity.
sudo netspy → http://127.0.0.1:5000
![NetSpy dashboard showing live packet capture with protocol donut, timeline sparkline, and colour-coded packet table]
```bash
git clone https://github.com/kazim-45/netspy.git
cd netspy
pip install -e .
```

Packet capture requires root on Linux/macOS (Scapy needs raw socket access).
```bash
# Start the dashboard (opens browser automatically)
sudo netspy

# Custom port
sudo netspy --port 8080

# Expose on your local network so other devices can view it
sudo netspy --host 0.0.0.0

# Don't open browser automatically
sudo netspy --no-browser

# Help
netspy --help
```

Then in the browser:
- Pick a network interface from the dropdown (or leave blank for auto-detect)
- Optionally enter a BPF filter — e.g. `tcp port 443` or `host 192.168.1.1`
- Press ▶ START — packets stream in live
- Use the filter buttons to focus on TCP / UDP / DNS / HTTP / suspicious traffic
- Search by IP, port, or keyword in the search box
Sidebar — live counters
- Total packet count and bytes captured
- Per-protocol breakdown: TCP, UDP, DNS, ICMP, ARP
- Top 5 source IPs (who's sending the most traffic)
- Top 5 destination IPs (where traffic is going)
- Top 8 services by port (HTTP, HTTPS, DNS, SSH, etc.)
Chart row
- Protocol donut — visual split of traffic by type, updates every second
- Packets/sec sparkline — the last 60 seconds of traffic volume
Packet table
- Every captured packet: time, protocol pill, source, destination, length, info
- Colour coded by severity: 🔴 danger (Telnet, RDP), 🟡 warning (SSH attempts), normal
- Filters: ALL / TCP / UDP / DNS / HTTP / HTTPS / ICMP / ARP / ⚠ SUSPICIOUS
- Search box: filter by IP address, port number, or any info string
- Auto-scrolls as packets arrive; stops auto-scrolling when you scroll up
BPF (Berkeley Packet Filter) is the standard syntax for filtering captured traffic. Enter these in the filter box before pressing START:
| Filter | What it captures |
|---|---|
| `tcp port 80` | HTTP traffic only |
| `tcp port 443` | HTTPS traffic only |
| `host 8.8.8.8` | Traffic to/from Google DNS |
| `src net 192.168.1.0/24` | All traffic from your LAN |
| `icmp` | Ping traffic only |
| `not port 22` | Everything except SSH |
| `udp port 53` | DNS queries only |
| Severity | Colour | Examples |
|---|---|---|
| Danger | Red | Telnet (port 23) — plaintext credentials, RDP (3389) |
| Warning | Yellow | SSH connection attempts (SYN without ACK), SMB (445) |
| Info | Blue | ICMP pings, ARP requests |
| Normal | Teal | HTTP, HTTPS, DNS, standard TCP/UDP |
NetSpy runs two things at once:
Capture thread — Scapy's sniff() runs in a background thread, calling a callback for every packet. The callback parses the packet into a structured dict (protocol, IPs, ports, flags, info string, severity) and appends it to a thread-safe ring buffer capped at 500 packets.
Flask server — serves the dashboard HTML and exposes a JSON API. The browser polls /api/packets?since=N every second, fetching only packets it hasn't seen yet. It also polls /api/stats for the sidebar counters and timeline data.
This design means the capture engine and the web UI are completely decoupled — the sniffer never waits on the browser, and the browser never blocks the sniffer.
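An added example (not NetSpy's own code) of the capped ring buffer and `since=N` polling described above, using only the standard library. The class name `PacketRing`, the `seq` field and the evicted-record count returned to the poller are assumptions made for illustration.

```python
import threading
from collections import deque


class PacketRing:
    """Bounded, thread-safe buffer; every record gets an increasing seq."""

    def __init__(self, capacity=500):
        self._buf = deque(maxlen=capacity)  # oldest records are evicted first
        self._lock = threading.Lock()
        self._next_seq = 1

    def append(self, record):
        """Capture-thread side: store a parsed packet dict, return its seq."""
        with self._lock:
            seq = self._next_seq
            self._buf.append(dict(record, seq=seq))
            self._next_seq += 1
            return seq

    def since(self, cursor):
        """Poller side: (records with seq > cursor, new cursor, evicted count)."""
        with self._lock:
            if not self._buf:
                return [], cursor, 0
            oldest = self._buf[0]["seq"]
            # Records in (cursor, oldest) were overwritten before this poll.
            dropped = max(0, oldest - cursor - 1)
            fresh = [r for r in self._buf if r["seq"] > cursor]
            return fresh, self._buf[-1]["seq"], dropped


def demo():
    """One slow poller against a fast capture thread (constructed records)."""
    ring = PacketRing(capacity=500)

    def capture():
        for i in range(1200):
            ring.append({"proto": "TCP", "dport": 443, "length": 60 + i % 5})

    worker = threading.Thread(target=capture)
    worker.start()
    worker.join()
    fresh, cursor, dropped = ring.since(0)
    return len(fresh), cursor, dropped


if __name__ == "__main__":
    print(demo())
```

A non-zero evicted count tells the poller that its packet table has a gap, which is worth surfacing when the view is used to spot suspicious traffic during a burst.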
TCP, UDP, ICMP, ARP, DNS, HTTP, HTTPS, SSH, FTP, SMTP, Telnet, RDP, SMB, MySQL, PostgreSQL, Redis, MongoDB — automatically identified by port number with human-readable labels.
```
netspy/
├── netspy_pkg/
│   ├── __init__.py
│   ├── capture.py       ← Scapy sniffer, packet parser, ring buffer
│   ├── app.py           ← Flask routes and JSON API
│   └── cli.py           ← netspy command entry point
├── templates/
│   └── dashboard.html   ← single-file dashboard (HTML + CSS + JS)
├── pyproject.toml
├── requirements.txt
└── README.md
```
Only capture traffic on networks you own or have explicit permission to monitor. Capturing traffic on public or corporate networks without authorization is illegal in most countries. Use NetSpy on your own machine or home lab only.
MIT — use it, fork it, build on it.
Built by kazim-45 — part of a cybersecurity CLI toolkit alongside MetaHunter, MilkyWay-CTF, PassAudit, and LogWatch.