NetMonSec — Whole-Network Intelligence Platform

A production-grade network monitoring system written in C++17 that captures and analyzes every packet on your network at the kernel level. Provides per-device visibility into every incoming and outgoing connection with full Layer 2–7 decoding, a real-time REST API, and a React web dashboard.


Features

| Category | Capability |
|---|---|
| Capture | Multi-NIC simultaneous capture, SPAN/mirror port support, promiscuous mode |
| Discovery | Passive ARP, LLDP, mDNS, DHCP, NetBIOS, SSDP device discovery — no active scanning |
| Parsing | Full L2 (Ethernet, VLAN 802.1Q/QinQ) + L3 (IPv4/IPv6 with all header fields) + L4 (TCP flags/seq/window/options, UDP, ICMP) |
| DPI | L7 fingerprinting: HTTP, TLS/SNI, DNS, SSH, SMB, RDP, SMTP, FTP, QUIC, MySQL, Redis, MQTT, SSDP, and more |
| Flow tracking | TCP state machine (SYN→ESTABLISHED→TIME_WAIT), RTT, jitter, retransmit detection |
| Per-device | Every inbound/outbound/lateral connection per device with bytes, RTT, SNI, geo-IP |
| OS fingerprint | Passive p0f-style identification from TCP SYN (TTL, window, MSS, options) |
| Anomaly | Port scan (vertical/horizontal), SYN flood, traffic spike, DNS tunneling, NXDOMAIN rate, data exfiltration, lateral movement |
| Storage | SQLite (devices/alerts/flows) + rotating daily CSV logs + optional InfluxDB |
| API | REST JSON API (8 endpoints) + WebSocket live event feed |
| Dashboard | React web UI: Overview, Device List, Device Detail, Live Flows, Alerts, D3 Topology graph |
| Concurrency | Lock-free SPSC ring buffer, sharded flow/device tables, CPU-pinned capture threads |

Requirements

```bash
# Debian / Ubuntu
sudo apt install build-essential cmake libpcap-dev libsqlite3-dev zlib1g-dev

# Fedora / RHEL
sudo dnf install cmake libpcap-devel sqlite-devel zlib-devel gcc-c++

# Node.js (for dashboard build)
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo bash -
sudo apt install nodejs
```

Build

```bash
# Clone and build
git clone https://github.com/your-org/netmonsec.git
cd netmonsec

cmake -B build -DCMAKE_BUILD_TYPE=Release -DWITH_TUI=ON -DWITH_INFLUXDB=ON
cmake --build build --parallel $(nproc)

# Grant capture capability (avoids running as root)
sudo setcap cap_net_raw,cap_net_admin+eip build/netmonsec
```

Build the dashboard (optional)

```bash
cd dashboard
npm install
npm run build          # outputs to src/ui/static/
```

Usage

```text
./build/netmonsec [options]

Options:
  -c <path>   Config file           (default: config/netmonsec.toml)
  -i <iface>  Override interface    (e.g. -i eth0)
  -v          Verbose / debug logs
  --list      List available interfaces and exit
  --help      Show help
```

Quick start

```bash
# Monitor eth0 with defaults
./build/netmonsec -c config/netmonsec.toml -i eth0

# Open dashboard
xdg-open http://localhost:8080

# REST API examples
curl http://localhost:8080/api/v1/stats
curl http://localhost:8080/api/v1/devices
curl http://localhost:8080/api/v1/devices/aa:bb:cc:dd:ee:ff/flows
curl http://localhost:8080/api/v1/alerts
curl http://localhost:8080/api/v1/topology
```

Config hot-reload

```bash
# Edit config/netmonsec.toml, then:
kill -HUP $(pgrep netmonsec)
```

Architecture

```text
Kernel Ring Buffer (TPACKET_V3)
        |
        v  [Capture thread per NIC — CPU isolated]
 Lock-free SPSC RingBuffer (65536 slots)
        |
        v  [N-1 worker threads — ThreadPool]
 PacketParser (L2/L3/L4)
    --> ARPWatcher  (passive device discovery)
    --> LLDPWatcher (DHCP/mDNS/NetBIOS/SSDP enrichment)
    --> DPIEngine   (L7 protocol + TLS SNI)
    --> OSFingerprint (TCP SYN signatures)
    --> FlowTracker  (TCP state machine, 16 shards)
    --> DeviceTracker (per-device conn tables, 16 shards)
    --> MetricsEngine (lock-free atomic counters)
    --> AnomalyDetector (rules engine)
        |
        v  [Stats thread — 1Hz]
 MetricsEngine.tick() --> GlobalSnapshot
 AnomalyDetector.tick() --> Alerts
 FlowTracker.expire_idle() --> SQLite + CSV
        |
        v
 AlertManager --> SQLite | CSV | WebSocket
 REST API (cpp-httplib) :8080
 WebSocket feed         :8081
```
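The Anomaly row of the Features table and the AnomalyDetector stage above name vertical and horizontal port-scan detection without showing the rule. The following C++17 sketch is an added example, not NetMonSec's own code: it counts distinct destination ports per host (vertical) and distinct hosts per destination port (horizontal) for each source inside a time window, alerting once per kind per window. The `SynEvent` record, the thresholds (10) and the 60 s window are assumptions for the illustration, and the sample SYN stream is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <vector>
// One TCP SYN as a flow tracker would hand it to a detector (constructed record, not NetMonSec's type).
struct SynEvent { uint32_t src; uint32_t dst; uint16_t dport; uint64_t ts; };
enum class Scan { Vertical, Horizontal };
struct ScanAlert { Scan kind; uint32_t src; std::size_t count; };

class PortScanDetector {
    struct SrcState {
        uint64_t window_start = 0;
        std::map<uint32_t, std::set<uint16_t>> ports_per_dst;  // dst host -> distinct ports probed
        std::map<uint16_t, std::set<uint32_t>> dsts_per_port;  // dst port -> distinct hosts probed
        bool vert_alerted = false, horiz_alerted = false;
    };
    std::map<uint32_t, SrcState> state_;
    std::size_t vert_thr_, horiz_thr_;
    uint64_t window_;
public:
    PortScanDetector(std::size_t vert_thr, std::size_t horiz_thr, uint64_t window_s)
        : vert_thr_(vert_thr), horiz_thr_(horiz_thr), window_(window_s) {}

    // Feed one SYN; raises at most one alert of each kind per source per window.
    std::vector<ScanAlert> feed(const SynEvent& e) {
        std::vector<ScanAlert> out;
        SrcState& s = state_[e.src];
        if (e.ts - s.window_start >= window_) s = SrcState{e.ts};  // window expired: start fresh
        s.ports_per_dst[e.dst].insert(e.dport);
        s.dsts_per_port[e.dport].insert(e.dst);
        std::size_t ports = s.ports_per_dst[e.dst].size();    // vertical: one host, many ports
        std::size_t hosts = s.dsts_per_port[e.dport].size();  // horizontal: one port, many hosts
        if (!s.vert_alerted && ports >= vert_thr_) { s.vert_alerted = true; out.push_back({Scan::Vertical, e.src, ports}); }
        if (!s.horiz_alerted && hosts >= horiz_thr_) { s.horiz_alerted = true; out.push_back({Scan::Horizontal, e.src, hosts}); }
        return out;
    }
};

// Constructed sample: 10.0.0.5 probes 12 ports on one host, 10.0.0.9 tries port 445 on 12 hosts,
// and 10.0.0.2 makes 12 ordinary connections to one HTTPS server (benign, must not alert).
std::vector<SynEvent> sample_events() {
    std::vector<SynEvent> v;
    for (uint16_t p = 20; p < 32; ++p) v.push_back({0x0A000005u, 0x0A000010u, p, 1000u + p});
    for (uint32_t h = 0; h < 12; ++h)  v.push_back({0x0A000009u, 0x0A000020u + h, 445, 1100u + h});
    for (uint32_t i = 0; i < 12; ++i)  v.push_back({0x0A000002u, 0x0A000010u, 443, 1200u + i});
    return v;
}

// Thresholds (10 ports / 10 hosts) and the 60 s window are assumed values, not the project's defaults.
std::vector<ScanAlert> detect(const std::vector<SynEvent>& events) {
    PortScanDetector det(10, 10, 60); std::vector<ScanAlert> alerts;
    for (const auto& e : events) for (const auto& a : det.feed(e)) alerts.push_back(a);
    return alerts;
}
```

Running `detect(sample_events())` yields exactly two alerts, a vertical one for 10.0.0.5 and a horizontal one for 10.0.0.9, each raised at the tenth distinct port or host; the repeated connections from 10.0.0.2 stay below both thresholds.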

Kernel Tuning (optional, for high-PPS environments)

```bash
# Increase socket buffer to 64MB
sudo sysctl -w net.core.rmem_max=67108864
sudo sysctl -w net.core.rmem_default=67108864

# Increase kernel packet backlog
sudo sysctl -w net.core.netdev_max_backlog=250000
sudo sysctl -w net.core.netdev_budget=600

# Disable IRQ coalescing on capture NIC (lower latency)
sudo ethtool -C eth0 rx-usecs 0

# Make persistent
echo "net.core.rmem_max=67108864" | sudo tee -a /etc/sysctl.conf
echo "net.core.netdev_max_backlog=250000" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```

REST API Reference

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/stats | Global PPS, BPS, flow/device counts, protocol distribution |
| GET | /api/v1/devices | All discovered devices with summary stats |
| GET | /api/v1/devices/:mac | Single device detail |
| GET | /api/v1/devices/:mac/flows | All connections for a device |
| GET | /api/v1/flows?limit=N | Global live flow table |
| GET | /api/v1/alerts?limit=N | Alert history |
| GET | /api/v1/topology | D3-compatible network graph (nodes + links) |
| GET | /api/v1/health | Liveness check |

Data Directory Layout

```text
data/
  netmonsec.db          SQLite — devices, alerts, flows
  packets_YYYYMMDD.csv  Raw packet metadata log (sampled 1/100)
  alerts_YYYYMMDD.csv   All alerts with detail
  flows_YYYYMMDD.csv    Expired flow summaries
  netmonsec.log         Application log
```

License

See LICENSE.