{"id":51236581,"url":"https://github.com/Flowtriq/nethawk","last_synced_at":"2026-07-04T11:00:44.715Z","repository":{"id":366209521,"uuid":"1275460514","full_name":"Flowtriq/nethawk","owner":"Flowtriq","description":"Real-time network traffic analysis in your terminal.","archived":false,"fork":false,"pushed_at":"2026-06-20T18:33:22.000Z","size":302,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-20T20:06:19.207Z","etag":null,"topics":["cli","ddos","ddos-detection","go","network-monitoring","network-security","packet-capture","pcap","security","terminal","traffic-analysis","tui"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Flowtriq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-20T18:06:19.000Z","updated_at":"2026-06-20T19:08:03.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Flowtriq/nethawk","commit_stats":null,"previous_names":["flowtriq/nethawk"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/Flowtriq/nethawk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flowtriq%2Fnethawk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flowtriq%2Fnethawk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flowtriq%2Fnethawk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flowtriq%2Fnethawk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Flowtriq","download_url":"https://codeload.github.com/Flowtriq/nethawk/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flowtriq%2Fnethawk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35118971,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-04T02:00:05.987Z","response_time":113,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","ddos","ddos-detection","go","network-monitoring","network-security","packet-capture","pcap","security","terminal","traffic-analysis","tui"],"created_at":"2026-06-28T21:00:25.569Z","updated_at":"2026-07-04T11:00:44.709Z","avatar_url":"https://github.com/Flowtriq.png","language":"Go","funding_links":[],"categories":["Networking"],"sub_categories":["Transliteration"],"readme":"\u003ch1 align=\"center\"\u003e◆ NetHawk\u003c/h1\u003e\n\n\u003ch3 align=\"center\"\u003eReal-time network traffic analysis in your terminal.\u003c/h3\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#install\"\u003eInstall\u003c/a\u003e •\n  \u003ca href=\"#usage\"\u003eUsage\u003c/a\u003e •\n  \u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e •\n  \u003ca href=\"#json-mode\"\u003eJSON Mode\u003c/a\u003e •\n  \u003ca href=\"#attack-detection\"\u003eAttack Detection\u003c/a\u003e •\n  \u003ca href=\"#contributing\"\u003eContributing\u003c/a\u003e •\n  \u003ca href=\"https://discord.gg/SsTWMYuyGG\"\u003eDiscord\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/Flowtriq/nethawk/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/Flowtriq/nethawk?style=flat-square\u0026color=00d4aa\" alt=\"Release\"\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-MIT-blue?style=flat-square\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/Flowtriq/nethawk/actions\"\u003e\u003cimg src=\"https://img.shields.io/github/actions/workflow/status/Flowtriq/nethawk/build.yml?style=flat-square\" alt=\"Build\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/Flowtriq/nethawk\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/Flowtriq/nethawk?style=flat-square\" alt=\"Go Report\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://discord.gg/SsTWMYuyGG\"\u003e\u003cimg src=\"https://img.shields.io/discord/1234567890?style=flat-square\u0026label=discord\u0026color=5865F2\" alt=\"Discord\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/Flowtriq/nethawk/main/.github/demo.gif\" alt=\"NetHawk Demo\" width=\"700\"\u003e\n\u003c/p\u003e\n\n---\n\nSSH into a server. Run `nethawk`. See everything hitting your network in real time.\n\nNo config files. No databases. No web servers. One 5MB binary.\n\n## Install\n\n### One-liner (Linux/macOS)\n\n```bash\ncurl -sSfL https://raw.githubusercontent.com/Flowtriq/nethawk/main/install.sh | sudo sh\n```\n\n### From source\n\n```bash\ngo install github.com/Flowtriq/nethawk/cmd/nethawk@latest\n```\n\n### From release\n\nDownload the binary for your platform from [Releases](https://github.com/Flowtriq/nethawk/releases).\n\n### Prerequisites\n\nNetHawk uses `libpcap` for packet capture:\n\n- **Linux (Debian/Ubuntu):** `sudo apt install libpcap-dev`\n- **Linux (RHEL/CentOS):** `sudo yum install libpcap-devel`\n- **macOS:** included with the system\n\n## Usage\n\n```bash\n# auto-detect interface, default threshold\nsudo nethawk\n\n# specify interface\nsudo nethawk -i eth0\n\n# custom attack detection threshold (PPS)\nsudo nethawk -i eth0 -t 100000\n\n# JSON output (for piping to other tools)\nsudo nethawk -json\n\n# list available interfaces\nnethawk -list\n```\n\nRoot is required because raw packet capture needs it. That's the same as tcpdump, Wireshark, or any other packet capture tool.\n\n## Features\n\n### Real-Time Traffic Dashboard\n\n- **Bandwidth and packet rate** — live Gbps/Mbps and PPS with peak tracking\n- **60-second sparkline** — color-coded traffic history at a glance\n- **Protocol breakdown** — TCP, UDP, ICMP percentages with visual bars\n- **Top source IPs** — who's sending you the most traffic, ranked by packet count\n- **Top destination ports** — which services are being hit, with percentages\n\n### Attack Detection\n\nNetHawk classifies traffic patterns in real time. When packets per second exceed your threshold, it identifies the attack vector:\n\n| Severity | Trigger | Color |\n|----------|---------|-------|\n| NORMAL | Below threshold | Green |\n| MEDIUM | 1x threshold | Yellow |\n| HIGH | 2x threshold | Orange |\n| CRITICAL | 5x threshold | Red |\n\nAttack types detected:\n\n- DNS Amplification (UDP/53)\n- NTP Amplification (UDP/123)\n- Memcached Amplification (UDP/11211)\n- SSDP Amplification (UDP/1900)\n- LDAP Amplification (UDP/389)\n- SNMP Amplification (UDP/161)\n- CharGEN Amplification (UDP/19)\n- UDP Flood\n- SYN Flood\n- TCP Flood (with port identification)\n- ICMP Flood\n- Volumetric (mixed protocol)\n\n### JSON Mode\n\nPipe structured data to jq, custom alerting, log aggregation, or anything else:\n\n```bash\nsudo nethawk -json | jq '.severity'\n```\n\n```json\n{\n  \"timestamp\": \"2026-06-20T14:30:00Z\",\n  \"interface\": \"eth0\",\n  \"pps\": 234000,\n  \"bps\": 1240000000,\n  \"tcp_pct\": 45.2,\n  \"udp_pct\": 42.1,\n  \"icmp_pct\": 12.7,\n  \"unique_src_ips\": 847,\n  \"top_sources\": [\n    {\"ip\": \"192.168.1.100\", \"count\": 89000}\n  ],\n  \"top_ports\": [\n    {\"port\": 53, \"protocol\": \"UDP\", \"count\": 98700, \"percent\": 42.1}\n  ],\n  \"avg_pkt_size\": 512,\n  \"severity\": \"NORMAL\"\n}\n```\n\n## How It Works\n\nNetHawk captures packets directly from your network interface using libpcap. Every second, it aggregates:\n\n1. **Packet and byte counters** — total throughput\n2. **Protocol classification** — L4 protocol of each packet\n3. **Source IP tracking** — unique source IPs (capped at 100K to bound memory)\n4. **Destination port tracking** — which ports are receiving traffic\n5. **Attack classification** — compares current PPS against threshold, identifies vector from protocol/port patterns\n\nEverything runs in-process. No data leaves the machine. No cloud. No accounts. No phone-home.\n\n## Comparison\n\n| | NetHawk | iftop | nload | bandwhich | Wireshark |\n|--|---------|-------|-------|-----------|-----------|\n| Real-time TUI | Yes | Yes | Yes | Yes | No (GUI) |\n| Protocol breakdown | Yes | No | No | No | Yes |\n| Top source IPs | Yes | Connections | No | Per-process | Yes |\n| Top dest ports | Yes | No | No | No | Yes |\n| Attack detection | Yes | No | No | No | No |\n| Attack classification | Yes | No | No | No | No |\n| JSON output | Yes | No | No | No | Yes |\n| Single binary | Yes | No | No | Yes | No |\n| Zero config | Yes | Yes | Yes | Yes | No |\n\n## For production DDoS protection\n\nNetHawk shows you what's hitting your network. If you need something that **stops** it automatically — 24/7 monitoring, auto-mitigation, alerting, team dashboards, incident forensics — check out [Flowtriq](https://flowtriq.com).\n\n## Contributing\n\nContributions welcome. Some ideas:\n\n- **Detection algorithms** — new attack vector classifiers\n- **Output formats** — CSV, InfluxDB line protocol, Prometheus metrics\n- **GeoIP enrichment** — map source IPs to countries/ASNs\n- **Historical views** — longer time windows, scrollable history\n- **Interface switching** — toggle between interfaces in the TUI\n\n```bash\ngit clone https://github.com/Flowtriq/nethawk\ncd nethawk\nmake build\nsudo ./bin/nethawk\n```\n\n## Learn More\n\n- [NetHawk on GitHub](https://github.com/Flowtriq/nethawk) - Source code, issues, and releases\n- [Start Free Trial](https://flowtriq.com/signup) - 14-day free trial, no credit card required\n- [Flowtriq](https://flowtriq.com) - Real-time DDoS detection and mitigation\n\n## Get Started with Flowtriq\n\nNetHawk shows you what's hitting your network. For 24/7 automated protection, start your free 14-day trial at [flowtriq.com/signup](https://flowtriq.com/signup).\n\n## License\n\nMIT. See [LICENSE](LICENSE).\n\n---\n\nBuilt by [Flowtriq](https://flowtriq.com) - Real-time DDoS detection and mitigation.\n\n## See also\n\n- [ftagent-lite](https://github.com/Flowtriq/ftagent-lite) — lightweight Python DDoS monitor (single-file, pip install, JSON output)\n- [Flowtriq](https://flowtriq.com) — managed DDoS detection and mitigation platform\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFlowtriq%2Fnethawk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FFlowtriq%2Fnethawk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFlowtriq%2Fnethawk/lists"}