Real-time network surveillance tool for discovering IoT devices, monitoring their traffic, intercepting DNS queries, and inspecting packet-level data on your local network.
Built in response to growing concerns about IoT devices being exploited as residential proxies and botnet nodes. NetSentry gives you full visibility into what every device on your network is doing.
- ARP-based device scanning - discovers all devices on your local subnet
- Vendor identification via MAC address OUI lookup
- Device type classification - routers, phones, smart TVs, security cameras, robot vacuums, IoT sensors, and more
- Smart iconography - 15+ SVG icons mapped to device types and vendors
- Real-time packet capture via `tcpdump` with ASCII payload extraction
- Per-device traffic monitoring - select any device to inspect its traffic
- Protocol detection - HTTP, HTTPS, DNS, SSH, FTP, MQTT, CoAP, SOCKS, and more
- TCP flag decoding - SYN, ACK, FIN, RST, PSH with human-readable labels
- Traffic statistics - packets, bytes transferred, unique destinations, risk scoring
- Built-in DNS proxy - intercepts all DNS queries when devices use your machine as DNS server
- Passive DNS monitoring - fallback `tcpdump`-based DNS capture
- Per-device DNS profiles - see which domains each device contacts
- Top domains ranking - identify the most contacted domains per device
- Suspicious domain detection - flags DynDNS, free TLDs, and suspicious patterns
- Connection flow diagram - visual Source → Protocol → Destination layout
- Full packet metadata - timestamp, direction, protocol, port service name, size, TCP flags
- ASCII payload viewer - see raw HTTP headers, DNS queries, and unencrypted data
- Reverse DNS lookup - automatic hostname resolution for remote IPs
- IP intelligence - links to IPinfo.io, AbuseIPDB, and Shodan for public IPs
- Related packets - group packets by connection (same src/dst pair)
- Copy to clipboard - full packet details including payload
- Replay captured requests - pre-fills destination IP, port, and protocol
- Full HTTP client - edit URL, method (GET/POST/PUT/DELETE/PATCH/HEAD/OPTIONS), headers, and body
- Response inspector - status code, timing, response headers, and full response body
- Supports HTTPS - with self-signed certificate tolerance
- Per-device risk scoring (0-100) based on traffic patterns
- Alert system - detects proxy ports, botnet indicators, suspicious DNS, and anomalies
- Severity levels - low, medium, high, critical with visual indicators
- Protocol distribution - donut chart showing traffic breakdown
- Traffic over time - real-time line chart of inbound/outbound data
- Risk gauges - per-device risk bars with color-coded severity
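
To make the "suspicious domain detection" feature concrete, here is an added example of that kind of heuristic applied to a per-device DNS log. It is not NetSentry's own `analyzer.js` code; the suffix lists, thresholds, function names and sample queries are assumptions chosen for illustration.

```javascript
// Added example: heuristic DNS-name triage. The suffix lists and thresholds
// below are illustrative assumptions, not NetSentry's own rules.
const DYNDNS_SUFFIXES = ['duckdns.org', 'no-ip.com', 'ddns.net', 'dyndns.org', 'hopto.org'];
const FREE_TLDS = ['tk', 'ml', 'ga', 'cf', 'gq'];

// Shannon entropy in bits per character; random-looking labels score high.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Returns the reasons a queried name looks suspicious (empty array = clean).
function classifyDomain(qname) {
  const name = qname.toLowerCase().replace(/\.$/, ''); // drop trailing root dot
  const labels = name.split('.');
  const reasons = [];
  if (DYNDNS_SUFFIXES.some((s) => name === s || name.endsWith('.' + s))) reasons.push('dyndns');
  if (FREE_TLDS.includes(labels[labels.length - 1])) reasons.push('free-tld');
  // Long, high-entropy label: typical of machine-generated hostnames.
  if (labels.some((l) => l.length >= 16 && entropy(l) >= 3.5)) reasons.push('random-label');
  // Mostly-digit label, e.g. an address or node id embedded in the name.
  const digitHeavy = (l) => l.length >= 8 && (l.match(/\d/g) || []).length / l.length > 0.5;
  if (labels.some(digitHeavy)) reasons.push('digit-heavy');
  return reasons;
}

// Constructed sample log of [client IP, queried name]; not real captures.
const sampleQueries = [
  ['192.168.1.23', 'time.apple.com.'],
  ['192.168.1.40', 'cam-relay.duckdns.org'],
  ['192.168.1.40', 'update.example.tk'],
  ['192.168.1.57', 'x7f3k9q2mz8w1pb4vd6n.example.net'],
];

// Group flagged names per device, mirroring a per-device DNS profile.
function flagByDevice(queries) {
  const out = {};
  for (const [ip, qname] of queries) {
    const reasons = classifyDomain(qname);
    if (reasons.length) (out[ip] = out[ip] || []).push({ qname, reasons });
  }
  return out;
}
```

Suffix matching is done on label boundaries, so a name such as `notduckdns.org` is not flagged as dynamic DNS.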
- macOS or Linux (uses `tcpdump` and `arp`)
- Node.js 18+
- sudo access (required for packet capture and DNS proxy on port 53)
```bash
# Clone the repo
git clone https://github.com/viralcode/netsentry.git
cd netsentry
# Install dependencies
npm install
# Run with sudo (required for tcpdump and port 53)
sudo node server.js
```

Open http://localhost:3000 in your browser.
- Express server starts on port 3000
- DNS proxy binds to your LAN IP on port 53
- WebSocket server initializes for real-time updates
- Dashboard is ready - click Scan Network to discover devices
```
┌─────────────────────────────────────────────────┐
│                  Browser (UI)                   │
│  Device Grid │ Inspector │ Packet Drawer        │
│  DNS Log │ Alerts │ Charts                      │
└──────────────┬──────────────────────────────────┘
               │ WebSocket + REST API
┌──────────────┴──────────────────────────────────┐
│                 Node.js Server                  │
│ ┌──────────┐ ┌──────────┐ ┌─────────────────┐   │
│ │ Scanner  │ │ Capture  │ │    DNS Proxy    │   │
│ │  (arp)   │ │(tcpdump) │ │  (UDP port 53)  │   │
│ └──────────┘ └──────────┘ └─────────────────┘   │
│ ┌───────────────────────────────────────────┐   │
│ │             Traffic Analyzer              │   │
│ │  Risk scoring, protocol detection,        │   │
│ │  anomaly detection, alert generation      │   │
│ └───────────────────────────────────────────┘   │
└─────────────────────────────────────────────────┘
```
```
netsentry/
├── server.js              # Main server: Express + WebSocket + DNS Proxy
├── lib/
│   ├── scanner.js         # Network scanning (arp, ping sweep)
│   ├── capture.js         # Traffic capture via tcpdump (with payload)
│   ├── analyzer.js        # Traffic analysis & risk scoring
│   └── dns-proxy.js       # UDP DNS proxy server
├── public/
│   ├── index.html         # Single-page dashboard
│   ├── css/style.css      # Glassmorphic dark theme design system
│   └── js/app.js          # Frontend: WebSocket, charts, drawer, request builder
└── package.json
```
To see DNS queries from all devices on your network (not just your Mac):
- Set your router's DNS server to your Mac's IP (shown in the terminal output)
- Or configure individual devices to use your Mac as DNS
| Variable | Default | Description |
|---|---|---|
| `PORT` | `3000` | HTTP server port |
- This tool requires root/sudo for packet capture and DNS port 53
- Only use on networks you own or have permission to monitor
- The DNS proxy forwards all queries to upstream (8.8.8.8 by default)
- The request builder can send HTTP requests to any host - use responsibly
- No data is sent externally β everything stays local
- Backend: Node.js, Express, WebSocket (`ws`)
- Frontend: Vanilla JS, CSS (no frameworks)
- Network: `tcpdump`, `arp`, raw UDP sockets (DNS proxy)
- Design: Glassmorphic dark theme, SVG icon system, Canvas charts
| Method | Endpoint | Description |
|---|---|---|
| GET | `/api/network-info` | Get network interface info |
| GET | `/api/scan` | Trigger network scan |
| GET | `/api/devices` | Get cached scan results |
| POST | `/api/capture/start/:ip` | Start packet capture for device |
| POST | `/api/capture/stop/:ip` | Stop capture for device |
| GET | `/api/dns-log` | Get DNS query log |
| GET | `/api/device-dns/:ip` | Get DNS profile for a device |
| GET | `/api/lookup/:ip` | Reverse DNS + IP metadata |
| POST | `/api/request-builder` | Send arbitrary HTTP request |
| GET | `/api/alerts` | Get security alerts |
| GET | `/api/dns-proxy/stats` | DNS proxy statistics |
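
Routes that take an `:ip` parameter and drive `tcpdump` from a root process should validate that parameter strictly before it becomes part of a capture filter. The following is an added example of such a check, not code from NetSentry's `capture.js`; the function names and the interface argument are hypothetical.

```javascript
// Added example: validating a capture target before it reaches tcpdump.
// Function names and the interface argument are hypothetical.

// Strict dotted-quad parse: four decimal octets, no leading zeros, no extras.
function parseIPv4(text) {
  if (typeof text !== 'string') return null;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  const canonical = octets.join('.');
  // Rejects 256+, and forms like "010.1.1.1" that some parsers read as octal.
  if (octets.some((o) => o > 255) || canonical !== text) return null;
  return octets;
}

// RFC 1918 private ranges: the only addresses a LAN monitor should capture on.
function isPrivate([a, b]) {
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Returns an argv array for tcpdump, or throws. Pass it to
// child_process.spawn('tcpdump', args) so no shell ever parses the value.
function tcpdumpArgs(ipParam, iface) {
  const octets = parseIPv4(ipParam);
  if (!octets) throw new Error('invalid IPv4 address');
  if (!isPrivate(octets)) throw new Error('address is not on a private network');
  if (!/^[A-Za-z0-9][A-Za-z0-9_.-]{0,14}$/.test(iface)) {
    throw new Error('invalid interface name');
  }
  // -n: no name resolution, -l: line-buffered, -A: print payload as ASCII
  return ['-i', iface, '-n', '-l', '-A', 'host', octets.join('.')];
}
```

Because the address is re-serialised from parsed octets, extra filter terms appended to the parameter never reach the `tcpdump` expression.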
MIT
Built with β and paranoia about IoT devices.