Skip to content

labirend/NetGhost

Repository files navigation

NetGhost

Real-time network security analysis in your terminal. Lightweight, cross-platform, dockerized.

NetGhost is a terminal user interface (TUI) tool for live packet capture, traffic analysis, and connection interception. It sits between Wireshark's complexity and simple CLI tools — a cyberpunk-styled dashboard where you can monitor traffic at a glance, filter by protocol, record to PCAP, and defend against unwanted connections with a single keypress.


Features

  • Live Traffic Table — real-time packet display with protocol-colored rows, newest first
  • Dashboard Panel — packet count, data volume, rate, bandwidth, active connections, uptime
  • Protocol Filters — 10 one-click filter buttons (ALL, TCP, UDP, DNS, HTTP, HTTPS, ICMP, ARP, SSH, DHCP)
  • Active Connections Panel — aggregated flows with byte counters
  • PCAP RecordingS key to start/stop saving packets to file
  • Defensive TCP ResetR key sends RST to terminate a selected TCP connection
  • IP BlockingB key to block a selected source IP
  • Play/PauseSpace or click button to freeze live traffic for free scrolling
  • Bilingual UIL key toggles between English and Turkish
  • Dark Cyberpunk Theme — neon cyan, green, magenta on deep black
  • Test / Demo ModeNETGHOST_DEV=1 simulates traffic — no root needed

Quick Start

Docker (Linux — Real Capture)

# Clone
git clone https://github.com/labirend/NetGhost.git
cd NetGhost

# Build
docker compose build

# Run (real capture — privileged container)
docker compose run netghost

# Run in demo mode (no privileges required)
NETGHOST_DEV=1 docker compose run netghost

The container runs with privileged: true and host networking for full interface access. The NET_RAW and NET_ADMIN capabilities are included but superseded by the privileged mode.

Note: Real capture via Docker is only supported on Linux hosts. macOS and Windows users should use native installation for real capture, or demo mode in Docker.

Native Installation (All Platforms)

Note: Real packet capture requires privileged access. For testing without privileges in any environment, use NETGHOST_DEV=1 for simulated traffic.

Linux:

python -m venv venv && source venv/bin/activate
pip install -r requirements.txt
sudo python -m netghost           # real capture
# or NETGHOST_DEV=1 python -m netghost  # demo mode

macOS:

python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
sudo python3 -m netghost           # real capture (BPF)
# or NETGHOST_DEV=1 python3 -m netghost  # demo mode

Windows (PowerShell as Administrator):

python -m venv venv; .\venv\Scripts\activate
pip install -r requirements.txt
# Install Npcap from https://npcap.com (required for packet capture)
python -m netghost                 # run as Administrator
# or $env:NETGHOST_DEV=1; python -m netghost  # demo mode

Keybindings

Key Action
S Start / Stop PCAP recording
R Send TCP RST to selected connection
B Block source IP of selected packet
Space Pause / Resume live traffic
L Toggle language (EN ↔ TR)
Q Quit

Interface Layout

┌───────────────────────────────────────────────────────────────┐
│  ⛨ NetGhost v0.1.0    [eth0]    IP:192.168.1.100 │ MAC:00:1a  │
├──────────────┬────────────────────────────────────────────────┤
│  DASHBOARD   │  TRAFFIC TABLE                                 │
│  Packets:287 │  Proto  Src IP         Dst IP          Size    │
│  Data: 142KB │  TCP    10.0.0.5:443   192.168.1.100  1280     │
│  Rate: 34/s  │  DNS    8.8.8.8:53     10.0.0.5:49231  89      │
│  Bw:   1.2M  │  HTTPS  142.250.80.46  192.168.1.100  1460     │
│  Conn:  12   │  ...                                           │
│  Up:   00:34 │                                                │
│              │  CONNECTIONS PANEL                             │
│  FILTERS     │  Src            Dst            Proto  Bytes    │
│  [ALL] TCP   │  10.0.0.5      192.168.1.100  TCP    14.2K     │
│  UDP  DNS    │  8.8.8.8       10.0.0.5       DNS    2.1K      │
│  HTTP HTTPS  │  192.168.1.100 255.255.255.0  DHCP   1.4K      │
│  ICMP ARP    │                                                │
│  SSH  DHCP   │                                                │
│              │                                                │
│  [■ STOP]    │                                                │
├──────────────┴────────────────────────────────────────────────┤
│  S:Record  R:Reset  B:Block  Space:Pause  L:EN/TR  Q:Quit     │
└───────────────────────────────────────────────────────────────┘

Architecture

NetGhost/
├── Dockerfile              # Multi-stage build (python:3.11-slim)
├── docker-compose.yml      # Host networking, privileged
├── pyproject.toml          # Package metadata
├── requirements.txt        # textual, scapy, rich
├── setup.py                # Setuptools shim
├── .dockerignore
├── .gitignore
├── README.md
├── LICENSE                 # MIT
├── tests/                  # Diagnostic test scripts
└── netghost/
    ├── __init__.py
    ├── __main__.py          # `python -m netghost` entry
    ├── app.py               # Textual App — compose → push_screen
    ├── i18n.py              # Bilingual translation engine
    ├── locales/
    │   ├── en.json          # 50+ English UI strings
    │   └── tr.json          # Turkish translations
    ├── capture/
    │   ├── engine.py        # Threaded sniff loop + interface auto-detect
    │   ├── interceptor.py   # RST injection + iptables blocking
    │   └── recorder.py      # PCAP file writer
    ├── models/
    │   └── packet.py        # PacketInfo dataclass
    ├── ui/
    │   ├── css/
    │   │   └── cyberpunk.tcss   # Full theme stylesheet
    │   ├── screens/
    │   │   └── main_screen.py   # 4-zone layout, all button handlers
    │   └── widgets/
    │       ├── interface_bar.py # Shield logo, IP/MAC, recording indicator
    │       ├── dashboard.py     # 6-row summary panel
    │       ├── traffic_table.py # Newest-first deque, colored rows, filtering
    │       └── connection_panel.py  # Aggregated flow view
    └── utils/
        └── network.py      # Interface discovery helpers

Docker on Linux (Recommended for Linux Users)

# Build
docker compose build

# Run with host networking (full interface visibility)
docker compose run netghost

# Demo mode (no root, simulated traffic)
NETGHOST_DEV=1 docker compose run netghost

Note: The container runs with privileged: true — this gives full access to host network interfaces. Your user must be in the docker group. If you get a permission error, run newgrp docker and try again.

Linux Tips — One-Command Alias

Add these to your ~/.bashrc or ~/.zshrc for convenience:

# Start Docker (if not running), launch NetGhost, stop Docker on exit
alias netghost='sudo systemctl start docker && cd ${HOME}/Workspace/Cyber/Network/NetGhost && docker compose run --rm netghost; sudo systemctl stop docker; cd -'

After reloading your shell (source ~/.bashrc), simply type netghost from any directory. Press Q inside the TUI to exit — Docker is stopped automatically afterward.


Docker on macOS & Windows

⚠️ Limitation: Docker Desktop on macOS and Windows runs containers inside a Linux VM. The host networking mode cannot expose the host's physical network interfaces to the container. Real packet capture will not work in Docker on these platforms.

Install Docker Desktop:

docker compose build
NETGHOST_DEV=1 docker compose run netghost   # demo mode only

For real packet capture on macOS or Windows, use the native installation method instead.


Manual PCAP Recording

Press S to begin recording. Press S again to stop. The file is saved to the current working directory as netghost_YYYYMMDD_HHMMSS.pcap. Inside Docker this is /app/; when running natively it is wherever you launched the tool.


Development

git clone https://github.com/labirend/NetGhost.git
cd NetGhost
python -m venv venv && source venv/bin/activate
pip install -r requirements.txt

# Demo mode (no root)
NETGHOST_DEV=1 python -m netghost

Roadmap

  • Runtime interface switching
  • BPF filter expressions (text-based filtering)
  • Bandwidth timeline chart
  • GeoIP enrichment
  • Custom rule engine (alert on suspicious patterns)
  • Theme variants

License

MIT

About

Real-time network security analysis in your terminal. Lightweight, cross-platform, dockerized.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors