
NetHawk

Real-time network traffic analysis in your terminal.

SSH into a server. Run nethawk. See everything hitting your network. One 5MB binary, zero config, no cloud.

Install (Linux / macOS)
curl -sSfL https://raw.githubusercontent.com/Flowtriq/nethawk/main/install.sh | sudo sh

What It Does

Live Traffic Dashboard

Bandwidth (Gbps/Mbps), packet rate (PPS), 60-second sparkline history, peak tracking. Updates every second.

Protocol Breakdown

TCP, UDP, ICMP percentages with visual bars. See your traffic composition at a glance.

Top Source IPs

Ranked by packet count. See who is sending you the most traffic, in real time.

Top Destination Ports

Which services are being hit, with percentages. Spot targeted attacks immediately.

Attack Detection

Classifies 12+ attack types in real time: DNS/NTP/memcached amplification, SYN flood, UDP flood, ICMP flood, and more.

JSON Output

Pipe structured data to jq, log aggregators, alerting systems, or any tool that reads JSON from stdin.

Attack Types Detected

| Attack type | Protocol / port |
|---|---|
| DNS Amplification | UDP/53 |
| NTP Amplification | UDP/123 |
| Memcached Amplification | UDP/11211 |
| SSDP Amplification | UDP/1900 |
| LDAP Amplification | UDP/389 |
| SNMP Amplification | UDP/161 |
| CharGEN Amplification | UDP/19 |
| UDP Flood | Generic |
| SYN Flood | TCP |
| TCP Flood | Per-port |
| ICMP Flood | ICMP |
| Volumetric | Mixed |

How It Compares

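| Feature | NetHawk | iftop | nload | bandwhich | Wireshark |
|---|---|---|---|---|---|
| Real-time TUI | Yes | Yes | Yes | Yes | GUI only |
| Protocol breakdown | Yes | No | No | No | Yes |
| Top source IPs | Yes | Connections | No | Per-process | Yes |
| Top dest ports | Yes | No | No | No | Yes |
| Attack detection | Yes | No | No | No | No |
| Attack classification | 12+ types | No | No | No | No |
| JSON output | Yes | No | No | No | Yes |
| Single binary | 5MB | No | No | Yes | No |
| Zero config | Yes | Yes | Yes | Yes | No |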

Need production DDoS protection?

NetHawk shows you what is hitting your network. Flowtriq stops it automatically with 24/7 monitoring, auto-mitigation, alerting, team dashboards, and incident forensics.


Other Open Source from Flowtriq

ftagent-lite

Lightweight Python DDoS monitor. Single file, pip install, JSON output. Standalone or paired with Flowtriq.

pfSense/OPNsense Integration

DDoS detection for pfSense and OPNsense firewalls via NetFlow export.

FAQ

Frequently Asked Questions

What is NetHawk?

NetHawk is a free, open-source terminal-based network traffic analyzer. It shows real-time bandwidth, packet rates, protocol breakdown, top source IPs, top destination ports, and automatic DDoS attack detection. One 5MB binary, zero configuration, no cloud, no accounts.

How does NetHawk detect DDoS attacks?

NetHawk classifies traffic patterns every second. When packets per second exceed your threshold, it identifies the attack vector: DNS amplification, NTP amplification, memcached, SSDP, SYN flood, UDP flood, TCP flood, ICMP flood, and volumetric mixed-protocol attacks. Severity levels range from NORMAL to CRITICAL (5x threshold).
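The per-second classification described above, sketched in Go as an added example; this is not NetHawk's source code. Assumptions: the Sample struct, the 60% dominance rule, the first-match ordering, and the ABOVE_THRESHOLD label (the page names only NORMAL and CRITICAL) are all constructed for illustration.

```go
package main

import "fmt"

// Amplification vectors from the page's "Attack Types Detected" list.
// Reflected replies arrive from the abused service's port, so match on UDP source port.
var ampPorts = map[uint16]string{
	53: "DNS Amplification", 123: "NTP Amplification", 11211: "Memcached Amplification",
	1900: "SSDP Amplification", 389: "LDAP Amplification", 161: "SNMP Amplification",
	19: "CharGEN Amplification",
}

// Sample holds one second of packet counters (constructed shape, not NetHawk's schema).
type Sample struct {
	TCPSyn, TCPOther, ICMP, UDP uint64
	UDPBySrcPort                map[uint16]uint64 // UDP packets per source port
}

// Classify returns a severity and attack vector for one second of traffic.
func Classify(s Sample, thresholdPPS uint64) (string, string) {
	total := s.TCPSyn + s.TCPOther + s.ICMP + s.UDP
	if total <= thresholdPPS {
		return "NORMAL", ""
	}
	severity := "ABOVE_THRESHOLD" // placeholder name for the levels below CRITICAL
	if total >= 5*thresholdPPS {
		severity = "CRITICAL" // the page puts CRITICAL at 5x threshold
	}
	// Assumed rule: a class is the vector when it carries at least 60% of all packets.
	dominant := func(n uint64) bool { return n*10 >= total*6 }
	var topPort, topCount = uint16(0), uint64(0)
	for port, n := range s.UDPBySrcPort {
		// Keep the busiest known amplification port; break ties on the lower port.
		if _, ok := ampPorts[port]; ok && (n > topCount || (n == topCount && port < topPort)) {
			topPort, topCount = port, n
		}
	}
	for _, c := range []struct{ n uint64; name string }{
		{topCount, ampPorts[topPort]}, {s.UDP, "UDP Flood"}, {s.TCPSyn, "SYN Flood"},
		{s.TCPSyn + s.TCPOther, "TCP Flood"}, {s.ICMP, "ICMP Flood"},
	} {
		if dominant(c.n) {
			return severity, c.name // most specific matching class wins
		}
	}
	return severity, "Volumetric" // no single class dominates: mixed-protocol
}

func main() {
	sev, vec := Classify(Sample{UDP: 50000, UDPBySrcPort: map[uint16]uint64{11211: 47000}}, 10000)
	fmt.Println(sev, vec)
}
```

Checking amplification ports before the generic UDP case matters: a memcached reflection is also a UDP flood, and only the specific label tells the operator which source port to filter upstream.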

How is NetHawk different from iftop or nload?

iftop shows connections, nload shows bandwidth graphs. NetHawk shows both plus protocol breakdown, top source IPs, top destination ports, attack detection, attack classification, and JSON output for piping to other tools. It is the only single-binary TUI tool that detects and classifies DDoS attacks.

Is NetHawk related to Flowtriq?

NetHawk is built by the Flowtriq team and released as open source under the MIT license. It is a standalone visibility tool. For production DDoS protection with automated mitigation, alerting, team dashboards, and incident forensics, use Flowtriq (flowtriq.com).

What languages and platforms does NetHawk support?

NetHawk is written in Go and compiles to a single static binary. It runs on Linux (x86_64, arm64) and macOS. It uses libpcap for packet capture, which is available on all major distributions.

Can I use NetHawk in scripts and automation?

Yes. Run nethawk -json to get structured JSON output every second. Pipe it to jq, log aggregators, alerting systems, or any tool that reads JSON from stdin.