A real-time, self-hosted network monitoring dashboard with a Palantir-style dark UI. Visualizes live device topology, traffic flows, connection feeds, bandwidth timelines, and protocol distributions for your local network.
- Topology Graph — force-directed map of every device on your LAN with animated traffic edges
- Live Connection Feed — streaming packet capture (src/dst IP, protocol, port, bytes)
- Bandwidth Timeline — per-device and aggregate traffic over selectable time windows
- Top Talkers — ranked devices by outbound traffic volume
- Protocol Distribution — donut chart of DNS, HTTP, TLS, ARP, ICMP, etc.
- Device Panel — MAC address, vendor, hostname, open ports, OS guess, first/last seen
- Windows 10/11 (64-bit)
- Python 3.12+
- Node.js 20+
-
Nmap — https://nmap.org/download.html
- During install, check "Add Nmap to PATH"
- Used for port scanning and OS fingerprinting
-
Npcap — https://npcap.com/
- During install, check "Install Npcap in WinPcap API-compatible Mode"
- Required for raw packet capture (replaces deprecated WinPcap)
-
Wireshark (optional but recommended) — https://www.wireshark.org/download.html
- Provides
tsharkfor deep protocol dissection - If not installed, pyshark features are skipped gracefully
- Provides
# Must run as Administrator for packet capture and SYN scanning
cd backend
pip install -r requirements.txtEdit config.py if you want to pin a specific network interface or subnet. By default the backend auto-detects your primary interface and subnet.
cd frontend
npm install# Open PowerShell as Administrator
cd backend
python main.pyBackend runs at http://localhost:8000. API docs at http://localhost:8000/docs.
cd frontend
npm run devDashboard runs at http://localhost:5173.
| Setting | Default | Description |
|---|---|---|
INTERFACE |
None (auto-detect) |
Network interface name for packet capture |
SUBNET |
None (auto-detect) |
Subnet to scan, e.g. 192.168.1.0/24 |
ARP_SWEEP_INTERVAL |
30 |
Seconds between ARP sweeps for device discovery |
NMAP_SCAN_INTERVAL |
300 |
Seconds between full nmap port/OS scans |
WS_PUSH_INTERVAL |
2 |
Seconds between WebSocket pushes to frontend |
MAX_CONNECTIONS_HISTORY |
500 |
Max connection events kept in memory |
DB_PATH |
lattice.duckdb |
Path to DuckDB database file |
Browser (localhost:5173)
│
├── WebSocket /ws ──────────────────────────────────────────────┐
└── REST /api/... ─────────────────────────────────────────┐ │
│ │
FastAPI Backend (localhost:8000) │ │
┌─────────────────────────────┐ │ │
│ Scan Engine (scapy + nmap) │ │ │
│ Capture Engine (scapy) │─► DuckDB│ │
│ Enrichment (OUI + rDNS) │ │ │
│ REST API ──────────────────────────────┘ │
│ WS Broadcaster ───────────────────────────┘
└─────────────────────────────┘
DuckDB is used as an embedded database — no separate server process required. The lattice.duckdb file is created automatically on first run in the backend/ directory.
Tables:
devices— discovered devices with metadataconnections— packet-level connection eventstraffic_stats— 1-minute aggregated bandwidth per device
The backend must run as Administrator on Windows for:
- Raw packet capture (Npcap/scapy)
- SYN port scanning (nmap
-sS) - OS fingerprinting (nmap
-O)
Without admin rights, it falls back to ICMP ping discovery and TCP connect scanning (slower, less accurate).
# Backend with auto-reload
cd backend
uvicorn main:app --reload --host 0.0.0.0 --port 8000
# Frontend with HMR
cd frontend
npm run devfastapi+uvicorn— async web framework and ASGI serverscapy— packet crafting, ARP sweeps, packet capturepython-libnmap— nmap port/OS scanningduckdb— embedded columnar databasepsutil— system network interface enumerationwebsockets— WebSocket support
react+vite+typescriptvis-network— force-directed topology graphrecharts— time-series and statistical chartszustand— lightweight state managementtailwindcss— utility-first dark theme styling