
This skill helps you monitor real-time network traffic per process and visualize connections using bandwhich and Sniffnet for quick diagnostics.

npx playbooks add skill laurigates/claude-plugins --skill network-monitoring

---
model: haiku
created: 2026-01-01
modified: 2026-01-01
reviewed: 2026-01-01
name: network-monitoring
description: Real-time network traffic monitoring with bandwhich and Sniffnet. Per-process bandwidth tracking, connection analysis, and visual traffic inspection.
allowed-tools: Bash(iftop *), Bash(nethogs *), Bash(tcpdump *), Bash(ss *), Bash(netstat *), Read, Grep, Glob, TodoWrite
---

# Network Monitoring

Expert knowledge for real-time network traffic monitoring using modern Rust-based tools: bandwhich for CLI-based per-process bandwidth analysis and Sniffnet for visual traffic inspection.

## Core Expertise

### Why These Tools

| Tool | Type | Best For |
|------|------|----------|
| bandwhich | CLI | Per-process bandwidth, quick diagnostics, scripting |
| Sniffnet | GUI | Visual analysis, long-term monitoring, filtering |

### Key Advantages

- **Per-process visibility**: See which applications consume bandwidth (unlike traditional `iftop`)
- **Connection-level detail**: Track individual connections to remote hosts
- **Modern Rust performance**: Minimal overhead, safe memory handling
- **Cross-platform**: Works on Linux, macOS, Windows

### Privilege Requirements

Both tools require elevated privileges to capture network traffic:

```bash
# Run with sudo
sudo bandwhich

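# Or grant capabilities (Linux, avoids sudo).
# File capabilities apply to every user who can execute this binary,
# so all of them gain packet-capture rights through it.
sudo setcap cap_net_raw,cap_net_admin+ep "$(command -v bandwhich)"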
```

## Essential Commands

### bandwhich - CLI Bandwidth Monitor

#### Basic Usage

```bash
# Start monitoring (requires sudo or capabilities)
sudo bandwhich

# Monitor specific interface
sudo bandwhich -i en0
sudo bandwhich -i eth0

# Raw mode (no TUI, machine-readable)
sudo bandwhich -r

# Disable DNS resolution (faster startup)
sudo bandwhich -n
```

#### Output Modes

```bash
# Default TUI with three panels:
# - Processes (bandwidth by application)
# - Connections (bandwidth by socket)
# - Remote addresses (bandwidth by host)

# Raw output for scripting
sudo bandwhich -r
# Output: <interface>:<process>:<bytes_down>:<bytes_up>

# Combined options
sudo bandwhich -i en0 -n -r
```

#### TUI Navigation

| Key | Action |
|-----|--------|
| `Tab` | Switch between panels |
| `Up/Down` | Navigate rows |
| `q` | Quit |

### Sniffnet - GUI Traffic Monitor

#### Installation

```bash
# macOS
brew install sniffnet

# Cargo
cargo install sniffnet

# Or download from GitHub releases
# https://github.com/GyulyVGC/sniffnet/releases
```

#### Features

- Real-time traffic charts
- Filter by protocol, port, IP
- Domain and provider identification
- Geo-location of remote hosts
- Export reports

#### Launch

```bash
# GUI application (requires sudo or admin)
sudo sniffnet

# On macOS, may need to grant network access in System Preferences
```

## Common Patterns

### Diagnose High Bandwidth Usage

```bash
# Quick check: which process is using bandwidth?
sudo bandwhich -n

# Watch specific interface during download
sudo bandwhich -i en0
```

### Script-Friendly Monitoring

```bash
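# Capture 10 seconds of raw data into a private temp file
# (mktemp avoids a predictable, shared path under /tmp)
log=$(mktemp)
sudo timeout 10 bandwhich -r > "$log"

# Count raw output lines per process (field 2 is the process name)
cut -d: -f2 "$log" | sort | uniq -c | sort -rn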
```

### Compare Interface Traffic

```bash
# Monitor WiFi
sudo bandwhich -i en0

# Monitor Ethernet (separate terminal)
sudo bandwhich -i en1
```

### Identify Unexpected Connections

```bash
# Raw mode shows all connections; drop loopback lines (fixed-string match) and show the first 20
sudo bandwhich -r -n | grep -vF '127.0.0.1' | head -20
```

## Agentic Optimizations

| Context | Command |
|---------|---------|
| Quick bandwidth check | `sudo bandwhich -n` (no DNS delay) |
| Machine-readable output | `sudo bandwhich -r` |
| Specific interface | `sudo bandwhich -i <iface> -n` |
| Capture sample | `sudo timeout 5 bandwhich -r > /tmp/bw.log` |
| Parse top processes | `sudo bandwhich -r \| cut -d: -f2 \| sort \| uniq -c` |

## Quick Reference

### bandwhich Flags

| Flag | Long | Description |
|------|------|-------------|
| `-i` | `--interface` | Monitor specific network interface |
| `-r` | `--raw` | Machine-readable output (no TUI) |
| `-n` | `--no-resolve` | Skip DNS resolution (faster) |
| `-h` | `--help` | Show help |
| `-V` | `--version` | Show version |

### Raw Output Format

```
<interface>:<process_name>:<bytes_downloaded>:<bytes_uploaded>
```

Example:
```
en0:firefox:1048576:65536
en0:curl:4096:1024
```
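
Raw lines in this layout can be totalled per process and checked against an upload threshold. The script below is an added example, not part of the original skill file or the bandwhich project; it assumes the four-field layout documented above (compare it with what `bandwhich -r` prints on your installed version), and `sample_log`, `summarize_bandwidth` and `upload_alerts` are hypothetical names.

```bash
#!/bin/sh
# Added example. Assumed raw layout (from this page):
#   <interface>:<process_name>:<bytes_downloaded>:<bytes_uploaded>

# Constructed sample input, including two deliberately malformed lines.
sample_log() {
cat <<'EOF'
en0:firefox:1048576:65536
en0:curl:4096:1024
en0:firefox:2097152:131072
en0:backup-agent:2048:52428800
not-a-record
en0:odd:name:512:256
en0:curl:notanumber:10
EOF
}

# Read raw lines on stdin; print "<process>\t<total_down>\t<total_up>",
# largest upload first. The two byte counters are taken from the right, so a
# ':' inside a process name stays part of the name. Lines without two numeric
# counters are skipped and counted on stderr instead of corrupting totals.
summarize_bandwidth() {
  awk -F: '
    NF < 4 || $(NF-1) !~ /^[0-9]+$/ || $NF !~ /^[0-9]+$/ { bad++; next }
    {
      name = $2
      for (i = 3; i <= NF - 2; i++) name = name ":" $i
      down[name] += $(NF-1)
      up[name]   += $NF
    }
    END {
      for (n in up) printf "%s\t%.0f\t%.0f\n", n, down[n], up[n]
      if (bad) printf "skipped %d malformed line(s)\n", bad > "/dev/stderr"
    }' | sort -t "$(printf '\t')" -k3,3nr -k1,1
}

# Print one ALERT line per process whose total upload exceeds $1 bytes.
upload_alerts() {
  summarize_bandwidth |
    awk -F'\t' -v limit="$1" \
      '$3 + 0 > limit + 0 { print "ALERT " $1 " uploaded " $3 " bytes" }'
}

# Demo on the constructed sample: flag anything that uploaded more than 1 MiB.
sample_log | upload_alerts 1048576
```

For live data, replace `sample_log` with a bounded capture such as `sudo timeout 10 bandwhich -r -n`.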

## Installation

### bandwhich

```bash
# macOS
brew install bandwhich

# Cargo
cargo install bandwhich

# Linux (grant capabilities to avoid sudo)
sudo setcap cap_net_raw,cap_net_admin+ep "$(command -v bandwhich)"
```

### Sniffnet

```bash
# macOS
brew install sniffnet

# Cargo
cargo install sniffnet

# GitHub releases (pre-built binaries)
# https://github.com/GyulyVGC/sniffnet/releases
```

## Troubleshooting

### Permission Denied

```bash
# Use sudo
sudo bandwhich

# Or set capabilities (Linux)
sudo setcap cap_net_raw,cap_net_admin+ep "$(command -v bandwhich)"

# Verify capabilities
getcap "$(command -v bandwhich)"
```

### Interface Not Found

```bash
# List available interfaces
ip link show        # Linux
networksetup -listallhardwareports  # macOS
ifconfig -l         # BSD/macOS

# Then specify
sudo bandwhich -i <interface_name>
```

### DNS Resolution Slow

```bash
# Disable DNS lookup
sudo bandwhich -n
```

## Resources

- **bandwhich**: https://github.com/imsnif/bandwhich
- **Sniffnet**: https://github.com/GyulyVGC/sniffnet
- **Sniffnet Wiki**: https://github.com/GyulyVGC/sniffnet/wiki

Overview

This skill provides real-time network traffic monitoring using bandwhich and Sniffnet for per-process bandwidth tracking, connection analysis, and visual traffic inspection. It combines a lightweight CLI for scripting and quick diagnostics with a GUI for visual filtering, charts, and long-term inspection. The skill focuses on actionable commands, privilege handling, and quick patterns to diagnose bandwidth issues.

How this skill works

bandwhich inspects network sockets to attribute bytes transferred to processes, interfaces, and remote hosts; it offers a TUI for interactive exploration and a raw machine-readable mode for automation. Sniffnet runs as a GUI application that visualizes traffic flows, identifies domains and providers, applies filters, and can export reports. Both tools require elevated privileges or capabilities to capture raw packets and will list available interfaces for targeted monitoring.

When to use it

  • Quickly identify which process is consuming bandwidth on a host
  • Automate short-term traffic captures for scripting or CI diagnostics
  • Visualize active connections and filter by protocol, port, or IP
  • Monitor multiple interfaces concurrently during troubleshooting
  • Gather evidence of unexpected or suspicious outbound connections

Best practices

  • Run with sudo or grant cap_net_raw and cap_net_admin on Linux to avoid permission errors
  • Use bandwhich -n to skip DNS resolution for faster startup in short checks
  • Use -i to target the correct interface when multiple network adapters exist
  • Use bandwhich -r for machine-readable output and pipe it to parsing tools for automation
  • Limit capture duration with timeout during scripted sampling to keep logs small

Example use cases

  • Immediate triage: sudo bandwhich -n to see top bandwidth processes during a slow download
  • Automated sample: sudo timeout 10 bandwhich -r > /tmp/bw.log and parse for process totals
  • Visual investigation: launch Sniffnet to filter traffic by port and map remote host locations
  • Multi-interface comparison: run bandwhich -i en0 and bandwhich -i en1 in parallel to compare Wi‑Fi vs Ethernet
  • Alerting input: use raw bandwhich output as a feed to a monitoring script that triggers alerts on thresholds

FAQ

Do I need root or admin privileges?

Yes. Capturing packets requires elevated privileges; use sudo or grant the appropriate capabilities on Linux (setcap cap_net_raw,cap_net_admin+ep).

Which tool should I choose for scripting vs visual work?

Use bandwhich for CLI, automation, and per-process metrics; use Sniffnet for interactive visual analysis, filtering, and reports.