A desktop network monitoring tool built in Rust to learn how packet capture, traffic analysis, ARP monitoring, and realtime security dashboards work internally.
ARP Sage started as a simple experiment to understand how packet capture tools actually work under the hood. At first it was only reading packets from a selected network device, but over time I kept expanding it by adding protocol parsing, ARP monitoring, live traffic graphs, packet inspection, alerts, analytics, and a proper desktop interface.
The goal of the project was not to build a replacement for tools like Wireshark. The main idea was to understand the internal workflow behind realtime network monitoring systems and cybersecurity tooling by building the components manually.
The application is written in Rust using pcap for packet capture and egui for the desktop interface.
ARP Sage can capture packets from a selected network interface and display them live inside the application. It parses basic protocols like TCP and UDP, tracks source and destination IPs, maps common ports to services, and updates traffic graphs in realtime.
The project also contains a simple ARP monitoring system that keeps track of MAC/IP mappings and generates alerts when suspicious ARP behaviour is detected.
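The MAC/IP tracking described above can be sketched as follows. This is an added example, not code from the ARP Sage source: `ArpAlert`, `ArpTable`, `parse_arp` and `sample_reply` are hypothetical names, and the frames are constructed in code rather than captured with pcap.

```rust
use std::collections::HashMap;

/// Raised when an IPv4 address is claimed by a different MAC than last seen.
#[derive(Debug, PartialEq)]
pub struct ArpAlert { pub ip: [u8; 4], pub old_mac: [u8; 6], pub new_mac: [u8; 6] }

/// Sender (MAC, IPv4) of an Ethernet II ARP frame; None if not ARP or malformed.
pub fn parse_arp(frame: &[u8]) -> Option<([u8; 6], [u8; 4])> {
    // 14-byte Ethernet header + 28-byte ARP body. Bytes 12..20 must be
    // EtherType 0x0806, htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4.
    if frame.len() < 42 || frame[12..20] != [0x08, 0x06, 0, 1, 0x08, 0, 6, 4] {
        return None;
    }
    let (mut mac, mut ip) = ([0u8; 6], [0u8; 4]);
    mac.copy_from_slice(&frame[22..28]); // sender hardware address
    ip.copy_from_slice(&frame[28..32]); // sender protocol address
    Some((mac, ip))
}

#[derive(Default)]
pub struct ArpTable { seen: HashMap<[u8; 4], [u8; 6]> } // IP -> last MAC seen
impl ArpTable {
    /// Record the sender binding; alert if the IP moved to a different MAC.
    pub fn observe(&mut self, frame: &[u8]) -> Option<ArpAlert> {
        let (mac, ip) = parse_arp(frame).filter(|b| b.1 != [0; 4])?; // skip ARP probes
        match self.seen.insert(ip, mac) {
            Some(old) if old != mac => Some(ArpAlert { ip, old_mac: old, new_mac: mac }),
            _ => None,
        }
    }
}

/// Constructed sample frame: ARP reply in which `mac` claims `ip`.
pub fn sample_reply(mac: [u8; 6], ip: [u8; 4]) -> Vec<u8> {
    let mut f = vec![0xff; 6]; // Ethernet destination: broadcast
    f.extend_from_slice(&mac); // Ethernet source
    f.extend_from_slice(&[0x08, 0x06, 0, 1, 0x08, 0, 6, 4, 0, 2]); // ARP, op=2 (reply)
    f.extend_from_slice(&mac); // sender MAC
    f.extend_from_slice(&ip); // sender IP
    f.extend_from_slice(&[0; 10]); // target MAC + IP (unused here)
    f
}

fn main() {
    let mut table = ArpTable::default();
    for mac in &[[0xaa_u8; 6], [0xaa; 6], [0xbb; 6]] {
        println!("{:?}", table.observe(&sample_reply(*mac, [192, 168, 1, 1])));
    }
}
```

A changed binding is a signal, not proof of spoofing: DHCP reassignment, NIC replacement, and failover pairs also move an IP to a new MAC, so an alert like this needs context before it is acted on.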
There is also a centralized alerts view where different security-related events are collected and displayed live while traffic is being captured.
The analytics section currently shows protocol distribution, traffic flow statistics, packet counts, and some basic traffic information gathered from the captured packets.
| Section | Description | Link |
|---|---|---|
| Source Code | Main Rust application source | Open Source |
| Installer Script | Inno Setup installer configuration | View Installer |
| Assets | Fonts, icons, and UI resources | Open Assets |
| Releases | Download compiled installer builds | Open Releases |
```mermaid
flowchart LR
    A[Selected Network Device]
    --> B[Npcap Driver]
    --> C[pcap Capture Layer]
    --> D[Realtime Packet Engine]
    --> E[IPv4 / TCP / UDP Parsers]
    --> F[ARP Monitoring]
    --> G[Alerts Engine]
    --> H[Traffic Analytics]
    --> I[egui Dashboard]
```
> **Note**
> The application requires packet capture driver support on Windows.
> The installer already includes the required Npcap setup automatically.
You can download the latest installer directly from the Releases section:
The downloaded file will look something like:

`ARP-Sage-Setup.exe`
After downloading the setup file, run the installer normally like any other Windows desktop application.
During installation, the setup will also launch the Npcap installer automatically because packet capture on Windows depends on it. Without Npcap, the application would not be able to access network traffic from your system interfaces.
While installing Npcap, it is recommended to keep the default settings enabled.
Once the setup finishes, the installer creates:
- Desktop shortcut
- Start menu shortcut
- Installed application files
just like a normal desktop application.
After installation, open ARP Sage from either:
- Desktop shortcut
- Start menu
When the application starts, it will scan and display the available network interfaces detected on the system.
To begin monitoring:
- Select the network interface you want to monitor.
- Start capturing traffic.
- The dashboard, analytics, alerts, and packet views will begin updating live as packets are received.
Depending on the selected interface and the amount of network activity on your system, traffic updates may appear immediately or after a few seconds.
Right now the project mainly focuses on realtime packet monitoring and visualization. There are still many things I want to improve later including:
- flow/session tracking
- deeper protocol parsing
- packet export support
- PCAP recording
- Linux support
- better analytics
- better filtering
- protocol statistics
- performance optimization
Most of this project was built mainly out of curiosity. I wanted to understand how packet sniffers, traffic analyzers, and network monitoring tools actually work internally instead of only using them from the outside.
A lot of the project was developed incrementally by testing ideas, breaking things, rewriting systems, and gradually improving the architecture while learning Rust and low-level networking concepts along the way.
Built by Sastha Ruban U
GitHub: https://github.com/Gappyjosuke

