// PORTFOLIO · DEFENSIVE TOOLING

WWWatcher

A real-time network metadata observatory for expert engineers.

WWWatcher captures packet metadata — not payloads — from every interface on the host, stores it in PostgreSQL with TimescaleDB, and surfaces it through 23 dashboard tabs covering flows, anomalies, MITRE ATT&CK mapping, geo, topology, traceroute, threat hunt, and counter-recon. Built in Rust, shipped as a single Tauri desktop app on Linux, macOS, and Windows. Single-user. Self-hosted. Your data never leaves your machine.

Rust + Tauri v2 Svelte 5 PostgreSQL + TimescaleDB Linux · macOS · Windows Single-user Self-hosted

Dashboard tabs

36→30

ATT&CK mappings

158

Tests passing

Rust crates

See the screenshots Get in touch

// LIVE · TRAFFIC TUNNEL VIEW

WWWatcher GPU traffic tunnel visualization

// CAPABILITIES

Built for engineers who need to see everything.

Eight crates · one binary · metadata observatory by design. WWWatcher is what you reach for when an off-the-shelf SIEM is too coarse and a packet sniffer is too noisy.

Metadata, Not Payloads

5-tuple, TLS SNI, JA3/JA4 fingerprints, DNS queries, TCP flags — never payload bytes. Privacy-conscious by architecture, not by toggle.

Multi-Method Traceroute

UDP + TCP SYN + ICMP probes with Paris flow consistency. Always-on route agent re-traces every external IP, builds a persistent topology graph. Native Rust raw-socket implementation.

MITRE ATT&CK Mapping

36 anomaly types mapped to 30 techniques across 11 tactics. A live ATT&CK matrix view shows where on the kill chain your traffic is sitting right now.

Threat Intel Built-In

Emerging Threats, AbuseIPDB, AlienVault OTX, abuse.ch SSLBL/URLhaus/ThreatFox, 16 HaGeZi domain feeds — 891K+ entries loaded in the background.

Behavioral Baselines

Welford rolling mean & stddev per host across four metrics, 2σ deviation alerts. Beacon detection by FFT, DGA scoring, low-prevalence C2 hunting.

Counter-Recon

Detects who's probing you — port scans, SYN scans, WiFi probe floods, deauths, BT inquiries, BLE active scans, IMSI catcher paging.

Pineapple-Class Scoring

Behavioral fingerprinting flags hostile-rig hardware regardless of MAC randomization. Karma responders, evil twins, enterprise broadcasts — all scored.

Persistent Asset Graph

Devices outlive observations. JupiterOne-style entity graph with PostgreSQL + TimescaleDB hypertables, provenance per attribute. Raw data rolls weekly; entities accumulate forever. RadioLogger feeds the same graph.

// LIVE FROM THE WORKSTATION

Thirteen views into one running session.

Captured 2026-05-09. The same WWWatcher instance, switched across 13 of its 23 dashboard tabs while the operator's home network was actively under observation.

// PII REDACTED: MAC addresses, public IPs, IPv6 EUI-64 host identifiers, hostnames containing personal identifiers, neighbor SSIDs, and ASN/org strings have been overlaid with diagonal slash bars. RFC1918 local addresses, the application UI itself, and aggregate counters are unredacted.

COMMAND · matrix waterfall

AIRSPACE · wifi + tracked

ATT&CK · live matrix

DOMAINS · 457 observed

CATEGORIES · 496 records

RULES · YAML detector editor

TOPOLOGY · 952 nodes

GLOBE · 500 IPs mapped

GPU VIZ · cyberspace

GPU VIZ · threat globe

GPU VIZ · traffic tunnel

SANKEY · 978 flows

SETTINGS · detector tuning

// COMPANION SENSOR

RadioLogger

Background radio environment logger for Android.

RadioLogger runs continuously on rooted Android devices, capturing the full radio picture — GPS, WiFi APs, cell towers, Bluetooth and BLE — into rolling CSV files. The data feeds back into WWWatcher as a remote sensor stream, extending the observatory's coverage from one machine to a fleet.

SENSORS4 channels: GPS fixes, WiFi beacons + probes, cell tower IDs + signal strength, BT/BLE inquiry + active scan
DETECTORSStingray cadence, GNSS spoof patterns, Karma/Pineapple-class actor scoring, BSSID lifetime correlation
PIPELINEPostgres asset graph: 6,657 devices · 512K+ observations · provenance per attribute
DEPLOYBuilt for the field: walks for hours, survives reboots, ships its session as a CSV bundle on demand

Android (rooted) Python ingest PostgreSQL CSV-first Threat-hunt grade

RADIOLOGGER · LIVE FEED CAPTURING

23:18:04GPS42.5584°N 70.8800°W · 14 sats · HDOP 0.8

23:18:04WIFI36 APs in beacon scan · 6 new BSSIDs

23:18:05CELLFORCED_DOWNGRADE · LTE→UMTS · cid 51053

23:18:05BT12 devices · 3 Apple-rotated · 1 Find My

23:18:06SUSPPINEAPPLE_ENTERPRISE_BROADCAST · bssid /////////

23:18:06WIFIPROBE_FLOOD · 47 SSIDs in 30s · sta /////////

23:18:07BTSCAN_REQ_FLOOD · addr ///////// · 89 reqs

23:18:07CELLSUDDEN_STRONG_CID_JUMP · +25dB · cid 14849

23:18:08GPS42.5585°N 70.8801°W · cn0 uniform: false

23:18:08CSVflushed 1,847 rows to session_20260509_231804/

// HOW THIS CONNECTS

WWWatcher and RadioLogger are the same engineering muscle that fixes enterprise platform problems — local AI handles eligible workloads at lower cost while the data stays on your infrastructure. Metadata only. Self-hosted. Single-binary. The same instinct for "observe-and-track everything, surface what matters" scales from a phone in a backpack to a Fortune 500 platform.

← SEE THE CONSULTING PRACTICE

WWWatcher

Built for engineers who need to see everything.

Thirteen views into one running session.

RadioLogger

Disclaimer