A passive SIGINT console

The calm, observant network monitor.

27 live views. Six alert rules. An embedded WiFi-SIGINT toolkit. A JSONL stream you can plug into Splunk, Elastic, or syslog in five minutes. Never injects. Never scans. Never modifies kernel state. Sloth is the eyes, not the hands.

C99 · Linux · libpcap · 2,122 test assertions · White-hat only


Eyes on every layer of the canopy.

Sloth reads what your host already sees — /proc, /sys, rtnetlink, nl80211, INET_DIAG, and an optional libpcap stream — and synthesises it into views, alerts, and a forensic log. Nothing is injected. Nothing is solicited. The bytes you observe are bytes that were already there.


Eyes, not hands

Sloth never sends a packet, never decrypts a frame, never runs a passphrase against a captured handshake. It detects WEP, WPA-TKIP, weak TLS, evil twins, rogue DHCP, DGA-style DNS, KARMA/Pineapple — and flags them. Operating on them is the operator's job, under their own legal cover.


WiFi-SIGINT depth

Per-MAC Preferred Network List aggregation. RSN / cipher / AKM / MFP inventory from beacon IEs. EAPOL / PMKID / 4-way handshake capture with hashcat-22000 export. Sequence-number based MAC-randomisation deanonymisation. Hidden-SSID reveal from probe-responses.


Stream it anywhere

The same JSONL records that sloth writes to -o FILE are served over a read-only stream socket (--data-socket unix: or tcp:). A reference Python consumer plus a three-sink SIEM forwarder ship in examples/ — Splunk HEC, RFC 5424 syslog, Elasticsearch Bulk API.


Twenty-seven live views, tiled into the terminal.

Each view is a complete protocol or synthesis — its own keybinding, its own ring buffer, its own per-view documentation. Tab to cycle. Press o for the composite dashboard. Press l for the OSI synthesis grid.

```text
 OSI / TCP-IP stack — passive observation per layer   conns:24 ifaces:2

 ────────────────────────────────────────────────────────────────────
  L7 Application    │ DNS:142  HTTP:7  TLS:88  QUIC:12  mDNS:31  NBNS:0  NTP:3
  L6 Presentation   │ TLS 1.3:74  TLS 1.2:14  legacy:0   JA3:9 distinct
  L5 Session        │ TLS sessions:88  QUIC:12  EAPOL:1
  L4 Transport      │ TCP:22 (E:14 L:6 ?:2)  UDP:2  ICMP:3
  L3 Network        │ IPv4 hosts:18  IPv6 hosts:3  ARP mappings:14
  L2 Data Link      │ ifaces:2  APs:7  STAs:11  devices:21  beacons:43
  L1 Physical       │ probe iface: wlan0mon (monitor mode)
 ────────────────────────────────────────────────────────────────────
```

Observation

Interfaces · Connections · WiFi · Packets · Processes · Stats · Probe · ARP · mDNS · NBNS · DHCP · SSDP · Beacons · Deauth · HTTP · TLS · QUIC · DNS · NTP · ICMP

Synthesis

Alerts · Devices · Dashboard · OSI stack

WiFi SIGINT (v1.1)

PNL · EAPOL · Seqnum · Assoc · Channel

Built for the long watch.

In manufacturing, a "dark factory" is one that runs without lights because no humans need to be on the floor. Sloth is built that way, both in its code repository and in its operational stance: the machine just watches, all night long, and tells you what it saw.

1. Passive only.

Never injects packets. Never sends probes. Never deauths. Never beacons. Never ARP-poisons. Never modifies kernel state. It reads. It never writes to the wire.

2. No active key recovery.

Captures EAPOL / PMKID material and exports it in hashcat 22000 format. Doesn't run a passphrase against it. That step is the operator's responsibility, on the operator's clock, on hardware they own, against a target they're authorised to test.

3. Vulnerabilities flagged, not exploited.

WEP, WPA-TKIP, MFP-off, weak TLS, attack-tool user-agents, evil twins, rogue DHCP, DGA-style DNS, deauth floods, KARMA / Pineapple behaviour, dnscat / iodine tunnels, ARP spoofing. Detection emits an alert. It never follows up with an active step.

4. White hat only.

Built for defenders, blue teams in a SOC, incident responders, researchers, CTF and training environments, and security-aware travellers who want to know what the café Wi-Fi is doing. Not for surveillance, harassment, or operating against any network you don't have written authority to observe.

“Sloth is a passive, white-hat SIGINT console: it watches, it flags, it never attacks.”

Plug into the rest of your stack.

One JSON object per line, terminated by \n. File sink (-o FILE) for log forwarders. Stream sink (--data-socket SPEC) for live consumers, with per-client backpressure isolation. Both deliver the same records.

Splunk HEC:

```sh
python3 examples/forwarder/sloth-forward.py \
    unix:/tmp/sloth.sock \
    --sink hec \
    --hec-url       https://splunk.example.com:8088/services/collector \
    --hec-token-env SLOTH_HEC_TOKEN
```

Elasticsearch (rolled daily):

```sh
python3 examples/forwarder/sloth-forward.py \
    unix:/tmp/sloth.sock \
    --sink elastic \
    --es-url       https://elastic.example.com:9200 \
    --es-index     'sloth-events-%Y.%m.%d' \
    --es-api-key-env SLOTH_ES_API_KEY
```

RFC 5424 syslog (UDP):

```sh
python3 examples/forwarder/sloth-forward.py \
    unix:/tmp/sloth.sock \
    --sink syslog \
    --syslog-host siem.example.com \
    --syslog-port 514
```

One record per line:

```json
{"type":"alert","ts":1700000006,
 "title":"THREAT_DOMAIN",
 "detail":"192.168.1.5 queried malware.testing.com",
 "key":"threat-d:malware.testing.com",
 "sev":2,"ty":3,"count":1}
```

The sink interface is two members (.name, .send(batch)). Adding Loki, Datadog, OpenSearch, or a generic webhook is ~30 lines.
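The consumer side of that contract, as an added example that is not sloth's own examples/forwarder code: it reassembles the newline-delimited records from raw socket reads (holding a partial trailing line until the next read, so a record split across two reads is never parsed half-way), drops lines that fail to parse instead of dying on them, applies a minimum-severity filter to alert records, and hands batches to anything exposing .name and .send(batch). It relies only on what the page states (one JSON object per line, "\n"-terminated; the two-member sink). The MemorySink class, the sample records other than the page's THREAT_DOMAIN one, the min_sev/batch_size parameters and the tcp:HOST:PORT spelling of the socket spec are assumptions made for illustration.

```python
"""Minimal sloth JSONL consumer with a pluggable sink.

Added example; not code from sloth's examples/ directory. Only the record
format (one JSON object per "\n"-terminated line) and the sink contract
(.name, .send(batch)) come from the page; the rest is assumed.
"""
import json
import socket
import sys
from typing import Iterable, Iterator, List, Protocol

# Constructed sample stream. The first record is the page's THREAT_DOMAIN
# record; the ROGUE_DHCP title and the deliberately truncated third line are
# made up to exercise the severity filter and partial-read handling.
SAMPLE_STREAM = (
    b'{"type":"alert","ts":1700000006,"title":"THREAT_DOMAIN",'
    b'"detail":"192.168.1.5 queried malware.testing.com",'
    b'"key":"threat-d:malware.testing.com","sev":2,"ty":3,"count":1}\n'
    b'{"type":"alert","ts":1700000007,"title":"ROGUE_DHCP",'
    b'"detail":"constructed sample","key":"dhcp:example","sev":3,"ty":0,"count":1}\n'
    b'{"type":"alert","ts":1700000008,"title":"TRUNC'  # cut mid-record on purpose
)


class Sink(Protocol):
    """The two-member sink contract described on the page."""
    name: str

    def send(self, batch: List[dict]) -> None: ...


class MemorySink:
    """Assumed stand-in for a real sink (HEC, syslog, ES): keeps batches in memory."""
    name = "memory"

    def __init__(self) -> None:
        self.batches: List[List[dict]] = []

    def send(self, batch: List[dict]) -> None:
        self.batches.append(list(batch))


def iter_records(chunks: Iterable[bytes]) -> Iterator[dict]:
    """Reassemble newline-delimited JSON objects from arbitrary byte chunks.

    Bytes after the last "\n" stay buffered until the next chunk arrives;
    a line that fails to parse is dropped rather than stopping the consumer.
    """
    buf = b""
    for chunk in chunks:
        buf += chunk
        while True:
            nl = buf.find(b"\n")
            if nl < 0:
                break
            line, buf = buf[:nl], buf[nl + 1:]
            if not line.strip():
                continue
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                continue


def forward(chunks: Iterable[bytes], sink: Sink, min_sev: int = 0,
            batch_size: int = 100) -> tuple:
    """Deliver records to sink in batches, skipping alerts below min_sev.

    Returns (forwarded, skipped) counts.
    """
    batch: List[dict] = []
    forwarded = skipped = 0
    for rec in iter_records(chunks):
        if rec.get("type") == "alert" and rec.get("sev", 0) < min_sev:
            skipped += 1
            continue
        batch.append(rec)
        if len(batch) >= batch_size:
            sink.send(batch)
            forwarded += len(batch)
            batch = []
    if batch:
        sink.send(batch)
        forwarded += len(batch)
    return forwarded, skipped


def socket_chunks(spec: str, bufsize: int = 4096) -> Iterator[bytes]:
    """Connect to a --data-socket spec and yield raw reads until EOF.

    "unix:PATH" is the form shown on the page; "tcp:HOST:PORT" is assumed.
    """
    if spec.startswith("unix:"):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.connect(spec[len("unix:"):])
    elif spec.startswith("tcp:"):
        host, port = spec[len("tcp:"):].rsplit(":", 1)
        sock = socket.create_connection((host, int(port)))
    else:
        raise ValueError("expected unix:PATH or tcp:HOST:PORT")
    with sock:
        while True:
            data = sock.recv(bufsize)
            if not data:
                return
            yield data


if __name__ == "__main__":
    # With a socket spec argument, consume a live sloth; otherwise replay the
    # constructed sample in two uneven chunks to show partial-line handling.
    source = socket_chunks(sys.argv[1]) if len(sys.argv) > 1 else iter(
        [SAMPLE_STREAM[:70], SAMPLE_STREAM[70:]])
    print(forward(source, MemorySink(), min_sev=2))
```

Run it with no arguments to replay the constructed sample, or pass the same unix:/tmp/sloth.sock spec you gave sloth's --data-socket to read a live stream. The buffering in iter_records is the part that matters for a read-only stream with per-client backpressure: whatever chunk boundary recv() hands you, a record is parsed only once its terminating newline has arrived.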

Quickstart.

One binary. No daemon. No config file. Build it, point it at an interface, watch what your host sees.

1. Install dependencies (Debian / Ubuntu)

```sh
sudo apt-get install -y \
    build-essential \
    libpcap-dev \
    libncursesw5-dev
```

2. Build

```sh
cd sloth
make test    # 2,122 assertions, no root needed
make         # builds ./sloth
```

3. Run (needs CAP_NET_RAW)

```sh
sudo ./sloth                              # TUI on default iface
sudo ./sloth -i eth0                      # pin capture iface
sudo ./sloth -o /var/log/sloth.jsonl      # forensic stream
sudo ./sloth --data-socket unix:/tmp/sloth.sock
sudo ./sloth --eapol-dir /tmp/sloth-eapol # WiFi handshake export
```

4. Inside sloth

10 direct view jumps. Tab cycles. o dashboard. l OSI stack. ? help. q quit. Filter any list view with /.