The catalog
Each view has its own keybinding, its own ring buffer, and its own protocol or synthesis. Press Tab to cycle. Press o for the composite dashboard, l for the OSI grid. Press / in any list view to filter.
Observation: data straight from the wire / kernel
What your host already sees, surfaced as live panels. No inference, no aggregation — just the data with a useful column layout and protocol-aware colouring.
| Key | View | What it shows |
|---|---|---|
| 1 | Interfaces | Per-interface RX/TX rates, errors/drops, MTU, link speed, sparkline history. |
| 2 | Connections | Active TCP/UDP sockets with PID, RTT, retransmits, per-conn bandwidth. |
| 3 | WiFi | Nearby APs from nl80211 scan: signal, channel, encryption. |
| 4 | Packets | Live pcap capture with BPF filter, hex detail panel, pcap export. |
| 5 | Processes | Process tree with fold / unfold. |
| 6 | Stats | Session totals — bytes, packets, rates per interface since reset. |
| 7 | Probe | 802.11 probe-request sniffer — unassociated clients and the SSIDs they're looking for. |
| 8 | ARP | Layer-2 neighbour table with OUI vendor lookup. |
| 9 | mDNS | Bonjour / Zeroconf service table from passive UDP/5353. |
| 0 | NBNS | NetBIOS Name Service table from UDP/137. |
| d | DHCP | Live DHCP event log: DISCOVER / REQUEST / ACK. |
| s | SSDP | UPnP device table from UDP/1900 NOTIFY / M-SEARCH. |
| b | Beacons | Passive 802.11 beacon sniffer — pairwise cipher / AKM / MFP from the RSN IE, hidden-SSID reveal from probe-responses. |
| a | Deauth | 802.11 deauth / disassoc frames; flood detection per target MAC. |
| h | HTTP | Plaintext HTTP requests: method, host, path. |
| t | TLS | TLS ClientHello log: SNI host, version, and JA3 fingerprint. |
| u | QUIC | QUIC Initial packets: version + DNS-resolved host. |
| r | DNS | DNS query / response log: qname, qtype, answer, NXDOMAIN. |
| p | NTP | NTP traffic: mode, stratum, reference ID. |
| i | ICMP | ICMPv4 + ICMPv6 with named types (Echo, Unreachable, Neigh Sol, …). |
Synthesis: derived from observation
Rule outputs, joined records, and at-a-glance composites. Synthesis views read snapshot state and produce a different lens on what the observation views already captured.
| Key | View | What it shows |
|---|---|---|
| v | Alerts | Rule-derived events: port scans, deauth floods, NXDOMAIN bursts, threat-intel domain hits, threat-intel IP hits, periodic beaconing. |
| g | Devices | One record per MAC, joined from ARP / DHCP / Beacons / Probe / Stations with OUI vendor. |
| o | Dashboard | Composite at-a-glance view: interfaces, conns + top hosts, packets, and seven side-panel categories tiled to fill the terminal. |
| l | OSI stack | Seven-layer grid: every count sloth observes mapped onto its OSI layer — L7 application protocols, L6 TLS-version histogram, L5 sessions, L4 transport split, L3 host count, L2 ifaces / APs / STAs, L1 probe iface. |
WiFi SIGINT (v1.1): passive 802.11 SIGINT
Sloth's deep 802.11 capabilities — per-MAC PNL aggregation, RSN inventory, EAPOL capture for offline crack, MAC-randomisation deanonymisation, and association tracking. Built on top of the standard observation views.
| Key | View | What it shows |
|---|---|---|
| k | PNL | Per-MAC Preferred Network List — every directed probe-request's source MAC aggregated with the unique set of SSIDs it has probed for. Randomised MACs are flagged. A device's PNL fingerprints its owner. |
| e | EAPOL | Captured EAPOL-Key frames + 4-way handshake state machine. M1 with a PMKID KDE = one-frame offline-crack vector. M1+M2 = full handshake. --eapol-dir DIR writes captures in hashcat 22000 format. |
| j | Seqnum | Sequence-number-based MAC-randomisation deanonymisation. Pairs of MACs whose seqnum trails overlap within 64 seqnums / 30 s are the same physical radio across a MAC rotation. |
| w | Assoc | Client ↔ AP association inventory. Each row is a (BSSID, STA) pair sloth has observed confirmation for: EAPOL handshake completed, assoc-response status=0, or reassoc-response status=0. Disassoc / deauth removes the entry. |
| m | Channel | Per-channel activity histogram — APs with a beacon and associated STAs on each channel. |
These keys work everywhere, regardless of which view is active.
| Key | Action | What it does |
|---|---|---|
| Tab | Cycle | Next view, in keybind order. |
| n | DNS resolve | Toggle DNS hostname resolution (in conn / proc / stats views). |
| / | Filter | Filter the current log view. Type to refine, Enter to commit, Esc to cancel. |
| \ | Clear filter | Drop the current filter. |
| q | Quit | Exit sloth (clean shutdown of capture thread, jsonl flush, pcap close). |
| ? | Help | Up-to-date reference card. |