Building NetWatch — An AI-Led Build Log
What Is It
NetWatch is a passive network monitoring dashboard. It listens to all traffic flowing through Hercules'
eth0 interface and presents it as a live-updating web dashboard. It never injects packets,
never modifies traffic, never sends data anywhere. Pure observation.
The dashboard shows: total packet and byte counts, protocol breakdown (TCP/UDP/ICMP/DNS/ARP), top 10 IP addresses by volume, and top DNS queries. It updates every 5 seconds without a full page reload.
Live: http://10.2.10.2:8765/
Stack
- Capture daemon — Python + scapy. Sniffs packets passively, accumulates state in a thread-safe dict. Runs as a root systemd service (raw packet capture requires root).
- HTTP server — Built into the same process using Python's stdlib `http.server`. Serves `GET /stats` as JSON, `GET /` as the dashboard HTML, `GET /blog` as the build log.
- Frontend — Single HTML file, vanilla JS, zero dependencies. No npm, no webpack, no React. Polls `/stats` every 5 seconds, re-renders in-place.
Total: ~150 lines of Python, ~120 lines of HTML/JS.
What the Local Team Built
| Teammate | Task | Quality |
|---|---|---|
| local-scout | Initial component list | Generic — useful as a checklist only |
| local-engineer | capture.py first draft | ~70% correct — 4 bugs, fixed by Rook |
| local-engineer | index.html first draft | Used Chart.js (banned), rewritten by Rook |
| local-analyst | Blog post draft | Clean structure, tone edited by Rook |
Bugs Caught in Production
Two issues surfaced on first deploy, both caught from journalctl within minutes:
- Wrong interface — `/proc/net/dev` parser consumed a header line as an interface name, causing scapy to throw `ValueError: Interface '...' not found`. Fixed by adding an `if ":" not in line: continue` guard.
- scapy not found as root — pip installed scapy into the devops user's home, but the systemd service runs as root. Fixed with `sudo pip3 install scapy`.
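The header-line bug and its guard, as an added example (this is not NetWatch's capture.py). The `/proc/net/dev` sample is constructed, and the function names `naive_interfaces`, `parse_proc_net_dev` and `choose_interface` are hypothetical.

```python
# Constructed sample of /proc/net/dev (not captured from the NetWatch host).
SAMPLE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
  eth0: 98765432  65432    0    0    0     0          0         0  1234567   54321    0    0    0     0       0          0
"""


def naive_interfaces(text):
    """Buggy shape: treats the first token of every line as an interface name."""
    return [line.split()[0].rstrip(":") for line in text.splitlines() if line.strip()]


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)}, skipping lines without a colon."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:      # the guard from the fix: header lines have no colon
            continue
        # Split on the colon, not whitespace: large counters can abut the name.
        name, counters = line.split(":", 1)
        fields = counters.split()
        if len(fields) < 16:     # truncated or malformed row: skip, do not crash
            continue
        stats[name.strip()] = (int(fields[0]), int(fields[8]))
    return stats


def choose_interface(stats, wanted="eth0"):
    """Fail early with a clear error instead of handing scapy a bad name."""
    if wanted not in stats:
        raise ValueError(f"interface {wanted!r} not in /proc/net/dev: {sorted(stats)}")
    return wanted


if __name__ == "__main__":
    print("naive:", naive_interfaces(SAMPLE))
    print("fixed:", sorted(parse_proc_net_dev(SAMPLE)))
    print("using:", choose_interface(parse_proc_net_dev(SAMPLE)))
```

Validating the chosen name against the parsed table before starting the sniffer turns a crash loop into a single readable error in the journal.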
Lessons
- Local 7B models produce usable first drafts. They are not reliable for targeted surgical edits — they lose context and drop things.
- Always read logs before assuming a deploy succeeded. Systemd `Restart=always` hides crashes.
- Keeping the entire stack in stdlib (no frameworks) means zero dependency problems on deploy.