Network Visibility
Gateway fingerprinting, EOL detection, WiFi security, and continuous monitoring
NWX monitors the network path from the device through the local network to the internet. It does not install kernel extensions or drivers, and does not require elevated privileges for core functionality. Most detection is passive: the client observes what is already visible from the device's network stack and enriches it with vendor-specific API integrations where credentials are available.
Gateway Identification and Fingerprinting
| Capability | macOS | Windows | Credentials Required? |
|---|---|---|---|
| Gateway vendor identification via OUI lookup (~66,000 vendors) | Yes | Yes | No |
| BSSID recovery heuristics (locally-administered MACs, radio MACs) | Yes | Yes | No |
| UniFi gateway detection + full API integration | Yes | Yes | Yes (username/password) |
| TP-Link gateway detection + encrypted API integration | Yes | No | Yes (password) |
| ASUS gateway detection + API integration | Yes | No | Yes (username/password) |
| Meraki AP detection (local status page) | Yes | No | No |
| Eero detection (mDNS/cert fingerprint) | Yes | No | No |
| Cisco detection (cert/HTTP fingerprint) | Yes | No | No |
| UPnP/SSDP device fingerprinting | Yes | No | No |
| SSL/TLS certificate inspection on gateway | Yes | No | No |
| HTTP response fingerprinting (server headers, redirects) | Yes | No | No |
| Port scanning (9 common management ports) | Yes | No | No |
| Virtual gateway detection (VRRP, HSRP, GLBP) | Yes | No | No |
What OUI detection tells you: The gateway manufacturer (e.g., "TP-Link", "Ubiquiti", "NETGEAR", "ASUS"). This works without any credentials on both platforms. Combined with UPnP and HTTP fingerprinting (macOS), it often reveals the specific model.
What full API integration tells you (when credentials are stored): Firmware version, connected clients, WiFi configuration, WAN status, security settings, and more.
Example gateway fingerprint (macOS, UPnP-discovered):
```json
{
  "host": "192.168.1.1",
  "macAddress": "AA:BB:CC:DD:EE:FF",
  "vendor": "TP-Link",
  "model": "Archer AX21",
  "hostname": "tplinkwifi.net",
  "upnp": {
    "friendlyName": "Wireless Router(Archer AX21)",
    "manufacturer": "TP-Link",
    "modelName": "Archer AX21",
    "modelNumber": "5.0",
    "serialNumber": "1234567890",
    "firmwareVersion": "1.1.5 Build 20230913"
  },
  "openPorts": [80, 443],
  "sslInfo": {
    "commonName": "tplinkwifi.net",
    "issuer": "TP-Link CA",
    "validFrom": "2023-01-01",
    "validTo": "2033-01-01"
  }
}
```
End-of-Life / End-of-Support Detection
| Vendor | Entries | Platform |
|---|---|---|
| TP-Link | ~3,600 models (version- and region-aware) | macOS |
| ASUS | ~335 models (EOL + EOS dates) | macOS |
| UniFi | ~80 models (legacy/vintage classification) | macOS |
The EOL system is entirely offline. JSON databases are bundled in the app and updated with each release. No network requests at runtime.
Status model:
```
DeviceEOLStatus
  .supported            -- no banner
  .announcedEOL(date)   -- warning: support ending soon
  .endOfSupport(date)   -- critical: past security support
  .vintage(notes)       -- warning: limited updates
  .legacy(notes)        -- critical: discontinued, no updates
```
Example:
```json
{
  "vendor": "ASUS",
  "model": "RT-N12",
  "eolStatus": "legacy",
  "notes": "Discontinued. Recommended replacement: RT-AX1800S",
  "severity": "critical"
}
```
Near-term EOL expansion
| Vendor | Entries | Status |
|---|---|---|
| Netgear | ~1,020 models | Data scraped, pending integration |
| Linksys | ~4,286 models | Data scraped, pending integration |
Security Configuration Audit (ASUS)
When ASUS credentials are stored, NWX reads the router's security configuration (macOS only):
| Flag | What It Means |
|---|---|
| firewallEnabled | SPI firewall active |
| sshEnabled | SSH server exposed (risk if password is default) |
| upnpEnabled | UPnP port forwarding enabled (attack surface) |
| wpsEnabled | WPS enabled (known PIN brute-force vulnerability) |
| remoteHttpEnabled | Web admin accessible from WAN (significant risk) |
| dosProtectionEnabled | DoS protection active |
Additionally, ASUS API integration provides:
- Double-NAT detection: Compares WAN IP from the router with actual public IP
- WAN status: Connection type, WAN IP, gateway, DNS servers
- Connected clients: MAC, IP, hostname, connection type per device
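The following is an added example, not NWX code: it turns the six flags above into ranked findings and implements the double-NAT comparison, going one step further by classifying the router's WAN address as RFC 1918 or carrier-grade NAT space. The severity labels, function names and the sample input are assumptions made for the illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

# (flag, value that counts as a finding, severity, message). Severities are
# assumed for this example; the table above only gives each flag's meaning.
RULES = [
    ("firewallEnabled", False, "critical", "SPI firewall is off"),
    ("remoteHttpEnabled", True, "critical", "web admin reachable from WAN"),
    ("wpsEnabled", True, "warning", "WPS on (PIN brute-force exposure)"),
    ("sshEnabled", True, "warning", "SSH server exposed"),
    ("upnpEnabled", True, "warning", "UPnP port forwarding enabled"),
    ("dosProtectionEnabled", False, "info", "DoS protection is off"),
]

def nat_status(router_wan_ip, public_ip):
    """Compare the router's WAN IP with the public IP observed from outside."""
    wan = ipaddress.ip_address(router_wan_ip)
    pub = ipaddress.ip_address(public_ip)
    if wan == pub:
        return "single-nat"
    if wan in CGNAT:
        return "double-nat (carrier-grade NAT)"
    if any(wan in net for net in RFC1918):
        return "double-nat (upstream private router)"
    return "mismatch (public WAN IP differs; VPN or proxy egress?)"

def audit(config, router_wan_ip, public_ip):
    """Return (severity, message) findings, most severe first."""
    findings = []
    for flag, bad, sev, msg in RULES:
        if flag not in config:          # a missing flag is reported, not assumed safe
            findings.append(("info", f"{flag}: not reported by router"))
        elif config[flag] is bad:
            findings.append((sev, f"{flag}: {msg}"))
    nat = nat_status(router_wan_ip, public_ip)
    if nat != "single-nat":
        findings.append(("warning", f"nat: {nat}"))
    order = {"critical": 0, "warning": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])

# Constructed sample input, not data read from a real router.
SAMPLE = {"firewallEnabled": True, "sshEnabled": False, "upnpEnabled": True,
          "wpsEnabled": True, "remoteHttpEnabled": True}
if __name__ == "__main__":
    for sev, msg in audit(SAMPLE, "100.72.14.9", "203.0.113.40"):
        print(f"{sev:8} {msg}")
```

A public WAN address that differs from the observed public IP is reported as a mismatch, not as double NAT, because an active VPN or proxy produces the same symptom.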
WiFi Security Analysis
| Capability | macOS | Windows |
|---|---|---|
| Open network detection (no encryption) | Yes | Yes |
| Weak encryption detection (WEP, WPA-TKIP) | Yes | Yes |
| WPA2/WPA3 status reporting | Yes | Yes |
| VPN-mitigated severity adjustment | Yes | Yes |
When an open or weakly-encrypted WiFi network is detected:
- Without VPN: Critical severity (data is exposed)
- With VPN active: Warning severity (VPN provides encryption layer, but local network traffic is still exposed)
Continuous Network Health Monitoring
| Capability | macOS | Windows | Credentials Required? |
|---|---|---|---|
| Per-hop latency, loss, and jitter (5-second intervals) | Yes | Yes | No |
| WiFi RF monitoring (RSSI, noise, band, channel width, TX rate) | Yes | Yes | No |
| Network segment attribution (WiFi/LAN/ISP/VPN/transit/destination) | Yes | Yes | No |
| Impairment detection with severity (info/warning/critical) | Yes | Yes | No |
| VPN detection (active tunnel, provider identification) | Yes | Yes | No |
| Split tunnel vs. full tunnel VPN classification | Yes | Yes | No |
| DNS provider identification | Yes | Partial | No |
| Captive portal detection | Yes | No | No |
WiFi RF snapshot (included in every hop metric when on WiFi):
```json
{
  "rssi": -42,
  "noise": -89,
  "band": 5.0,
  "ch_w": 80,
  "tx_rate": 1200.0
}
```
Interpretation: RSSI of -42 dBm is excellent. Noise floor of -89 dBm gives an SNR of 47 dB. 80 MHz channel width on 5 GHz with a 1200 Mbps TX rate indicates WiFi 6 (802.11ax) in good conditions.
Additional Detection Capabilities
macOS (requires unsandboxed build or specific access)
| Capability | Notes |
|---|---|
| ARP monitoring / MAC-IP mapping | Maps all devices visible on the local network |
| LLDP switch/port discovery | Identifies directly-connected managed switches and ports |
| Firmware version extraction (TP-Link, UniFi, ASUS) | Requires stored credentials for each vendor |
Windows
| Capability | Notes |
|---|---|
| LLDP switch/port discovery | Requires Npcap runtime |
| UniFi gateway detection + API | Full parity with macOS |
Platform Summary
| Category | macOS | Windows |
|---|---|---|
| Gateway vendor ID (OUI) | Full | Full |
| Gateway model/firmware | Full (UPnP + SSL + HTTP + vendor APIs) | UniFi API only |
| EOL detection | 3 vendors (~4,200 models) | Not yet bundled |
| Security config audit | ASUS (6 flags) | Not yet |
| WiFi security analysis | Full | Full |
| Continuous hop metrics | Full | Full |
| WiFi RF monitoring | Full | Full |
| VPN detection + classification | Full | Full |
| Network segment attribution | Full | Full |
| LLDP discovery | Unsandboxed | With Npcap |
| ARP monitoring | Unsandboxed | Not yet |
| Captive portal detection | Yes | Not yet |
Data Examples
Hop Metric Record (production format)
```json
{
  "type": "hop_metrics",
  "ts": 1770410100520,
  "hop": "157.131.243.49",
  "ttl": 9,
  "seg": "isp",
  "dur": 300,
  "n": 60,
  "loss": 0.0,
  "avg": 12.4,
  "min": 6.0,
  "max": 37.7,
  "jit": 3.3,
  "ctx": "0000053b",
  "net": "wifi",
  "asn": 7922,
  "wifi": {
    "rssi": -27,
    "noise": -89,
    "band": 5.0,
    "ch_w": 80,
    "tx_rate": 1200.0
  }
}
```
Impairment Event
```json
{
  "type": "impairment",
  "ts": 1770411200000,
  "hop": "10.1.0.1",
  "ttl": 2,
  "seg": "lan",
  "sev": "critical",
  "dur": 120.0,
  "loss": 15.0,
  "avg": 245.8,
  "n": 24,
  "ctx": "0000053b",
  "net": "wifi",
  "wifi": {
    "rssi": -72,
    "noise": -85,
    "band": 2.4,
    "ch_w": 20,
    "tx_rate": 72.0
  }
}
```
This impairment shows a critical-severity event at the LAN gateway: 15% packet loss, 245 ms average latency, and a weak WiFi signal (-72 dBm on congested 2.4 GHz, only 20 MHz channel width). The attribution is clear: poor WiFi conditions are degrading the connection at the first hop.
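As an added example (not NWX code), the sketch below applies that reasoning to records in the format shown above: an impairment on a WiFi or LAN hop with weak RF is attributed to WiFi, and, going beyond the page, loss at an intermediate hop that a later hop in the same context does not see is flagged as probe deprioritisation instead of a real fault. The thresholds, the reading of `ts` as the end of a `dur`-second window, and all sample records except the first are assumptions.

```python
# Thresholds are assumptions for this example, not values taken from NWX.
WEAK_RSSI_DBM, LOW_SNR_DB = -70, 20

def window(rec):
    # Assumption: "ts" (ms) marks the end of a window lasting "dur" seconds.
    return rec["ts"] - rec["dur"] * 1000, rec["ts"]

def attribute(imp, records):
    """Return (cause, reason) for one impairment record."""
    wifi = imp.get("wifi")
    if imp.get("net") == "wifi" and wifi and imp["seg"] in ("wifi", "lan"):
        snr = wifi["rssi"] - wifi["noise"]          # dBm - dBm = dB
        if wifi["rssi"] <= WEAK_RSSI_DBM or snr < LOW_SNR_DB:
            return "wifi-rf", f"RSSI {wifi['rssi']} dBm, SNR {snr} dB"
    lo, hi = window(imp)
    for r in records:
        # A later hop on the same path with zero loss in an overlapping window
        # means the traffic got through; the lossy hop only dropped probe replies.
        if (r["type"] == "hop_metrics" and r["ctx"] == imp["ctx"]
                and r["ttl"] > imp["ttl"] and r["loss"] == 0.0):
            rlo, rhi = window(r)
            if rlo < hi and lo < rhi:
                return "probe-deprioritised", f"no loss at ttl {r['ttl']}"
    return imp["seg"], f"{imp['loss']}% loss at {imp['hop']}"

def triage(records):
    """Return (hop, cause, reason) for every impairment in the record list."""
    return [(r["hop"],) + attribute(r, records)
            for r in records if r["type"] == "impairment"]

# Constructed sample records. The first reuses the impairment shown above;
# the others (hops, ctx values, metrics) are made up for the example.
BASE = {"type": "impairment", "ts": 1770411200000, "dur": 120.0, "n": 24,
        "net": "wifi", "wifi": {"rssi": -45, "noise": -89}}
SAMPLE = [
    {**BASE, "hop": "10.1.0.1", "ttl": 2, "seg": "lan", "loss": 15.0,
     "ctx": "0000053b", "wifi": {"rssi": -72, "noise": -85}},
    {**BASE, "hop": "198.51.100.1", "ttl": 5, "seg": "isp", "loss": 8.0,
     "ctx": "c0000001"},
    {"type": "hop_metrics", "ts": 1770411260000, "dur": 300, "ttl": 9,
     "hop": "198.51.100.9", "seg": "isp", "loss": 0.0, "ctx": "c0000001"},
    {**BASE, "hop": "198.51.100.1", "ttl": 5, "seg": "isp", "loss": 8.0,
     "ctx": "c0000002"},
]
if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep=" | ")
```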