Overview

Netwatch is a self-hosted network monitoring tool. It consists of three components that work together:

  • Server — receives reports from agents and serves data to the dashboard
  • Agent — scans your local network and sends device data to the server
  • Dashboard — displays all your locations and devices in one interface

All data stays on your own infrastructure. CoreOutpost has no access to your network data.

Requirements

Server PC

  • Windows 10 or later
  • Always-on — the server must be running for agents to report
  • Accessible on your local network (or via Cloudflare Tunnel for remote agents)

Agent PC

  • Windows 10 or later
  • Must be on the network you want to monitor
  • Administrator rights required for full device identification
  • Npcap (optional) — for passive traffic fingerprinting
  • Nmap (optional) — for deep OS fingerprinting on unknown devices

Setting up the server

Download NetwatchServer.exe from the Downloads page and run it on your server PC. No installation required — just double-click.

You should see the startup banner:

Netwatch Server v0.1.6
API available at http://0.0.0.0:5000
Status check: http://localhost:5000/api/status

Verify it's running by opening http://localhost:5000/api/status in a browser on the same PC.

💡 Keep this window open — closing it stops the server. For automatic startup on boot, add a shortcut to your Windows Startup folder.

Setting up an agent

Download NetwatchAgent.exe from the Downloads page. Right-click it and select Run as administrator.

On first run the setup wizard will ask for:

  • Server URL — the address of your Netwatch server (e.g. http://192.168.1.105:5000)
  • Location name — a display name for this network (e.g. Main Office)
  • Location ID — a unique identifier (e.g. main-office) — must match exactly what you enter in the dashboard
  • Subnet — the first three parts of your IP range (e.g. 192.168.1)
⚠ The Location ID must exactly match the ID you enter in the dashboard Locations tab. Spelling and capitalization both matter.

Settings are saved to netwatch-config.json in the same folder. Edit this file anytime to change settings without re-running the wizard.

Opening the dashboard

Open app.coreoutpost.com in any browser. On first launch you'll be asked for your server URL — enter the address of your Netwatch server.

For remote access (server on a different network) see the Remote access section.

Adding locations

After opening the dashboard go to the Locations tab and click Add Location. Enter the same Location ID you used during agent setup. Once saved the dashboard will start receiving device data from that agent within 30 seconds.

💡 Each browser or device you use the dashboard on has its own separate locations list — you'll need to add your locations on each device.

Remote access

For agents at remote locations to report to your server, the server needs to be accessible over the internet. The recommended approach is a free Cloudflare Tunnel:

  • Download cloudflared from github.com/cloudflare/cloudflared
  • Create a tunnel pointing to localhost:5000
  • Point a subdomain (e.g. netwatch.yourdomain.com) to the tunnel
  • Agents at remote locations use this URL as their server URL

The dashboard at app.coreoutpost.com can then connect to your tunnel URL from any browser anywhere.

Npcap & Nmap

Npcap

Npcap enables passive traffic fingerprinting — the agent captures DHCP, ARP and TCP packets to identify devices without actively scanning them. Install from npcap.com and check WinPcap API-compatible mode during installation.

Nmap

Nmap provides deep OS fingerprinting for devices the agent can't identify through other methods. Install from nmap.org using the Windows self-installer. The agent detects Nmap automatically at startup.

💡 Both Npcap and Nmap are optional. The agent works without them — just with reduced identification accuracy.

Config file

The agent saves its configuration to netwatch-config.json in the same folder as the executable. You can edit this file directly:

{
  "server_url": "http://192.168.1.105:5000",
  "location_id": "main-office",
  "location_name": "Main Office",
  "location_tag": "Local Network",
  "subnet": "192.168.1",
  "report_interval": 30
}

Delete this file and restart the agent to re-run the setup wizard.

Device identification

The agent uses a 10-layer pipeline to identify devices, running each method in priority order:

  • Scapy passive fingerprinting (DHCP, TCP/IP, ARP) — requires Npcap
  • mDNS/Bonjour discovery
  • SNMP querying
  • UPnP/SSDP description XML
  • HTTP banner grabbing
  • NetBIOS name resolution
  • DNS hostname resolution
  • MAC OUI vendor lookup
  • Port-based type detection
  • Name pattern matching
  • Nmap deep scan — only for devices still unidentified after all above

Stale agent detection

If an agent stops reporting (PC turned off, network issue, agent crashed), the server automatically marks all devices in that location as offline after 90 seconds of silence. The dashboard shows a red banner indicating which agent has gone silent and how long ago it last reported.

Once the agent resumes reporting, devices return to their correct online/offline status automatically.

Support

For help, questions or bug reports contact us at netwatch@coreoutpost.com.