Local network anomaly monitor for macOS. Detects suspicious outbound connections using a local LLM with tool calling, RAG short-term memory, a native menu bar agent, and a dark-theme web review panel — everything runs on-device, no cloud required.

lsof (60s) ──► anomalies.log ──► analyze.py (5 min) ──► notifications
                                       │                       │
                               embed + RAG lookup         panel UI
                               (nomic-embed-text)    localhost:6543
                                       │
                               Ollama LLM (tool calls)
                               granite4.1:3b / llama3.2 / …
                               ├─ send_notification   → queues for review
                               ├─ auto_resolve        → autonomous confirm/reject
                               └─ mark_as_normal      → adds to baseline

• macOS 13 Ventura or later
• Ollama (at least one tool-capable model)
• Python 3.10+ — Homebrew recommended (brew install python)
• Xcode Command Line Tools — xcode-select --install

git clone https://github.com/Algiras/netmon ~/.netmon
bash ~/.netmon/install.sh

install.sh:

1. Checks dependencies (python3, ollama, xcrun)
2. Installs Python packages (anthropic, mcp)
3. Pulls granite4.1:3b and nomic-embed-text-v2-moe from Ollama
4. Writes LaunchAgent plists to ~/Library/LaunchAgents/
5. Builds the Swift menu bar app and loads all agents

After install you'll see ⚡ in your menu bar and the panel at http://localhost:6543.

The panel API is token-protected. The token is auto-generated at ~/.netmon/panel_token on first run — the menu bar app reads it automatically. For curl access use $(cat ~/.netmon/panel_token).

netmon uses two separate models, both configurable from the panel:

The panel's model bar shows only models that support the required capability (tools for LLM, embedding for vectors). Any Ollama model works.

Note: Changing the embedding model clears all stored embeddings — the panel shows a confirmation dialog before doing so. Vectors computed with different models are incompatible.

Switch via API:

TOKEN=$(cat ~/.netmon/panel_token)

# Change LLM
curl -X POST http://localhost:6543/config \
  -H "Host: localhost:6543" -H "X-Netmon-Token: $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"llm_model": "llama3.2:3b"}'

# Change embedding model (clears stored vectors)
curl -X POST http://localhost:6543/config \
  -H "Host: localhost:6543" -H "X-Netmon-Token: $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"embed_model": "nomic-embed-text:latest", "_clear_embeddings": true}'

Tested LLMs: granite4.1:3b · llama3.2:3b · qwen3.5:2b · gemma4:31b-cloud · mistral-large-3:675b-cloud

Toggle via ⚡ menu bar → 👁 Review Mode / 🤖 Autonomous: ON, or the green button in the panel.

The LLM is given three tools:

No Ollama required — all network calls are mocked.

cd ~/.netmon && python3 -m pytest tests/ -v
# 31 passed

bash ~/.netmon/build.sh

~/.netmon/anomalies.log    # raw lsof detections
~/.netmon/analysis.log     # LLM decisions and summaries
~/.netmon/menubar.err      # Swift app crash log
~/.netmon/panel.log        # HTTP access log

GitHub Actions builds a signed DMG on every push to main (artifact) and on version tags (GitHub Release).

git tag v1.0.0 && git push --tags

The DMG contains NetmonMenuBar.app with a drag-to-/Applications installer layout.