NetDoctor ingests switch and firewall configurations, detects rogue devices via MAC intelligence, runs deterministic rules and step-by-step playbooks - producing findings with cited evidence. Fully offline, read-only, zero trust in AI.
Devices are queried only through a fixed catalog of safe, read-only intents. No user-typed command strings ever reach the wire.
Every finding carries provenance: which artifact, which line, which parsed field, which baseline value. No finding without evidence.
The full diagnostic engine runs from uploaded files - no internet, no AI required. AI is an explanation layer, never truth.
Same inputs, same outputs. Rules operate on normalized snapshots and derived facts, not on raw text grep.
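The fixed catalog of read-only intents described above can be pictured with the following added example, which is not NetDoctor's own code. The intent names, validators and `render` function are hypothetical; the command strings are standard Cisco IOS show commands.

```python
import re

# Hypothetical catalog for illustration: intent name -> (template, validators).
# Intent names are invented here; the commands are standard IOS show commands.
def _is_iface(v):
    return bool(re.fullmatch(r"(?:Gi|Te|Fa|Po)[0-9]{1,3}(?:/[0-9]{1,3}){0,2}", v))

def _is_vlan(v):
    return bool(re.fullmatch(r"[0-9]{1,4}", v)) and 1 <= int(v) <= 4094

CATALOG = {
    "vlan_brief": ("show vlan brief", {}),
    "cdp_neighbors": ("show cdp neighbors detail", {}),
    "mac_by_interface": ("show mac address-table interface {iface}", {"iface": _is_iface}),
    "mac_by_vlan": ("show mac address-table vlan {vlan}", {"vlan": _is_vlan}),
}

class IntentRejected(ValueError):
    """Raised instead of sending anything to the device."""

def render(intent, **params):
    """Return the exact command line for a catalog intent, or raise."""
    if intent not in CATALOG:
        raise IntentRejected(f"unknown intent: {intent!r}")
    template, validators = CATALOG[intent]
    if set(params) != set(validators):
        raise IntentRejected(f"{intent}: expected params {sorted(validators)}")
    for name, is_valid in validators.items():
        value = params[name]
        if not isinstance(value, str) or not is_valid(value):
            raise IntentRejected(f"{intent}: bad value for {name}: {value!r}")
    command = template.format(**params)
    # Defence in depth: even a bad catalog entry cannot emit a non-show
    # command or smuggle a second line onto the session.
    if not command.startswith("show ") or any(c in command for c in "\r\n;|"):
        raise IntentRejected(f"{intent}: rendered command failed safety check")
    return command

def is_rejected(intent, **params):
    """True when the request would never reach the wire."""
    try:
        render(intent, **params)
    except IntentRejected:
        return True
    return False
```

The caller chooses an intent and typed parameters, never a command string, so free text has no path to the SSH session.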
Every feature listed below is implemented, tested and shipping.
Upload configs, show outputs and zipped bundles via drag-and-drop or paste. Filename detection, content sniffing and gzip storage keep artifacts traceable.
Collect live device output through Scrapli async SSH with parallel collection: baseline, topology, full and troubleshoot profiles. Per-device locks, per-site concurrency caps, per-command retries.
27 structured parsers normalize Cisco IOS / IOS-XE state: config, inventory, VLANs, trunks, interfaces, CDP, LLDP, STP, routes, MAC, ARP, PoE, environment and SNMP.
Parsed data is merged into a canonical JSON snapshot, separating configured and observed state with consistency flags when they disagree.
Role, uplink, stack, gateway and redundancy facts are computed once so every rule reads the same normalized model.
Built-in and organization rules cover STP/VTP hygiene, VLANs, trunks, AAA, SNMP, NTP, DHCP snooping and DAI without dynamic eval.
Baselines merge built-in, global, environment, site, role and device layers, with per-rule overrides and a clear winning source.
Every finding carries artifact ID, parsed field, baseline source and predicate inputs, so reports can show exactly why it fired.
Per-device dashboard shows summary, findings, interfaces, VLANs, neighbors and raw artifacts with searchable operational context.
Site topology renders role-based hierarchy, port-channels, clusters and focus paths, with neighbor links kept tied to evidence.
Cross-device findings are deduplicated by rule, device, interface and VLAN, then grouped into severity and critical-path views.
Browse and edit baseline policy in the UI, previewing which layer wins before a check is applied to a device.
A local LLM offers plain-language commentary on findings - no data ever leaves the machine. Disabled by default, never a source of truth.
Collection and analysis jobs track who ran what, profile, target, status and errors in a deterministic state machine.
CSV and JSON exports include findings and snapshots with Cisco-aware secret redaction before external sharing.
Offline IEEE OUI database, vendor classification, MAC observation tracking, flap detection and rogue device analysis. Baseline-driven - vendor name alone never triggers high-severity findings.
Step-by-step diagnostic playbooks mapped to findings. 8 playbooks with 69 individual checks covering port issues, VLAN, STP, EtherChannel, PoE and AP verification.
SSH credentials encrypted at rest with AES-256-GCM, PBKDF2-SHA256 key derivation (100k iterations). Passwords never returned in API responses. Per-profile isolation.
Cron-based automated SSH collection with hierarchical targeting: global, country, site, sub-site or specific devices. 7 presets plus custom cron, with per-device locking and concurrency caps.
Sites auto-positioned on a world map from hostname conventions and an offline city coordinate database. Golden-angle spiral offsets prevent overlap. Admins can drag markers to override.
7-tab admin dashboard: system health, RBAC with 4 roles and per-user permission overrides, credential vault, backup scheduler, security audit with forensic fingerprinting, and brute-force lockout.
WebSocket-streamed SSH output during collection. Watch every command execute in real time, per device, with status indicators and per-command progress tracking.
Scheduled PostgreSQL backups via pg_dump with gzip compression. Configurable retention policy (default 30 days), backup history with size and age, and one-click manual backup.
Golden fixtures and regression tests pin parser output, derived facts and rule behavior across 689 automated checks.
Upload artifacts or run a read-only SSH collection profile against live devices. Files are deduplicated, gzipped, and detected by filename + content.
Each artifact runs through its dedicated parser. Outputs are dataclasses with explicit fields - never raw strings. Parser status: ok / partial / failed / empty / raw_only.
Parsers feed the snapshot builder. Configured vs observed values merge into a canonical JSON model with consistency flags. Derived facts are computed once.
Deterministic rule predicates run against the snapshot, derived facts and 6-layer baseline. Each finding is built with its evidence payload.
Dashboard, snapshot detail, topology graph, exports. AI explanations on demand for context - never replacing the deterministic verdict.
NetDoctor builds a live topology graph from CDP, LLDP and port-channel data without a single SNMP poll. Click any device, get evidence-anchored findings inline.
Devices placed by inferred role (core / distribution / access / endpoint) using the same engine that powers the rules.
Aggregated members deduplicated and rendered as parallel lines with the operational port-channel badge.
Phones, APs, cameras, HMIs, printers, servers - classified from CDP capabilities and the offline IEEE OUI database.
Severity counts inline. Click a device for full evidence, recommendation and impact for every finding.
A single typo in configuration mode can take an enterprise offline. That's why the tool has no configuration mode.
configure terminal
write, reload, clear, erase, delete, format
debug commands
Before any artifact, finding or snapshot can leave the local perimeter (export, AI prompt, share link), the redactor strips:
Built in order: engine → MAC intelligence → routing → cross-device path → FortiGate → AI explanations. Each phase ships with tests before the next begins.
Python 3.11+ · FastAPI · SQLAlchemy async · Alembic · Scrapli (async SSH) · pyATS-friendly parsers
React 19 · Vite · TanStack Query · Tailwind CSS · TypeScript
PostgreSQL 16 · Redis 7 · Filesystem (gzip artifacts)
Docker Compose · Single-binary friendly · Air-gapped friendly
689 unit / integration tests · Golden fixture tests · pytest
Local LLM only · zero data egress · explanations only · never source of truth
No. There is no configuration mode and there are no write commands in the catalog. The platform is read-only by architecture, not by policy.
No. The entire platform - including the optional AI explanation layer - runs locally. No data ever leaves the machine, no external API calls, no telemetry.
Yes. Docker Compose deployment + offline OUI database + offline rule packs. No phone-home telemetry.
Rules read normalised facts, not raw text. Derived facts (interface role, management SVI, stack topology) cap most false-positive sources. Baselines override severities and thresholds at any of 6 layers.
It is explicit: rules that need it are listed under blocked by missing data, with the exact command to collect it. Missing data is never treated as healthy.
Security risk. Sending device configs to a cloud LLM leaks topology, credentials and policy to a third party. NetDoctor uses a local LLM only - nothing leaves the machine. And AI is restricted to plain-language commentary; verdicts always come from deterministic rules with cited evidence.
Today: Cisco IOS / IOS-XE switches (L2 and L3) with full MAC intelligence and rogue device detection. Next: Cisco routers (RIB / BGP / CEF). Then: FortiGate firewalls, Palo Alto, Juniper Junos.
Baseline files: built_in → global → environment → site → role → device. Never hardcoded in source. Every value emitted in evidence cites its baseline layer.
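An added example of resolving a value through the six layers and recording the winning source in the evidence (not NetDoctor's own code). It assumes later layers in the listed order override earlier ones; the rule ID, field name, data layout and function names are hypothetical, and the sample layers are constructed.

```python
from dataclasses import dataclass

LAYER_ORDER = ("built_in", "global", "environment", "site", "role", "device")

@dataclass(frozen=True)
class Resolved:
    value: object
    source: str       # layer that supplied the winning value
    shadowed: tuple   # (layer, value) pairs that were overridden

def resolve(rule_id, key, layers):
    """layers: {layer_name: {rule_id: {key: value}}}, already scoped to one device."""
    unknown = set(layers) - set(LAYER_ORDER)
    if unknown:
        raise ValueError(f"unknown baseline layers: {sorted(unknown)}")
    seen = []
    for layer in LAYER_ORDER:  # fixed order keeps the result deterministic
        overrides = layers.get(layer, {}).get(rule_id, {})
        if key in overrides:
            seen.append((layer, overrides[key]))
    if not seen:
        # No layer defines the value: report it, never assume a default.
        raise KeyError(f"{rule_id}.{key} is not defined in any baseline layer")
    source, value = seen[-1]
    return Resolved(value, source, tuple(seen[:-1]))

def evidence(rule_id, key, observed, layers):
    """Build the evidence payload for a minimum-threshold check."""
    r = resolve(rule_id, key, layers)
    return {
        "rule": rule_id,
        "field": key,
        "observed": observed,
        "expected_min": r.value,
        "baseline_source": r.source,
        "passed": observed >= r.value,
    }

# Constructed sample: one hypothetical rule overridden at two layers.
SAMPLE_LAYERS = {
    "built_in": {"ntp_servers": {"min_count": 1}},
    "global": {"ntp_servers": {"min_count": 2}},
    "site": {"ntp_servers": {"min_count": 3}},
}
```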