NetDoctor ingests switch, router and firewall configurations, detects rogue devices via MAC intelligence, runs deterministic rules and step-by-step playbooks - producing findings with cited evidence. Fully offline, read-only, zero trust in AI.
Devices are queried only through a fixed catalog of safe, read-only intents. No user-typed command strings ever reach the wire.
Every finding carries provenance: which artifact, which line, which parsed field, which baseline value. No finding without evidence.
The full diagnostic engine runs from uploaded files - no internet, no AI required. AI is an explanation layer, never truth.
Same inputs, same outputs. Rules operate on normalized snapshots and derived facts, not on raw text grep.
Every feature listed below is implemented, tested and shipping.
Upload configs, show outputs and zipped bundles via drag-and-drop or paste. Filename detection, content sniffing and gzip storage keep artifacts traceable.
Collect live device output through Scrapli async SSH with parallel collection: baseline, topology, full and troubleshoot profiles. Per-device locks, per-site concurrency caps, per-command retries.
42 structured parsers normalize Cisco IOS / IOS-XE state: config, inventory, VLANs, trunks, interfaces, CDP, LLDP, STP, routes, MAC, ARP, PoE, environment and SNMP.
Parsed data is merged into a canonical JSON snapshot, separating configured and observed state with consistency flags when they disagree.
Role, uplink, stack, gateway and redundancy facts are computed once so every rule reads the same normalized model.
Built-in and organization rules cover STP/VTP hygiene, VLANs, trunks, AAA, SNMP, NTP, DHCP snooping and DAI without dynamic eval.
Baselines merge built-in, global, environment, site, role and device layers, with per-rule overrides and a clear winning source.
Every finding carries artifact ID, parsed field, baseline source and predicate inputs, so reports can show exactly why it fired.
Per-device dashboard shows summary, findings, interfaces, VLANs, neighbors and raw artifacts with searchable operational context.
Site topology renders role-based hierarchy, port-channels, clusters and focus paths, with neighbor links kept tied to evidence.
Cross-device findings are deduplicated by rule, device, interface and VLAN, then grouped into severity and critical-path views.
Browse and edit baseline policy in the UI, previewing which layer wins before a check is applied to a device.
A local LLM offers plain-language commentary on findings - no data ever leaves the machine. Disabled by default, never a source of truth.
Collection and analysis jobs track who ran what, profile, target, status and errors in a deterministic state machine.
CSV and JSON exports include findings and snapshots with Cisco-aware secret redaction before external sharing.
Offline IEEE OUI database, vendor classification, MAC observation tracking, flap detection and rogue device analysis. Baseline-driven - vendor name alone never triggers high-severity findings.
Step-by-step diagnostic playbooks mapped to findings. 10 playbooks with 118 individual checks covering port issues, VLAN, STP, EtherChannel, PoE, AP, TACACS and compliance.
SSH credentials encrypted at rest with AES-256-GCM, PBKDF2-SHA256 key derivation (100k iterations). Passwords never returned in API responses. Per-profile isolation.
Cron-based automated SSH collection with hierarchical targeting: global, country, site, sub-site or specific devices. 7 presets plus custom cron, with per-device locking and concurrency caps.
Sites auto-positioned on a world map from hostname conventions and an offline city coordinate database. Golden-angle spiral offsets prevent overlap. Admins can drag markers to override.
7-tab admin dashboard: system health, RBAC with 4 roles and per-user permission overrides, credential vault, backup scheduler, security audit with forensic fingerprinting, and brute-force lockout.
WebSocket-streamed SSH output during collection. Watch every command execute in real time, per device, with status indicators and per-command progress tracking.
Scheduled PostgreSQL backups via pg_dump with gzip compression. Configurable retention policy (default 30 days), backup history with size and age, and one-click manual backup.
Golden fixtures and regression tests pin parser output, derived facts and rule behavior across 1 781 automated checks.
Upload artifacts or run a read-only SSH collection profile against live devices. Files are deduplicated, gzipped, and detected by filename + content.
Each artifact runs through its dedicated parser. Outputs are dataclasses with explicit fields - never raw strings. Parser status: ok / partial / failed / empty / raw_only.
Parsers feed the snapshot builder. Configured vs observed values merge into a canonical JSON model with consistency flags. Derived facts are computed once.
Deterministic rule predicates run against the snapshot, derived facts and 6-layer baseline. Each finding is built with its evidence payload.
Dashboard, snapshot detail, topology graph, exports. AI explanations on demand for context - never replacing the deterministic verdict.
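The parse-then-merge stage described above, as an added example (not NetDoctor's own parsers): a configured-state parser for `vlan` stanzas and an observed-state parser for `show vlan brief`, each returning a dataclass with one of the five parser statuses, merged into a snapshot that carries a consistency flag per VLAN. The regexes, the `IMPLICIT_VLANS` set and the sample artifacts are this example's assumptions.

```python
"""Added example (not NetDoctor's code): a configured-state parser and an observed-state parser
returning dataclasses with an explicit status, merged into a VLAN snapshot that flags disagreements."""
import re
from dataclasses import dataclass, field

@dataclass
class VlanParse:
    status: str                                           # ok / partial / failed / empty / raw_only
    vlans: dict[int, str] = field(default_factory=dict)   # vlan id -> name
    unparsed: list[str] = field(default_factory=list)     # rows the parser could not read

CFG_VLAN, CFG_NAME = re.compile(r"^vlan (\d+)$"), re.compile(r"^ name (\S+)$")
BRIEF_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(?:active|act/\S+|suspended)\b")
IMPLICIT_VLANS = {1, 1002, 1003, 1004, 1005}              # exist without a 'vlan N' stanza

def parse_config_vlans(text: str) -> VlanParse:           # configured state from running-config
    vlans, cur = {}, None
    for line in text.splitlines():
        if m := CFG_VLAN.match(line):
            cur = int(m.group(1)); vlans.setdefault(cur, f"VLAN{cur:04d}")   # IOS default name
        elif (m := CFG_NAME.match(line)) and cur is not None:
            vlans[cur] = m.group(1)
        elif line and not line[0].isspace():
            cur = None                                    # left the vlan stanza
    return VlanParse("ok" if vlans else "empty", vlans)

def parse_show_vlan_brief(text: str) -> VlanParse:        # observed state from 'show vlan brief'
    vlans, bad = {}, []
    for line in text.splitlines():
        if m := BRIEF_ROW.match(line):
            vlans[int(m.group(1))] = m.group(2)
        elif line[:1].isdigit():
            bad.append(line)                              # a data row we could not read
    status = ("partial" if bad else "ok") if vlans else ("failed" if bad else "empty")
    return VlanParse(status, vlans, bad)

def build_vlan_snapshot(cfg: VlanParse, obs: VlanParse) -> dict[int, dict]:
    # Merge per VLAN and attach consistency flags; implicit VLANs are never 'unconfigured'.
    snap = {}
    for vid in sorted(set(cfg.vlans) | set(obs.vlans)):
        c, o, flags = cfg.vlans.get(vid), obs.vlans.get(vid), []
        if c is None and vid not in IMPLICIT_VLANS: flags.append("observed_not_configured")
        if o is None: flags.append("configured_not_observed")
        if c and o and c != o: flags.append("name_mismatch")
        snap[vid] = {"configured": c, "observed": o, "consistent": not flags, "flags": flags}
    return snap

# Constructed artifacts: VLAN 20 renamed on the box, VLAN 30 configured but absent, VLAN 40 undocumented.
SAMPLE_CONFIG = "hostname SW1\nvlan 10\n name USERS\nvlan 20\n name VOICE\nvlan 30\n!\n"
SAMPLE_BRIEF = ("VLAN Name    Status    Ports\n---- ------- --------- -----\n1    default active    Gi1/0/3\n"
                "10   USERS   active    Gi1/0/1\n20   VOIP    active\n40   GUEST   active    Gi1/0/9\n50   BROKEN-ROW\n")
```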
NetDoctor builds a live topology graph from CDP, LLDP and port-channel data without a single SNMP poll. Click any device, get evidence-anchored findings inline.
Devices placed by inferred role (core / distribution / access / endpoint) using the same engine that powers the rules.
Aggregated members deduplicated and rendered as parallel lines with the operational port-channel badge.
Phones, APs, cameras, HMIs, printers, servers - classified from CDP capabilities and the offline IEEE OUI database.
Severity counts inline. Click a device for full evidence, recommendation and impact for every finding.
One-click high-resolution PNG export (3x scale) or clean SVG for documentation, change requests and management reports. Every export captures the current layout, collapsed state and finding badges exactly as displayed.
Pan, zoom (0.05x to 8x), drag individual nodes with optional grid snap. Multi-select with rubber-band selection. Collapse subtrees with the ± button. Save and load named layout profiles. Positions persist across sessions.
Sites auto-positioned on a Leaflet/OSM map from hostname conventions and an offline city coordinate database. Pulsing markers, cluster grouping at low zoom, click to drill into the site graph. Admins can drag markers to override positions.
CDP/LLDP neighbors without a local snapshot appear as ghost nodes (dashed outline). Endpoints with the same role are grouped into expandable clusters with a +N badge. Click a cluster to fan out individual members.
39,201 IEEE OUI entries. 590 curated vendor overrides. 130+ classification patterns. Completely offline — no internet required, ever.
Every MAC address is resolved against the full IEEE OUI registry — 39,201 entries compressed to 318 KB, loaded in ~80 ms. Two-tier architecture: 590 hand-curated vendor type overrides checked first, then auto-classification with confidence scoring from 130+ regex patterns. Cisco, Juniper, Arista, Fortinet, Hikvision, Yealink, Xerox and hundreds more — each with a device type and confidence score.
12 canonical device types: network (switches, routers, firewalls, APs), phone (VoIP), printer, camera (IP/NVR), endpoint (laptops, desktops, mobiles), server, virtualization (VMware, Hyper-V, KVM), firewall, wireless_ap, iot (industrial, sensors, UPS) and more. Ambiguous vendors (Cisco = switch or phone? HP = printer or server?) return possible_types for downstream rules to refine using interface role, baseline and history.
15 deterministic rules (ROGUE-001 through ROGUE-015) analyse every access port. Unauthorized mini-switches on user ports, network vendor MACs where only endpoints belong, unknown OUI on secured ports, MAC flapping from syslog, port-security violations and 802.1X/MAB failures. Vendor name alone never triggers a high-severity finding — every rule requires corroborating evidence from interface role, baseline and observed state.
Not every multi-MAC access port is a rogue switch. The engine recognizes: phone + PC pairs (downgrades to info, recommends voice VLAN), wireless AP in bridge mode (AP + wireless clients on one port, ≤20 MACs), camera clusters (PoE camera switch / NVR uplink, ≥50% camera OUI), and multi-NIC servers (sequential same-OUI MACs within 8 addresses). Each suppression is explained and logged.
Every MAC is tracked per device: first seen, last seen, observation count, current interface, previous interfaces. When a MAC moves between ports on the same switch, the engine generates an alert with from/to interfaces and timestamp. Full history is persisted in PostgreSQL with configurable retention (90 days default).
Dual detection: MAC table analysis finds the same MAC learned on multiple interfaces simultaneously (confidence 0.90), and syslog parsing catches Cisco SW_MATM / MACFLAP messages with interface pairs (confidence 0.85). Virtual MACs are excluded: HSRP, VRRP, GLBP, STP, LLDP, LACP, multicast and broadcast.
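The dual flap detection above, as an added example that is not NetDoctor's code: one detector over parsed MAC-table rows (same MAC, same VLAN, more than one interface, confidence 0.90) and one over Cisco `%SW_MATM-4-MACFLAP_NOTIFY` syslog lines (confidence 0.85), both skipping virtual and group MACs. The HSRP/VRRP/GLBP prefix list, the syslog regex and the sample rows are this example's assumptions.

```python
"""Added example (not NetDoctor's code): find a MAC learned on more than one interface
of one switch, both from a parsed MAC table and from Cisco MACFLAP syslog lines, while
skipping virtual and group MACs that legitimately appear on several ports."""
import re
from collections import defaultdict

# First-hop-redundancy virtual MAC prefixes (dotted Cisco notation). STP, LLDP and LACP
# use IEEE group addresses, which the multicast-bit test below already excludes.
VIRTUAL_PREFIXES = ("0000.0c07.ac",   # HSRPv1
                    "0000.5e00.01",   # VRRP
                    "0007.b400.")     # GLBP

def is_virtual_mac(mac: str) -> bool:
    mac = mac.lower()
    if mac == "ffff.ffff.ffff" or int(mac[:2], 16) & 0x01:   # broadcast, or multicast bit set
        return True
    return mac.startswith(VIRTUAL_PREFIXES)

def flaps_from_mac_table(entries: list[tuple[str, int, str]]) -> list[dict]:
    """entries are (mac, vlan, interface) rows from a parsed 'show mac address-table'."""
    seen: dict[tuple[str, int], set[str]] = defaultdict(set)
    for mac, vlan, iface in entries:
        if not is_virtual_mac(mac):
            seen[(mac.lower(), vlan)].add(iface)
    return [{"mac": m, "vlan": v, "interfaces": sorted(ifs), "confidence": 0.90, "source": "mac_table"}
            for (m, v), ifs in seen.items() if len(ifs) > 1]

MACFLAP_RE = re.compile(r"%SW_MATM-4-MACFLAP_NOTIFY: Host ([0-9a-fA-F.]+) in vlan (\d+) "
                        r"is flapping between port (\S+) and port (\S+)")

def flaps_from_syslog(lines: list[str]) -> list[dict]:
    out = []
    for line in lines:
        m = MACFLAP_RE.search(line)
        if m and not is_virtual_mac(m.group(1)):
            out.append({"mac": m.group(1).lower(), "vlan": int(m.group(2)),
                        "interfaces": sorted([m.group(3), m.group(4)]),
                        "confidence": 0.85, "source": "syslog"})
    return out

# Constructed sample data: one real flap, one HSRP virtual MAC on two ports, one VRRP syslog line.
SAMPLE_TABLE = [("0011.2233.4455", 10, "Gi1/0/5"), ("0011.2233.4455", 10, "Gi1/0/7"),
                ("0000.0c07.ac0a", 10, "Gi1/0/5"), ("0000.0c07.ac0a", 10, "Gi1/0/48"),
                ("aabb.ccdd.eeff", 20, "Gi1/0/9")]
SAMPLE_SYSLOG = [
    "Jan 10 12:00:01 sw1 123: %SW_MATM-4-MACFLAP_NOTIFY: Host 0011.2233.4455 in vlan 10 "
    "is flapping between port Gi1/0/7 and port Gi1/0/5",
    "Jan 10 12:00:02 sw1 124: %SW_MATM-4-MACFLAP_NOTIFY: Host 0000.5e00.0101 in vlan 10 "
    "is flapping between port Gi1/0/1 and port Gi1/0/2",
]
```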
Detects the same MAC address active at two or more sites simultaneously. Severity scales with the time gap: under 1 minute = critical (impossible travel / MAC spoofing), 1 hour = high, 6 hours = medium. Virtual MAC protocols and multicast are excluded. Site extraction uses hostname parsing — no hardcoded site names.
Every interface has role-based expectations: access ports allow 1 MAC, voice ports allow 2, trunks 256, uplinks unlimited. Organization baselines can override expected vendor types, maximum MAC counts and known MAC allowlists per interface. Violations are measured against the baseline, not against arbitrary thresholds. Uplinks, etherchannel members, AP trunks and server trunks are automatically excluded from rogue checks.
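The role-based expectations above, together with the benign multi-MAC suppressions described earlier (phone + PC, AP bridge, camera cluster, multi-NIC server), as one added example that is not NetDoctor's rule code: a single port evaluation that applies the role limit, lets a baseline override the limit or allowlist MACs, skips the excluded roles, and downgrades or suppresses recognised patterns before raising severity. The `SeenMac` shape, the baseline keys and the sample ports are this example's assumptions.

```python
"""Added example (not NetDoctor's code): check the MACs seen on one port against its role
expectation, an optional organization baseline (limit override, known-MAC allowlist), the
excluded roles, and the benign multi-MAC patterns that suppress or downgrade a finding."""
from __future__ import annotations
from dataclasses import dataclass

ROLE_MAX_MACS = {"access": 1, "voice": 2, "trunk": 256, "uplink": None}   # None = unlimited
EXCLUDED_ROLES = {"uplink", "etherchannel_member", "ap_trunk", "server_trunk"}

@dataclass(frozen=True)
class SeenMac:
    mac: str            # dotted Cisco notation, e.g. 0011.2233.4455
    device_type: str    # OUI classification: endpoint, phone, camera, wireless_ap, server, network ...

def suppression(macs: list[SeenMac]) -> tuple[str, str] | None:
    """Return (downgraded status, reason) for a recognised benign pattern, else None."""
    n, types = len(macs), [m.device_type for m in macs]
    if n == 2 and sorted(types) == ["endpoint", "phone"]:
        return "info", "phone + PC pair; recommend a voice VLAN"
    if "wireless_ap" in types and n <= 20:
        return "suppressed", "wireless AP in bridge mode with its clients"
    if n >= 2 and types.count("camera") / n >= 0.5:
        return "suppressed", "camera cluster behind a PoE camera switch / NVR uplink"
    addrs = sorted(int(m.mac.replace(".", ""), 16) for m in macs)
    if n >= 2 and len({m.mac[:7] for m in macs}) == 1 and addrs[-1] - addrs[0] < 8:   # mac[:7] = OUI
        return "suppressed", "multi-NIC server: sequential same-OUI MACs within 8 addresses"
    return None

def evaluate_port(role: str, macs: list[SeenMac], baseline: dict | None = None) -> dict:
    baseline = baseline or {}
    if role in EXCLUDED_ROLES:
        return {"status": "skipped", "reason": f"role {role} is excluded from rogue checks"}
    unexpected = [m for m in macs if m.mac not in set(baseline.get("known_macs", []))]
    if "max_mac_count" in baseline:
        limit, source = baseline["max_mac_count"], "baseline"
    else:
        limit, source = ROLE_MAX_MACS.get(role, 1), f"role:{role}"
    evidence = {"limit": limit, "limit_source": source, "macs": [m.mac for m in unexpected]}
    if limit is None or len(unexpected) <= limit:
        return {"status": "ok", **evidence}
    if (s := suppression(unexpected)):
        return {"status": s[0], "reason": s[1], **evidence}
    return {"status": "high", "reason": f"{len(unexpected)} MACs on {role} port, limit {limit}", **evidence}

# Constructed samples: a desk phone with a PC behind it, and a 4-NIC server on an access port.
PHONE_PC = [SeenMac("0011.2233.4455", "endpoint"), SeenMac("0050.5601.0203", "phone")]
SERVER_NICS = [SeenMac(f"0050.5601.020{i}", "server") for i in range(4)]
```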
SSH collects a point-in-time snapshot. Telemetry adds the dimension of time: real-time counters, async events, and change detection that triggers re-analysis automatically.
SNMPv3 authenticated, encrypted polling (SHA authentication + AES-128 privacy) with configurable intervals. Interface counters (64-bit HC), CPU, memory, temperature, fan status, MAC table, ARP table, STP topology, VLANs, CDP/LLDP neighbors, port-security violations — all from standard and Cisco enterprise MIBs.
Async event receiver on UDP 162 / 1162. The device pushes events the moment they happen — no polling delay. Link up/down, cold start, config changes, STP topology changes, port-security violations, err-disable events. SNMPv3 informs with acknowledgement guarantee.
UDP 514, TCP 514 and TLS 6514 receiver. Every switch and firewall already speaks syslog — no agent, no license. 8 severity levels from emergency to debug. Config changes, link events, STP reconvergence, port-security violations, DHCP snooping, ACL hits — all captured, parsed and correlated with device snapshots.
The missing piece between polling and continuous assurance. When a trap or syslog event signals a meaningful change (config saved, link flap, STP reconvergence), NetDoctor automatically triggers a targeted SSH re-collection of the affected artifacts — and re-runs the rule engine. The finding appears in the dashboard within seconds of the event, not at the next scheduled poll.
For IOS-XE 16.10+, NX-OS and IOS-XR: sub-second push-model streaming over HTTP/2 with Protocol Buffers. Interface counters every 1 second, CPU every 5 seconds, routing table changes in real time. No polling overhead, no SNMP limitations. The highest-fidelity data source for modern Cisco platforms.
Structured XML/JSON data over SSH (port 830) and HTTPS (port 443) using YANG models. Atomic reads with candidate configs, operational data stores, and event notifications. The programmatic alternative to CLI scraping — available on IOS-XE, FortiGate, Junos, Arista EOS and most modern platforms.
Design principle: Every telemetry source feeds the same normalized snapshot that powers the rule engine. SSH, SNMP, syslog and future gRPC data all converge into a single deterministic pipeline. No separate dashboards, no data silos — one engine, one truth.
A single typo in configuration mode can take an enterprise offline. That's why the tool has no configuration mode.
Not in the catalog: configure terminal · write, reload, clear, erase, delete, format · debug commands
Before any artifact, finding or snapshot can leave the local perimeter (export, AI prompt, share link), the redactor strips:
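A Cisco-aware redactor of the kind described above, as an added example that is not NetDoctor's own redactor: it blanks the secret value but keeps the statement, so an export still shows what was configured, and it logs the line number and rule that fired so the redaction itself has evidence. The statement patterns, the stanza tracking and the sample running-config are this example's assumptions.

```python
"""Added example (not NetDoctor's redactor): strip secret-bearing values from a Cisco IOS
running-config before it leaves the perimeter, keeping the statement itself so the export still
shows what was configured, and logging line number + rule so the redaction has its own evidence."""
import re

# Assumed patterns: group 1 is kept, group 2 is the secret, optional group 3 is safe trailing text.
SECRET_RULES = [
    ("enable", re.compile(r"^(\s*enable (?:secret|password)(?: \d+)?) (.+)$")),
    ("username", re.compile(r"^(\s*username \S+(?: privilege \d+)? (?:secret|password)(?: \d+)?) (.+)$")),
    ("snmp-community", re.compile(r"^(\s*snmp-server community) (\S+)(.*)$")),
    ("aaa-server-key", re.compile(r"^(\s*(?:tacacs|radius)-server key(?: \d+)?) (.+)$")),
    ("server-block-key", re.compile(r"^(\s+key(?: \d+)?) (.+)$")),   # ' key 7 ...' inside a server stanza
    ("isakmp-key", re.compile(r"^(\s*crypto isakmp key) (\S+)(.*)$")),
    ("key-string", re.compile(r"^(\s*key-string) (.+)$")),
]
REDACTED = "<REDACTED>"

def redact_config(text: str) -> tuple[str, list[tuple[int, str]]]:
    out, log, stanza = [], [], ""
    for no, line in enumerate(text.splitlines(), 1):
        if line and not line[0].isspace():
            stanza = line                      # remember the enclosing top-level stanza
        for name, pat in SECRET_RULES:
            # ' key N ...' is a secret under 'tacacs server' / 'radius server', not in a key chain
            if name == "server-block-key" and not stanza.startswith(("tacacs server", "radius server")):
                continue
            m = pat.match(line)
            if m:
                tail = m.group(3) if pat.groups >= 3 else ""
                line = f"{m.group(1)} {REDACTED}{tail}"
                log.append((no, name))
                break
        out.append(line)
    return "\n".join(out), log

# Constructed running-config excerpt (hashes and keys are made-up values).
SAMPLE_CONFIG = """\
hostname SW1
enable secret 5 $1$abcd$xyz123
username admin privilege 15 secret 9 $9$constructedhash
snmp-server community s3cr3t RO 10
tacacs server ISE1
 address ipv4 10.0.0.5
 key 7 0822455D0A16
key chain OSPF-KEYS
 key 1
  key-string ospfsecret
interface GigabitEthernet1/0/1
"""
```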
Built in order: engine → MAC intelligence → routing → cross-device path → FortiGate → AI explanations. Each phase ships with tests before the next begins.
Python 3.11+ · FastAPI · SQLAlchemy async · Alembic · Scrapli (async SSH) · pyATS-friendly parsers
React 19 · Vite · TanStack Query · Tailwind CSS · TypeScript
PostgreSQL 16 · Redis 7 · Filesystem (gzip artifacts)
Docker Compose · Single-binary friendly · Air-gapped friendly
1 781 unit / integration tests · Golden fixture tests · pytest
Local LLM only · zero data egress · explanations only · never source of truth
No. There is no configuration mode and there are no write commands in the catalog. The platform is read-only by architecture, not by policy.
No. The entire platform - including the optional AI explanation layer - runs locally. No data ever leaves the machine, no external API calls, no telemetry.
Yes. Docker Compose deployment + offline OUI database + offline rule packs. No phone-home telemetry.
Rules read normalized facts, not raw text. Derived facts (interface role, management SVI, stack topology) cap most false-positive sources. Baselines override severities and thresholds at any of 6 layers.
It is explicit: rules that need it are listed under blocked by missing data, with the exact command to collect it. Missing data is never treated as healthy.
Security risk. Sending device configs to a cloud LLM leaks topology, credentials and policy to a third party. NetDoctor uses a local LLM only - nothing leaves the machine. And AI is restricted to plain-language commentary; verdicts always come from deterministic rules with cited evidence.
Today: Cisco IOS / IOS-XE switches (L2 and L3) with full MAC intelligence and rogue device detection. Next: Cisco routers (RIB / BGP / CEF). Then: FortiGate firewalls, Palo Alto, Juniper Junos.
Baseline files: built_in → global → environment → site → role → device. Never hardcoded in source. Every value emitted in evidence cites its baseline layer.
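The six-layer merge with per-rule overrides and a winning source, as an added example that is not NetDoctor's baseline loader: layers are applied lowest to highest, a per-rule override inside a layer beats that layer's plain keys, and every resolved value records which layer (and rule) supplied it. The `{"keys": ..., "rules": ...}` layout, the key names and the sample layers are this example's assumptions.

```python
"""Added example (not NetDoctor's code): merge the six baseline layers in precedence order,
apply per-rule overrides, and record which layer supplied every winning value so a finding
can cite its baseline source."""
from __future__ import annotations
from dataclasses import dataclass

LAYER_ORDER = ("built_in", "global", "environment", "site", "role", "device")   # lowest to highest

@dataclass(frozen=True)
class BaselineValue:
    value: object
    source: str          # layer that won, e.g. "site" or "device:rule:NTP-001"

def resolve_baselines(layers: dict[str, dict], rule_id: str | None = None) -> dict[str, BaselineValue]:
    """layers maps a layer name to {"keys": {...}, "rules": {rule_id: {...}}} (assumed layout).
    A later layer overrides an earlier one; inside a layer, a per-rule override beats the
    plain key. Every winning value carries the layer (and rule) it came from."""
    resolved: dict[str, BaselineValue] = {}
    for layer in LAYER_ORDER:
        data = layers.get(layer) or {}
        for key, val in data.get("keys", {}).items():
            resolved[key] = BaselineValue(val, layer)
        if rule_id:
            for key, val in data.get("rules", {}).get(rule_id, {}).items():
                resolved[key] = BaselineValue(val, f"{layer}:rule:{rule_id}")
    return resolved

def winning_source(layers: dict[str, dict], key: str, rule_id: str | None = None) -> tuple[object, str]:
    """What the UI preview needs: the effective value and the layer that supplies it."""
    b = resolve_baselines(layers, rule_id)[key]
    return b.value, b.source

# Constructed sample layers (environment and role layers deliberately absent).
SAMPLE_LAYERS = {
    "built_in": {"keys": {"ntp.min_servers": 1, "stp.mode": "rapid-pvst", "snmp.version": 3}},
    "global": {"keys": {"ntp.min_servers": 2}},
    "site": {"keys": {"stp.mode": "mst"}, "rules": {"NTP-001": {"severity": "medium"}}},
    "device": {"rules": {"NTP-001": {"ntp.min_servers": 3}}},
}

if __name__ == "__main__":
    for k, v in resolve_baselines(SAMPLE_LAYERS, "NTP-001").items():
        print(f"{k} = {v.value!r}  (from {v.source})")
```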