LXBStudioLLC/TrustNoWire

TrustNoWire

Trust no wire -- including ours. Here's the proof.

Real-time network monitoring and threat detection for Windows. TrustNoWire watches every connection, every byte, and every process on your machine -- then shows you exactly what's happening.

Built with Tauri 2 (Rust backend) and React, it runs as a lightweight desktop app with packet capture, DNS logging, threat scoring, and Authenticode verification of every connecting process. Geo enrichment and VirusTotal scanning are opt-in — by default no remote-IP or file-hash data leaves your machine.

This source code is public so you can verify exactly what it does on your machine. A network monitor you can't audit is a network monitor you shouldn't trust.

Screenshots

[Screenshots: Iron Man, Stealth, Cyberpunk, Light, and Matrix themes, each shown in Expanded, Normal, Compact, Widget, and Settings views.]

Features

  • Live Connection Table -- Every active TCP connection (IPv4) with process name, remote IP, port, country (when geo enabled), and Authenticode signature verification. UDP and IPv6 connection tables are planned for v1.1.
  • Packet Capture -- Real-time bandwidth monitoring via Npcap (IPv4 and IPv6, TCP and UDP). Per-connection byte counters are decoupled from the display so refresh cycles don't drop in-flight increments. Live sparkline graph in the header.
  • DNS Logging -- Captures DNS queries and responses (UDP/53) parsed off the wire, with response IPs and TTLs. Domain → IP cache is bounded (LRU, 10k entries) so long sessions don't leak memory.
  • Threat Scoring -- 0-100 risk score per connection, factoring process trust (Authenticode signer, known-binary allowlist, safe-pairing rules), traffic ratios, port standardness, and hosting-provider reputation keywords.
  • VirusTotal Integration (opt-in) -- Paste an API key in Settings to enable. Auto-scans the binary file (SHA256) of any connection scoring ≥ 30 against VirusTotal's file-reputation database; right-click any connection for an on-demand scan. The API key persists across restarts in %APPDATA%/com.trustnowire.app/secrets.json and can be cleared from Settings.
  • Geo Enrichment (opt-in) -- Disabled by default. Toggle it on in Settings → Capture Engine to look up country, organization, and ASN for each remote IP via ipinfo.io over HTTPS. A 30-day rolling rate limiter caps lookups at 49,000 (free-tier safe) and pauses for an hour if reached.
  • Widget Mode -- Win7-gadget-style micro dashboard (200x290) showing live stats, bandwidth graph, and top threats at a glance
  • System Tray -- Minimize to tray with tooltip, left-click restore, right-click menu
  • 5 Themes -- Iron Man, Stealth, Cyberpunk, Light, Matrix
  • 3 Display Modes -- Compact, Normal, Expanded
  • Frameless Transparent Window -- Custom title bar, draggable, always-on-top option
  • Admin Elevation -- Release builds auto-request Administrator via UAC manifest for full network visibility
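
The DNS Logging feature parses UDP/53 payloads taken straight off the wire, so the parser has to treat every byte as untrusted. The sketch below is an added example, not TrustNoWire's own code: it decodes the header and first question with bounds checks on every read and a cap on compression-pointer jumps. The function names and the sample packet are assumptions made for illustration.

```rust
// Added example, not TrustNoWire source; all names are hypothetical.
/// Decode a possibly compressed name at `pos`; returns (name, offset past it).
fn read_name(msg: &[u8], mut pos: usize) -> Option<(String, usize)> {
    let mut labels: Vec<String> = Vec::new();
    let mut after_ptr: Option<usize> = None; // resume offset after first pointer
    let mut jumps = 0;
    loop {
        let len = *msg.get(pos)? as usize;
        match len & 0xC0 {
            0x00 if len == 0 => { pos += 1; break; } // root label ends the name
            0x00 => {                                // ordinary label
                let label = msg.get(pos + 1..pos + 1 + len)?;
                labels.push(String::from_utf8_lossy(label).into_owned());
                pos += 1 + len;
            }
            0xC0 => {                                // compression pointer
                let lo = *msg.get(pos + 1)? as usize;
                if after_ptr.is_none() { after_ptr = Some(pos + 2); }
                jumps += 1;
                if jumps > 16 { return None; }       // pointer loop guard
                pos = ((len & 0x3F) << 8) | lo;
            }
            _ => return None,                        // reserved label types
        }
    }
    let name = labels.join(".");
    if name.len() > 253 { return None; }             // cap decoded name length
    Some((name, after_ptr.unwrap_or(pos)))
}

/// Parse the header and first question: (is_response, qname, qtype).
pub fn parse_question(msg: &[u8]) -> Option<(bool, String, u16)> {
    if msg.len() < 12 { return None; }               // fixed 12-byte header
    let is_response = msg[2] & 0x80 != 0;            // QR bit
    let qdcount = u16::from_be_bytes([msg[4], msg[5]]);
    if qdcount == 0 { return None; }
    let (name, next) = read_name(msg, 12)?;
    let qtype = u16::from_be_bytes([*msg.get(next)?, *msg.get(next + 1)?]);
    Some((is_response, name, qtype))
}

/// Constructed sample: a query for example.com, type A, class IN.
pub fn sample_query() -> Vec<u8> {
    let mut m = vec![0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0];
    m.extend_from_slice(b"\x07example\x03com\x00\x00\x01\x00\x01");
    m
}

fn main() { println!("{:?}", parse_question(&sample_query())); }
```

A truncated packet or a name whose pointer refers back to itself yields `None` instead of a panic or an endless loop.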

System Requirements

  • Windows 10 or 11 (64-bit)
  • Npcap installed (required for packet capture)
  • Administrator privileges (for raw packet capture and full process visibility)

Building from Source

Prerequisites

  • Rust 1.77.2 or later
  • Node.js 18 or later
  • Npcap SDK -- extract to %USERPROFILE%\npcap-sdk\ (build.rs auto-detects Lib\x64\wpcap.lib)
  • Npcap runtime installed on the machine

Build

cd trustnowire
npm install
npm run tauri build

The MSI installer, NSIS installer (.exe), and standalone executable will be in src-tauri/target/release/bundle/.

Note: use npm run tauri build (the canonical pipeline) for any release rebuild. Plain cargo build --release from src-tauri/ does not always re-trigger the frontend embed step, which can produce a binary that loads localhost:5173 instead of the bundled UI.

Code signing. Official LXB Studio releases are signed via Azure Trusted Signing. The build is wired through bundle.windows.signCommand in tauri.conf.json to invoke Sign-LxbFile.ps1; if AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are present in the build environment, the bundler signs the inner exe, the MSI, and the NSIS installer automatically. Without those env vars, the script no-ops gracefully and the build produces unsigned artifacts — fine for local testing.

Development

npm install
npx tauri dev

Note: tauri dev runs without admin elevation. Some features (raw capture of SYSTEM processes) require running as Administrator.

Optional Setup

Both of these are opt-in. The app is fully functional without either — connection tracking, DNS log, threat scoring, packet capture all keep working.

VirusTotal API Key

  1. Create a free account at virustotal.com and copy your API key from your profile.
  2. Open TrustNoWire → Settings → VirusTotal Auto-Scan, paste the key, click SAVE.
  3. The key is persisted to %APPDATA%/com.trustnowire.app/secrets.json and reloaded on launch. The Settings UI shows "Key saved" but never reveals the value back to the frontend; type a replacement to overwrite, or use CLEAR to remove.
  4. Auto-scan is rate-limited to roughly 4 requests/minute (free-tier-safe) and only fires for connections scoring ≥ 30 on the threat meter. Manual scans (right-click → Scan with VirusTotal) bypass the auto-scan rate limit.

Geo Enrichment

Disabled by default. To enable: Settings → Capture Engine → toggle "Enable geo lookup". When on, every uncached remote IP is sent to ipinfo.io over HTTPS. Disable any time to return to fully offline operation; previously cached country/org data stays available, but no new lookups fire.

MaxMind GeoIP (Offline alternative — feature-gated)

If you'd rather not transmit IPs to ipinfo.io at all, MaxMind's offline databases work as a drop-in replacement (the geoip Cargo feature flag is reserved for this; full wiring is on the v1.1 roadmap):

  1. Download GeoLite2-City.mmdb and GeoLite2-ASN.mmdb from MaxMind
  2. Place them in the app data directory
  3. Build with cargo build --features geoip (frontend still uses the same toggle)

Privacy

TrustNoWire is built on the premise that you should know exactly what your network monitor does with your data. Here's the full picture.

Network capture (Npcap, promiscuous mode)

The packet-capture engine opens the selected adapter in promiscuous mode. On a shared/Wi-Fi network this means the capture sees traffic destined for any device on the same broadcast domain — not just yours. DNS queries from a roommate's laptop on the same Wi-Fi can show up in the DNS log; their bandwidth contributes to the IN/OUT totals. On a switched/wired network this caveat doesn't apply (switches don't forward traffic to ports it isn't destined for).

Captured DNS data lives in memory only: a bounded LRU map (≤ 10,000 IP→hostname entries) plus a recent-queries log (≤ 500 entries). Nothing is written to disk and nothing is transmitted off the machine.
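
The bounded IP→hostname map described here (and in the DNS Logging feature above) can be built from the standard library alone. This is an added example, not TrustNoWire's own code; the `DnsCache` type, its methods, and the sample addresses are assumptions. The README's bound is 10,000 entries; the demo uses 2 so eviction is visible.

```rust
use std::collections::{BTreeMap, HashMap};
use std::net::{IpAddr, Ipv4Addr};

/// Added example, not TrustNoWire source: a bounded IP -> hostname LRU map.
pub struct DnsCache {
    cap: usize,
    tick: u64,                             // use counter, grows on every access
    by_ip: HashMap<IpAddr, (String, u64)>, // ip -> (hostname, last-use tick)
    by_tick: BTreeMap<u64, IpAddr>,        // last-use tick -> ip, oldest first
}

impl DnsCache {
    pub fn new(cap: usize) -> Self {
        Self { cap, tick: 0, by_ip: HashMap::new(), by_tick: BTreeMap::new() }
    }
    pub fn len(&self) -> usize { self.by_ip.len() }

    // Move `ip` to the most-recent position and return its new tick.
    fn touch(&mut self, ip: IpAddr, old_tick: Option<u64>) -> u64 {
        if let Some(t) = old_tick { self.by_tick.remove(&t); }
        self.tick += 1;
        self.by_tick.insert(self.tick, ip);
        self.tick
    }

    /// Record a DNS answer; evicts least recently used entries beyond `cap`.
    pub fn insert(&mut self, ip: IpAddr, host: &str) {
        let old = self.by_ip.get(&ip).map(|e| e.1);
        let t = self.touch(ip, old);
        self.by_ip.insert(ip, (host.to_string(), t));
        while self.by_ip.len() > self.cap {
            let Some((_, victim)) = self.by_tick.pop_first() else { break };
            self.by_ip.remove(&victim);
        }
    }

    /// Hostname for a remote IP, if cached; a hit counts as a use.
    pub fn get(&mut self, ip: IpAddr) -> Option<String> {
        let (host, old) = self.by_ip.get(&ip).map(|e| (e.0.clone(), e.1))?;
        let t = self.touch(ip, Some(old));
        self.by_ip.get_mut(&ip)?.1 = t;
        Some(host)
    }
}

fn main() {
    let ip = |n: u8| IpAddr::V4(Ipv4Addr::new(192, 0, 2, n)); // constructed IPs
    let mut c = DnsCache::new(2); // README bound is 10,000; 2 keeps the demo short
    for n in 1..=3 { c.insert(ip(n), &format!("host{n}.example")); }
    println!("{} entries; host1 evicted: {}", c.len(), c.get(ip(1)).is_none());
}
```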

Geo enrichment (opt-in, HTTPS)

Disabled by default. When enabled in Settings, every uncached remote IP is sent to ipinfo.io over HTTPS to resolve country, organization, and ASN. ipinfo.io will see the list of remote IPs your machine connects to. A 30-day rolling counter caps lookups at 49,000 and pauses for an hour when reached.
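
One way to implement the rolling cap described above (49,000 lookups per 30 days, one-hour pause) is a queue of grant timestamps. This is an added example, not TrustNoWire's own code; the `RollingLimiter` type is hypothetical, and starting the pause at the first refused lookup is an assumption, since the README does not say exactly when the pause begins. Time is passed in as seconds so the behaviour can be checked without waiting.

```rust
use std::collections::VecDeque;

/// Added example, not TrustNoWire source: rolling-window cap with a cool-off.
pub struct RollingLimiter {
    window_secs: u64,
    max_in_window: usize,
    pause_secs: u64,
    stamps: VecDeque<u64>, // times of granted lookups, oldest first
    paused_until: u64,
}

impl RollingLimiter {
    pub fn new(window_secs: u64, max_in_window: usize, pause_secs: u64) -> Self {
        Self { window_secs, max_in_window, pause_secs, stamps: VecDeque::new(), paused_until: 0 }
    }

    /// Limits stated in the README: 49,000 per 30 days, one-hour pause.
    pub fn readme_defaults() -> Self {
        Self::new(30 * 24 * 3_600, 49_000, 3_600)
    }

    /// True if a lookup may be sent at `now` (seconds); records the grant.
    pub fn try_acquire(&mut self, now: u64) -> bool {
        if now < self.paused_until { return false; }
        // Drop grants that have aged out of the rolling window.
        while self.stamps.front().map_or(false, |&t| now.saturating_sub(t) >= self.window_secs) {
            self.stamps.pop_front();
        }
        if self.stamps.len() >= self.max_in_window {
            // Assumption: the pause starts at the first refused lookup.
            self.paused_until = now + self.pause_secs;
            return false;
        }
        self.stamps.push_back(now);
        true
    }
}

fn main() {
    let mut lim = RollingLimiter::readme_defaults();
    let granted = (0..50_000).filter(|_| lim.try_acquire(0)).count();
    println!("granted {granted} of 50000 at t=0");
    println!("allowed at t=3599s: {}", lim.try_acquire(3_599));
    println!("allowed at t=30d:   {}", lim.try_acquire(30 * 24 * 3_600));
}
```

While the limiter refuses, the caller should skip the ipinfo.io request entirely and fall back to cached data, which matches the README's statement that cached country/org data stays available.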

VirusTotal (opt-in, requires your API key)

Disabled until you paste a key into Settings. Once enabled, threat-flagged processes (score ≥ 30) are auto-scanned: TrustNoWire reads the binary, computes its SHA256, and queries https://www.virustotal.com/api/v3/files/{hash}. VirusTotal sees the hash and your API key — never the binary itself, never your IP-level connection data, never the destinations you contact. Your API key persists locally (%APPDATA%/com.trustnowire.app/secrets.json) and never round-trips back to the frontend.

What we don't do

  • No telemetry. No analytics calls. No crash-reporting beacon. No first-run "phone home".
  • No auto-update channel. Updates are manual — re-download a signed installer.
  • No ads, no tracking pixels, no third-party SDKs. The only network calls TrustNoWire makes on its own are the two opt-in lookups documented above. Everything else you see in the connection list is traffic your other apps generated, which is the whole point.

The two opt-in network calls are the only routes by which any data leaves your machine. Verify it yourself — both call sites are at src-tauri/src/intel/geoip.rs and src-tauri/src/intel/virustotal.rs.

Architecture

src-tauri/src/
  analysis/     -- DNS parsing, process resolution (sysinfo + WMI fallback),
                   threat scoring. tls.rs is a stub (JA3 fingerprinting on the
                   v1.1 roadmap).
  capture/      -- Npcap packet capture (IPv4 + IPv6, TCP + UDP). diff.rs queries
                   the OS connection table (TCP/IPv4 only today; UDP and IPv6
                   tables on the v1.1 roadmap). etw.rs is a stub.
  intel/        -- GeoIP via ipinfo.io HTTPS, VirusTotal v3 client. asn.rs and
                   reputation.rs are stubs (offline ASN + IP reputation feeds
                   on the v1.1 roadmap).
  models/       -- Connection, DnsEntry, ProcessInfo data structures
  commands.rs   -- Tauri IPC command handlers
  state.rs      -- Shared application state (atomic counters, LRU caches,
                   connection table, traffic counters decoupled from display)
  lib.rs        -- App setup, system tray, persistent-store init,
                   refresh-thread bootstrap

src/
  components/   -- React UI components (Header, ConnectionList, ThreatLog, etc.)
  hooks/        -- Data polling hooks (useConnections, useBandwidth, useDns)
  utils/        -- Threat scoring, byte formatting, country codes
  themes/       -- 5 color themes

See CHANGELOG.md for the per-release breakdown.

License

TrustNoWire is source-available under the Business Source License 1.1.

You can read, audit, and build the code for personal use. The license converts to MIT on 2030-02-09. See LICENSE.md for full terms.

Author

Win 10/11 exe/msi installers @ TrustNoWire

Built by LXB Studio LLC
