manbo/WTFnet
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
7f6ee839b2d28ffda2df8ef17123e03f8779109e
WTFnet/README.md
DaZuo0122 cfa96bde08 Add: dns leak detection
2026-01-17 18:45:24 +08:00

7.0 KiB
Raw Blame History

WTFnet

WTFnet is a pure CLI toolbox for diagnosing network problems on Linux and Windows.

Highlights

  • System snapshot: interfaces, IPs, routes, DNS config.
  • Ports, neighbors, and trusted root certificates.
  • Probing: ping, tcping, traceroute (best-effort).
  • DNS: query/detect/watch with GeoIP, DoT/DoH, and SOCKS5 support.
  • DNS leak detection with policy profiles and privacy modes (best-effort).
  • GeoIP offline lookup via GeoLite2 Country/ASN.
  • Subnet calculator: subnet/contains/overlap/summarize.
  • Discover: mDNS/SSDP plus LLMNR/NBNS.

Quickstart

cargo run -p wtfnet-cli -- sys ifaces
cargo run -p wtfnet-cli -- dns query example.com A
cargo run -p wtfnet-cli -- calc subnet 192.168.1.10 255.255.255.0

Usage examples

# System snapshot
wtfn sys ifaces
wtfn sys ip --all
wtfn sys route --ipv4
wtfn sys dns

# Ports and neighbors
wtfn ports listen --tcp
wtfn ports who 443
wtfn neigh list --ipv6

# GeoIP and probing
wtfn geoip lookup 8.8.8.8
wtfn probe ping example.com --count 4
wtfn probe tcping example.com:443 --count 4
wtfn probe tcping example.com:443 --socks5 socks5://127.0.0.1:9909
wtfn probe trace example.com:443 --max-hops 20

# DNS
wtfn dns query example.com A
wtfn dns query example.com AAAA --server 1.1.1.1
wtfn dns query example.com A --transport doh --server 1.1.1.1 --tls-name cloudflare-dns.com
wtfn dns query example.com A --transport dot --server 1.1.1.1 --tls-name cloudflare-dns.com --socks5 socks5://127.0.0.1:9909
wtfn dns detect example.com --transport doh --servers 1.1.1.1 --tls-name cloudflare-dns.com
wtfn dns watch --duration 10s --filter example.com
wtfn dns leak status
wtfn dns leak watch --duration 10s --profile proxy-stub
wtfn dns leak report report.json

# TLS
wtfn tls handshake example.com:443
wtfn tls handshake example.com:443 --socks5 socks5://127.0.0.1:9909
wtfn tls cert example.com:443
wtfn tls verify example.com:443
wtfn tls alpn example.com:443 --alpn h2,http/1.1

# Discover
wtfn discover mdns --duration 3s
wtfn discover ssdp --duration 3s
wtfn discover llmnr --duration 3s
wtfn discover nbns --duration 3s

# Diag
wtfn diag --out report.json --json
wtfn diag --bundle report.zip

# Calc
wtfn calc contains 192.168.0.0/16 192.168.1.0/24
wtfn calc overlap 10.0.0.0/24 10.0.1.0/24
wtfn calc summarize 10.0.0.0/24 10.0.1.0/24

Supported flags

Global flags:

  • --json / --pretty
  • --no-color / --quiet
  • -v / -vv / --verbose
  • --log-level <error|warn|info|debug|trace>
  • --log-format <text|json>
  • --log-file <path>
  • NETTOOL_LOG_FILTER or RUST_LOG can override log filters (ex: maxminddb::decoder=debug)

Command flags (implemented):

  • sys ip: --all, --iface <name>
  • sys route: --ipv4, --ipv6, --to <ip>
  • ports listen: --tcp, --udp, --port <n>
  • neigh list: --ipv4, --ipv6, --iface <name>
  • ports conns: --top <n>, --by-process
  • cert baseline: <path>
  • cert diff: <path>
  • probe ping: --count <n>, --timeout-ms <n>, --interval-ms <n>, --no-geoip
  • probe tcping: --count <n>, --timeout-ms <n>, --socks5 <url>, --prefer-ipv4, --no-geoip
  • probe trace: --max-hops <n>, --per-hop <n>, --timeout-ms <n>, --udp, --port <n>, --rdns, --no-geoip
  • dns query: --server <ip[:port]>, --transport <udp|tcp|dot|doh>, --tls-name <name>, --socks5 <url>, --prefer-ipv4, --timeout-ms <n>
  • dns detect: --servers <csv>, --transport <udp|tcp|dot|doh>, --tls-name <name>, --socks5 <url>, --prefer-ipv4, --repeat <n>, --timeout-ms <n>
  • dns watch: --duration <Ns|Nms>, --iface <name>, --filter <pattern>
  • dns leak status: --profile <full-tunnel|proxy-stub|split>, --policy <path>
  • dns leak watch: --duration <Ns|Nms>, --iface <name>, --profile <full-tunnel|proxy-stub|split>, --policy <path>, --privacy <full|redacted|minimal>, --out <path>, --summary-only
  • dns leak watch: --iface-diag (prints capture-capable interfaces)
  • dns leak report: <path>, --privacy <full|redacted|minimal>
  • http head|get: --timeout-ms <n>, --follow-redirects <n>, --show-headers, --show-body, --max-body-bytes <n>, --http1-only, --http2-only, --http3 (feature http3), --http3-only (feature http3), --geoip, --socks5 <url>
  • tls handshake|cert|verify|alpn: --sni <name>, --alpn <csv>, --timeout-ms <n>, --insecure, --socks5 <url>, --prefer-ipv4, --show-extensions, --ocsp
  • discover mdns: --duration <Ns|Nms>, --service <type>
  • discover ssdp: --duration <Ns|Nms>
  • discover llmnr: --duration <Ns|Nms>, --name <host>
  • discover nbns: --duration <Ns|Nms>
  • diag: --out <path>, --bundle <path>, --dns-detect <domain>, --dns-timeout-ms <n>, --dns-repeat <n>

GeoIP data files

GeoLite2 mmdb files should live in data/. Lookup order:

  1. NETTOOL_GEOIP_COUNTRY_DB / NETTOOL_GEOIP_ASN_DB
  2. data/ next to the CLI binary
  3. data/ in the current working directory

Build and package

cmake -S . -B build
cmake --build build
cmake --build build --target package

Install:

cmake --build build --target install

HTTP/3 (experimental)

HTTP/3 support is feature-gated and incomplete. Do not enable it in production builds yet.

To enable locally for testing:

cargo run -p wtfnet-cli --features wtfnet-http/http3 -- http head https://cloudflare-quic.com --http3

Roadmap

v0.1 (MVP)

  • sys: ifaces/ip/route/dns
  • ports: listen/who
  • probe: ping + tcping
  • calc: subnet/contains/overlap
  • basic logging + --json everywhere

v0.2 (current requirements)

  • dns: query + detect + watch (best-effort)
  • geoip: local Country+ASN mmdb integration
  • http: head/get (HTTP/2 required; HTTP/3 best-effort optional)
  • tls: handshake/verify/cert/alpn
  • neigh: ARP/NDP snapshot
  • discover: mdns + ssdp (bounded)
  • diag: bundle export (zip)

v0.3 (future upgrades)

  • richer trace output (reverse lookup, per-hop loss, per-hop stats)
  • HTTP timing accuracy (connect/tls)
  • TLS extras: OCSP stapling indicator, richer cert parsing
  • ports conns improvements (top talkers / summary)
  • better baseline/diff for system roots
  • optional LLMNR/NBNS discovery
  • optional HTTP/3 (feature-gated; experimental, incomplete)

v0.4 (current requirements)

  • dns leak detection (passive watch + report)
  • process attribution (best-effort)
  • policy profiles + privacy modes

Current stage

Implemented:

  • Core CLI with JSON output and logging.
  • sys, ports, neigh, cert roots.
  • geoip, probe, dns query/detect/watch.
  • http head/get with timing and GeoIP.
  • tls handshake/verify/cert/alpn.
  • DoT/DoH + SOCKS5 proxy support.
  • discover mdns/ssdp/llmnr/nbns.
  • dns leak detection (status/watch/report).
  • diag report + bundle.
  • calc subcrate with subnet/contains/overlap/summarize.
  • CMake/Makefile build + package + install targets.
  • Basic unit tests for calc and TLS parsing.

In progress:

  • dns leak: DoH heuristic classification (optional).
  • dns leak: Leak-D mismatch correlation (optional).

See docs/implementation_status.md for a design-vs-implementation view.

License

MIT (see LICENSE).

Reference in New Issue View Git Blame Copy Permalink