EtherApe: Visual Traffic Maps for When You Need to See the Flow
What Is It?
EtherApe is a real-time network visualization tool built for admins who want to see what’s happening across the wire — not just read about it. It creates live, animated maps of network traffic, showing which nodes are talking, how much, and over which protocols.
It’s inspired by tools like etherman, but modernized for today’s Linux environments. Interfaces light up with color-coded flows, and node size reflects current load. It’s not a full packet analyzer — it’s about visual context. Who’s chatting with who, how often, and using what. If you’re diagnosing chatterstorms, suspicious broadcasts, or just trying to make sense of a noisy VLAN — EtherApe makes it visible.
Key Features
Feature | Why It’s Useful in Practice |
Live Traffic Graphs | Real-time node and link display, with animated flows |
Protocol Decoding | Shows traffic by layer (IP, TCP, UDP, ARP, etc.) |
Color-Coded Visualization | Different colors for different protocols — instantly readable |
Interface Selection | Choose exactly which NIC to listen on |
Packet Capture Filters | Supports BPF filters (like tcpdump) to narrow focus |
IPv6 Support | Modern stack compatibility out of the box |
Rootless Mode (Limited) | Can run without root using setcap for limited capture ability |
Export Options | Save snapshots as images or export data to XML |
How It Works
Under the hood, EtherApe uses libpcap to sniff packets from a selected network interface. It parses headers to extract source/destination IPs, port numbers, and protocol types. This data is then turned into a visual graph — nodes represent hosts, lines represent active flows, and the thickness of the line shows how much data is moving.
Everything is updated in near real-time. Nodes grow or shrink depending on how active they are. Protocols show up in different colors, so HTTP looks different from DNS, which looks different from SSH. You can pause the graph, clear the data, or zoom in on specific flows.
Unlike tools like Wireshark, EtherApe doesn’t show payloads or decode application data. It’s built for visual network awareness, not forensic analysis.
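The header-to-graph step described above, as an added sketch that is not EtherApe's own code: it reads Ethernet II/IPv4 headers and sums bytes per link and per node, the numbers that would drive line thickness and node size. The frames are constructed, and the function names and the choice to label flows by destination port are assumptions made for this example.

```python
import struct
from collections import Counter

L4_NAMES = {6: "TCP", 17: "UDP"}

def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, label) for an Ethernet II/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                          # ARP, IPv6, runts: skipped in this sketch
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
    if frame[14] >> 4 != 4 or ihl < 20:
        return None                          # malformed IPv4 header
    proto = frame[23]
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    l4 = 14 + ihl
    if proto not in L4_NAMES or len(frame) < l4 + 4:
        return src, dst, f"IP/{proto}"       # no ports to read
    dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return src, dst, f"{L4_NAMES[proto]}/{dport}"

def build_graph(frames):
    """Sum frame bytes per directed link (src, dst, label) and per node."""
    links, nodes = Counter(), Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            links[parsed] += len(frame)      # link thickness
            nodes[parsed[0]] += len(frame)   # node size counts sent bytes...
            nodes[parsed[1]] += len(frame)   # ...and received bytes
    return links, nodes

def make_frame(src, dst, proto, dport, payload_len):
    """Constructed test frame: Ethernet II + IPv4 + 4 port bytes + zero payload."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    l4 = struct.pack("!HH", 40000, dport) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4

SAMPLE_FRAMES = [                            # constructed traffic, not a real capture
    make_frame("10.0.0.5", "10.0.0.1", 17, 53, 30),
    make_frame("10.0.0.5", "10.0.0.20", 6, 22, 100),
    make_frame("10.0.0.5", "10.0.0.20", 6, 22, 200),
    bytes(12) + b"\x08\x06" + bytes(28),     # ARP frame, ignored by parse_frame
]

if __name__ == "__main__":
    for link, size in build_graph(SAMPLE_FRAMES)[0].most_common():
        print(*link, size)
```

Only headers are read, which matches the tool's scope: the output says who talks to whom and how much, never what was said.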
Installation (Debian/Ubuntu)
sudo apt update
sudo apt install etherape
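To run it with capture permissions (without sudo), grant the capture capabilities to the binary itself. File capabilities apply to every local user who can execute that binary, so anyone able to run it can then capture traffic on the host. The path must match where your package installs the binary: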
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/etherape
etherape
Or run it with full root rights:
sudo etherape
Other distributions (Fedora, Arch) have EtherApe in their standard repos. It’s a GTK application, so a desktop environment is required.
Where It Makes a Difference
– Tracing sudden traffic spikes across a subnet visually, rather than by log
– Spotting unexpected hosts talking over unknown ports
– Demonstrating broadcast storms or loop issues to non-technical stakeholders
– Validating VLAN segmentation (who sees who?)
– Creating visual snapshots for documentation or incident reports
Compared to Similar Tools
Tool | What It Does | EtherApe’s Niche |
Wireshark | Deep packet inspection | EtherApe offers visual flow context instead |
ntopng | Web-based analytics and flow stats | EtherApe is local, fast, and more visual |
Netdiscover | ARP-based live host discovery | EtherApe adds protocol and volume information |
EtherAreal | Similar idea, less maintained | EtherApe is stable, active, and more flexible |
Worth Knowing
EtherApe isn’t meant to replace full-blown analyzers. It won’t decrypt SSL or tell you who clicked what. But in noisy networks — especially those without centralized monitoring — it gives immediate, intuitive insight into flow patterns and node activity.
Sometimes, when you’re staring at walls of logs and nothing makes sense, a moving graph can give you that missing piece. And when a switch lights up for no reason? EtherApe helps you find out why.