StealthShark
Silent Network Capture You Actually Control
Always-on packet capture that runs silently in the background across every network interface. Real-time gzip compression, automatic session archiving, and near-zero resource usage. No cloud, no subscriptions, no performance impact.
Why StealthShark is Different
Purpose-built for always-on background capture with maximum efficiency and zero overhead
Real-Time Compression
Captures pipe through gzip in real-time, reducing disk usage by ~84%. A 672 MB raw session becomes 107 MB compressed—automatically.
Multi-Interface Capture
Monitors every network interface simultaneously—Ethernet, VPN, loopback, firewall, AirDrop—each with its own organized capture stream.
Auto-Archiving
Older sessions are automatically compressed into .tar.gz archives. 7-day retention with automatic cleanup. Set it and forget it.
Near-Zero Footprint
~2 MB RAM per interface. 0% CPU. Runs for days without memory growth. Wireshark uses 2–8 GB for the same capture on a single interface.
StealthShark vs Wireshark
Different tools for different jobs—here's how they compare for packet capture efficiency
| Metric | 🦈 StealthShark | 🔬 Wireshark |
|---|---|---|
| RAM per Capture | ~2.2 MB per interface | 500 MB – 8 GB (grows with packets) |
| CPU Usage | ~0% (raw write, no dissection) | 5–30% (real-time protocol parsing) |
| Disk Format | .pcap.gz (gzip compressed, real-time) | .pcapng (uncompressed by default) |
| Compression | ~84% reduction (live gzip) | None during capture |
| Multi-Interface | Independent per-interface captures | Single interface or merged “all” |
| Background Mode | Headless daemon, always-on | Requires open GUI window |
| Max Duration | Hours/days (disk-limited only) | Limited by available RAM |
| Packet Analysis | None (capture only) | 3000+ protocol dissectors |
| Live Filtering | Capture-only (no display filters) | Full BPF + display filter engine |
| Crash Recovery | Auto session restore every 30s | Partial (pcap survives, UI state lost) |
Choose Your Setup
Start with the GUI for easy monitoring—or run headless for always-on background capture
Multi-Interface GUI
Full-featured dark-themed monitoring dashboard with real-time stats, session recovery, and one-click capture.
- Real-time gzip-compressed .pcap.gz captures
- Monitor all interfaces simultaneously
- Live packet rate and bandwidth stats
- Auto-archiving of old sessions to .tar.gz
- Crash recovery with 30-second state saves
- Organized session directories by interface group
- Dark-themed professional PyQt6 interface
- 7-day automatic archive cleanup
Persistent Monitor Daemon
Command-line background service for servers, headless systems, and always-on deployments. No GUI required.
- All GUI capture features (compressed, multi-interface)
- Runs as background daemon process
- Configurable duration (30s to 6 hours per session)
- Automatic interface discovery via tshark + psutil
- New interface detection and auto-capture
- macOS desktop alert notifications
- JSON status reports and comprehensive logging
- Signal-safe graceful shutdown
NFC Combined Edition
StealthShark integrated with NFC authentication for physical-token-secured capture sessions.
- All Persistent Monitor features
- NFC tag authentication to start/stop captures
- Physical security token for capture authorization
- Extended interface group classification
- Combined monitoring and NFC management GUI
- Ideal for high-security environments
Recommended Workflow
Use StealthShark and Wireshark together for complete network security coverage
StealthShark Captures
Runs 24/7 in the background, silently capturing compressed pcaps across all interfaces with near-zero resource usage.
Incident Detected
Suspicious activity flagged by alerts, IDS, or manual observation. Identify the relevant time window and interface.
Wireshark Analyzes
Open the .pcap.gz file directly in Wireshark. Apply filters, inspect protocols, trace the full attack chain.
Report & Respond
Use Wireshark's export and statistics to build forensic evidence. StealthShark keeps capturing throughout.
Support
We're here to help
Frequently Asked Questions
StealthShark captures raw network packets on every active interface using tcpdump under the hood. The output is standard .pcap format compressed with gzip (.pcap.gz), which can be opened directly in Wireshark, tshark, or any pcap-compatible tool.
StealthShark is currently built and tested for macOS. It uses tcpdump (pre-installed on macOS and Linux) and psutil for cross-platform interface discovery. Linux support works with minimal changes. Windows support would require WinPcap/Npcap.
With real-time gzip compression, StealthShark uses approximately 84% less disk space than uncompressed pcap. A typical hour of capture across all interfaces uses 50–200 MB compressed. Old sessions are automatically archived and cleaned up after 7 days.
No. StealthShark uses approximately 2 MB of RAM per interface and effectively 0% CPU. Even with 11 simultaneous captures running, total memory usage is under 25 MB. Compare this to Wireshark which typically uses 500 MB–8 GB for a single interface capture.
Yes! Wireshark natively supports .pcap.gz files. Just drag and drop or use File → Open. No decompression needed—Wireshark handles it automatically.
Packet capture on most interfaces requires elevated permissions. StealthShark automatically tries direct tcpdump first (works if ChmodBPF is installed), then falls back to sudo. Loopback (lo0) capture works without sudo on macOS.
No. StealthShark operates 100% offline. No cloud storage, no external servers, no accounts, no analytics, no data collection. Everything stays on your local disk.
The GUI saves session state every 30 seconds. On restart, it detects the previous session and offers to restore your settings and resume monitoring. Pcap files written before the crash are preserved and valid.
