Belt progression

Level up your digital defense skills!

Black belt does not mean more buttons. It means you can explain the evidence, operate the tool safely, preserve proof, and teach the next person what happened.

Application-aware visibility

Live Traffic Sensemaking

Use Windows Packet Monitor evidence to see which app is talking, where it is talking, and what the traffic means.

WireTuna

A Windows-first desktop network visibility app described as 'Wireshark for normal humans,' using Windows Packet Monitor instead of Npcap for native capture.

  1. White Belt

    Select the signal

    Choose the right adapter and understand what WireTuna can capture with Windows Packet Monitor.

  2. Yellow Belt

    Read the flow

    Explain app, destination, protocol, meaning, activity, and risk before deciding whether anything should be blocked.

  3. Green Belt

    Focus the noise

    Use unknown activity, protocol filters, search, and needs-review views to isolate useful evidence.

  4. Brown Belt

    Inspect the proof

    Open packet details, use ownership lookup, and export CSV evidence for a selected flow.

  5. Black Belt

    Build an evidence packet

    Tell the full story of a suspicious Windows connection from adapter to app to destination to proof.

Connection mapping

Live Connection Cartography

Use a live browser graph to map IP nodes, MAC addresses, protocol-colored links, and chatty devices.

NetView

A self-contained Go network traffic visualization tool that runs locally, opens a browser dashboard on a random localhost port, and exports graph/session data.

  1. White Belt

    Start the map

    Install Npcap, run NetView as Administrator, and open the local dashboard URL.

  2. Yellow Belt

    Identify nodes

    Use IP nodes, protocol-colored links, and MAC hover details to identify devices.

  3. Green Belt

    Find the talkers

    Use the source-grouped side panel and packet counts to locate chatty systems.

  4. Brown Belt

    Narrow the view

    Search for an IP, reset the graph when needed, and compare fresh capture sessions.

  5. Black Belt

    Export the baseline

    Produce JSON, CSV, or PNG evidence that explains the current network relationship map.

Network health

Signal Path Diagnosis

Use continuous ping metrics and traceroute mapping to understand connection health and route behavior.

NetEye

A high-performance single-file network diagnostic tool that streams latency, packet loss, jitter, uptime, and traceroute data through a local web UI.

  1. White Belt

    Ping with purpose

    Start a continuous ping and read latency, loss, jitter, and uptime as separate signals.

  2. Yellow Belt

    Spot instability

    Recognize when jitter, loss, or uptime changes explain user-facing network pain.

  3. Green Belt

    Trace the route

    Run traceroute and inspect hop IP, latency, location or reverse DNS, and timeout alerts.

  4. Brown Belt

    Preserve the record

    Export CSV ping history and document slow or timing-out route segments.

  5. Black Belt

    Diagnose the path

    Separate local, route, and remote-host problems using NetEye evidence instead of guesses.

Deception and enforcement

Trust-Scored Mesh Defense

Use honeypot traps, JA4-first fingerprints, eBPF/XDP bans, and opt-in trusted mesh sharing.

HoneyMesh

A distributed defense platform with local traps, JA4-first fingerprinting, persistent bans, secure dashboard/API, Pro-only HoneyMesh Exchange, and explicit trusted mesh participation.

  1. White Belt

    Observe safely

    Run HoneyMesh in TEST mode and read trap, scan, JA4, JA3, and active-ban evidence.

  2. Yellow Belt

    Understand enforcement

    Know what changes once XDP/eBPF bans drop matching packets at the driver, before they ever reach the normal network stack.

  3. Green Belt

    Control the ban

    Use BLOCK, ALLOW, WHITELIST, RELEASE, EXTEND, and PERMANENT with intent.

  4. Brown Belt

    Trust the peer carefully

    Use Exchange discovery, temporary invites, and BTL trust levels without automatic blind trust.

  5. Black Belt

    Defend as a mesh

    Operate Pro sharing with signed, replay-checked, rate-limited intelligence and explicit operator control.

Data protection

Megakey Vault Operations

Use AES-256-GCM, Argon2id, Megakey recovery, RBAC, and Sentinel mode for local-first secure storage.

IronClad Vault

A zero-trust secure storage system for sensitive IP, legal, healthcare, and enterprise documents with classification levels and emergency Megakey recovery.

  1. White Belt

    Create the vault

    Initialize IronClad Vault, create the admin account, and store recovery_megakey.bin somewhere other than the vault machine.

  2. Yellow Belt

    Classify files

    Use Public, Internal, Secret, and Top Secret levels correctly during import.

  3. Green Belt

    Shape access

    Create users, assign Admin or Viewer roles, and set maximum clearance levels.

  4. Brown Belt

    Unlock Sentinel

    Use the Megakey to unlock Sentinel mode and understand when the master key is held in RAM.

  5. Black Belt

    Recover without panic

    Prove emergency recovery, password reset, export, and secure delete before production reliance.

Secure exchange

Direct Encrypted Exchange

Use a direct encrypted host/client connection for chat and file transfer without third-party servers.

P2P Chat

A simple encrypted P2P connection workflow using host/listener and client roles, a shared generated key, and a dedicated p2pchat_files folder for transfers.

  1. White Belt

    Prepare the handshake

    Choose Host or Client, select the same encryption type on both sides, and generate the shared key.

  2. Yellow Belt

    Connect cleanly

    Use the correct host IP, port, encryption type, and exact key to establish the session.

  3. Green Belt

    Respect the file boundary

    Stage sendable files inside p2pchat_files and keep transfers inside that folder.

  4. Brown Belt

    Move multiple files

    Use /send for one or more filenames and confirm they arrive in the peer folder.

  5. Black Belt

    Exchange without a middleman

    Run a direct encrypted transfer workflow with no third-party server and clear out-of-band key handling.

Lessons

Operator training paths

Each lesson ties the dojo idea to the actual application behavior: what the tool observes, what the app requires, when to use it, and what proof an operator should preserve.

Application-aware visibility

Live Traffic Sensemaking

WireTuna

WireTuna shows which Windows app is talking, where it is talking, which protocol is involved, and what the flow likely means.

Use When

  • You need to understand unknown Windows traffic
  • You want a friendlier alternative to raw packet tables
  • You need packet detail, ownership lookup, ping, or traceroute from one desktop tool

Observed Signals

  • Selected adapter traffic
  • App/process attribution
  • Destinations and protocols
  • Bandwidth ownership and alerts

Requirements

  • Windows
  • Administrator elevation for Packet Monitor
  • .NET desktop runtime in development builds
  • Valid offline license for live capture outside Community limits

Tool And Operator Notes

  • Uses Windows Packet Monitor with selected-adapter TCP/IP targeting.
  • Includes quick filters, natural-language search, unknown activity focus, CSV packet export, and RDAP ownership lookup.
  • Licensing is offline and node-locked using signed Ed25519 license files.

Next Practice

Choose the adapter, use Unknown Activity or protocol filters, open flow details, and save evidence before blocking.

Connection mapping

Live Connection Cartography

NetView

NetView captures packets on a selected adapter and draws a live graph of IP nodes, links, protocol colors, MAC addresses, and active connection groups.

Use When

  • You want a live visual map of adapter traffic
  • You need to identify a chatty source device
  • You need JSON, CSV, or PNG export of the current session

Observed Signals

  • Unique IP nodes
  • Active sessions
  • Protocol-colored links
  • Packet counts grouped by source IP

Requirements

  • Windows
  • Npcap driver from the Nmap Project
  • Administrator Command Prompt or PowerShell
  • Modern browser

Tool And Operator Notes

  • Nodes represent IP addresses; links represent active communication sessions.
  • Hovering over a node shows IP and MAC address for device identification.
  • Controls include adapter switching, IP search, reset graph, and JSON/CSV/PNG export.

Next Practice

Install Npcap, run NetView.exe as Administrator, open the printed localhost URL, and inspect graph nodes plus the source-grouped side panel.

Network health

Signal Path Diagnosis

NetEye

NetEye helps operators measure connection health with live ping metrics and route analysis from a clean web interface.

Use When

  • Calls or streams are unstable
  • You need proof of packet loss or jitter
  • You want to map the path to a host and flag slow hops

Observed Signals

  • Round-trip time
  • Packet loss
  • Jitter
  • Uptime
  • Traceroute hops and timeout alerts

Requirements

  • Windows
  • Npcap driver
  • Administrator Command Prompt or PowerShell
  • Modern browser

Tool And Operator Notes

  • Smart Dashboard runs continuous pings every second.
  • Traceroute Analyzer maps hops, latency, reverse DNS or GeoIP context, and timeout/latency alerts.
  • Advanced endpoints include /ws/ping and /api/traceroute?target=IP/Host.

Next Practice

Run NetEye.exe as Administrator, open the localhost dashboard, start with continuous ping, then trace the target if latency or loss appears.
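Added example, not NetEye's code: the Go program below computes the four signals the White Belt step asks you to read separately from a constructed 20-second ping trace, so the difference between them is visible. An isolated dropped reply raises loss but not downtime, while a run of three or more losses counts as an outage. The three-loss threshold, the jitter definition (mean absolute change between consecutive replies) and the flag thresholds are this example's choices, not NetEye's.

```go
package main

import (
	"fmt"
	"math"
)

// Sample is one probe from a continuous 1-second ping.
type Sample struct {
	Seq   int
	RTTms float64 // meaningless when Lost is true
	Lost  bool
}

// Health keeps the page's four signals apart: latency, loss, jitter, uptime.
type Health struct {
	Sent, Lost             int
	LossPct                float64
	MinRTT, AvgRTT, MaxRTT float64
	Jitter                 float64 // mean |RTT[i]-RTT[i-1]| over consecutive replies
	UptimePct              float64 // time outside outages
	LongestLossRun         int     // consecutive lost probes (seconds at 1/s)
}

// outageRun: this many consecutive losses count as downtime rather than
// isolated loss. Threshold chosen for this example.
const outageRun = 3

// Demo is a constructed 20-second trace: an isolated drop at seq 3, an RTT
// spike at seq 5 and a four-second outage at seq 7-10. Not real NetEye data.
var Demo = func() []Sample {
	rtt := []float64{20, 22, -1, 21, 80, 20, -1, -1, -1, -1, 23, 21, 20, 22, 21, 20, 19, 21, 20, 22}
	s := make([]Sample, len(rtt))
	for i, r := range rtt {
		s[i] = Sample{Seq: i + 1, RTTms: r, Lost: r < 0}
	}
	return s
}()

// Analyze turns a probe series into the separate signals.
func Analyze(samples []Sample) Health {
	h := Health{Sent: len(samples)}
	if h.Sent == 0 {
		return h
	}
	var sum, jitterSum, prev float64
	replies, diffs, run, downtime := 0, 0, 0, 0
	for _, s := range samples {
		if s.Lost {
			h.Lost++
			run++
			if run == outageRun {
				downtime += outageRun // the run just became an outage
			} else if run > outageRun {
				downtime++
			}
			if run > h.LongestLossRun {
				h.LongestLossRun = run
			}
			continue
		}
		run = 0
		if replies > 0 {
			jitterSum += math.Abs(s.RTTms - prev)
			diffs++
			h.MinRTT = math.Min(h.MinRTT, s.RTTms)
			h.MaxRTT = math.Max(h.MaxRTT, s.RTTms)
		} else {
			h.MinRTT, h.MaxRTT = s.RTTms, s.RTTms
		}
		replies++
		sum += s.RTTms
		prev = s.RTTms
	}
	h.LossPct = 100 * float64(h.Lost) / float64(h.Sent)
	h.UptimePct = 100 * float64(h.Sent-downtime) / float64(h.Sent)
	if replies > 0 {
		h.AvgRTT = sum / float64(replies)
	}
	if diffs > 0 {
		h.Jitter = jitterSum / float64(diffs)
	}
	return h
}

// Flags names which signals are off. Thresholds are assumptions.
func Flags(h Health) []string {
	var f []string
	if h.LossPct > 1 {
		f = append(f, "loss")
	}
	if h.Jitter > 5 {
		f = append(f, "jitter")
	}
	if h.UptimePct < 100 {
		f = append(f, "outage")
	}
	return f
}

func main() {
	h := Analyze(Demo)
	fmt.Printf("%+v\nflags: %v\n", h, Flags(h))
}
```

On the constructed trace the loss figure is 25% but uptime is 80%: the single drop at seq 3 counts as loss only, the four-second run counts as downtime. Reporting both is what lets you tell a flaky link from one that goes away entirely.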

Deception and enforcement

Trust-Scored Mesh Defense

HoneyMesh

HoneyMesh detects hostile activity with traps and analytics, can drop banned traffic at kernel speed with XDP/eBPF, and optionally shares signed intelligence with trusted Pro peers.

Use When

  • You need Linux-side detection and enforcement
  • You want local protection that keeps working without a central controller
  • You want opt-in shared defense across trusted networks

Observed Signals

  • Honeypot trap activity
  • Port scans
  • JA4 and legacy JA3 TLS fingerprints
  • Payload entropy and pattern scores
  • Active bans

Requirements

  • Linux kernel 5.4+
  • Root privileges for XDP and BPF maps
  • Go 1.21+ if building from source
  • HTTPS certificates for non-lab dashboard/API use

Tool And Operator Notes

  • Modes include TEST, ENFORCE, and LOCKDOWN.
  • Shared defense is Pro-only, disabled by default, and requires explicit operator opt-in.
  • Trusted peers use BTL levels L0 observe, L1 corroborated, L2 immediate enforcement, and L3 authoritative override.

Next Practice

Start in TEST mode, review the Live Threat Stream, then move selected interfaces and bans into ENFORCE only after allowlists and trust levels are understood.
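The Brown Belt step "Trust the peer carefully" and the Black Belt step "Defend as a mesh" both come down to one receive path. The Go program below is an added example written for this page, not HoneyMesh's code: it shows what "signed, replay-checked, rate-limited" intelligence looks like when one node receives an advisory from a peer, and how the BTL levels from the notes above change what that advisory may do. The advisory fields, the two-minute clock skew, the ten-minute corroboration window, the five-per-minute bucket and the rule that only an L3 peer can override a local ALLOW are all assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Advisory is one shared ban. Field names are this example's, not HoneyMesh's format.
type Advisory struct {
	Peer     string `json:"peer"`
	Seq      uint64 `json:"seq"`       // strictly increasing per sender
	IssuedAt int64  `json:"issued_at"` // unix seconds
	IP       string `json:"ip"`
	TTL      int64  `json:"ttl"` // ban lifetime, seconds
}

// Envelope is the serialized advisory plus the sender's Ed25519 signature.
type Envelope struct{ Payload, Sig []byte }

// Peer is a participant the operator explicitly trusted, with its BTL level.
type Peer struct {
	Key      ed25519.PublicKey
	Level    int // 0 observe, 1 corroborated, 2 immediate, 3 authoritative
	lastSeq  uint64
	tokens   float64
	lastFill time.Time
}

type Decision string

const (
	Observe  Decision = "observe"  // log only
	Pending  Decision = "pending"  // waiting for a second peer
	Enforce  Decision = "enforce"  // install the ban
	Override Decision = "override" // install even over a local ALLOW
)

// Mesh is the local node's peers, allowlist and corroboration memory.
// Skew, window and rate values are assumptions for this example.
type Mesh struct {
	peers           map[string]*Peer
	allowlist       map[string]bool
	reports         map[string]map[string]time.Time // ip -> peer -> last report
	maxSkew, window time.Duration
	rate, burst     float64 // token bucket: tokens per second and capacity
}

func NewMesh() *Mesh {
	return &Mesh{peers: map[string]*Peer{}, allowlist: map[string]bool{},
		reports: map[string]map[string]time.Time{}, maxSkew: 2 * time.Minute,
		window: 10 * time.Minute, rate: 5.0 / 60, burst: 5} // 5 advisories/min/peer
}

func (m *Mesh) AddPeer(name string, key ed25519.PublicKey, level int) {
	m.peers[name] = &Peer{Key: key, Level: level, tokens: m.burst}
}

// Sign is the sending peer's side.
func Sign(priv ed25519.PrivateKey, a Advisory) (Envelope, error) {
	payload, err := json.Marshal(a)
	if err != nil { return Envelope{}, err }
	return Envelope{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// Receive checks signature, replay, freshness and rate, then applies the
// peer's BTL level. Anything that fails is dropped, never half-applied.
func (m *Mesh) Receive(env Envelope, now time.Time) (Decision, error) {
	var a Advisory
	if err := json.Unmarshal(env.Payload, &a); err != nil { return "", fmt.Errorf("malformed advisory: %w", err) }
	p, ok := m.peers[a.Peer]
	if !ok { return "", errors.New("sender is not a trusted peer") }
	if !ed25519.Verify(p.Key, env.Payload, env.Sig) { return "", errors.New("bad signature") }
	if a.Seq <= p.lastSeq { return "", fmt.Errorf("replay: seq %d is not after %d", a.Seq, p.lastSeq) }
	if d := now.Sub(time.Unix(a.IssuedAt, 0)); d > m.maxSkew || d < -m.maxSkew {
		return "", fmt.Errorf("stale or future advisory (%v)", d)
	}
	p.lastSeq = a.Seq
	// Token bucket: a noisy or compromised peer cannot flood the mesh.
	if !p.lastFill.IsZero() {
		p.tokens += now.Sub(p.lastFill).Seconds() * m.rate
		if p.tokens > m.burst { p.tokens = m.burst }
	}
	p.lastFill = now
	if p.tokens < 1 { return "", errors.New("rate limit exceeded") }
	p.tokens--
	if p.Level >= 1 { // remember who reported this IP, for corroboration
		if m.reports[a.IP] == nil { m.reports[a.IP] = map[string]time.Time{} }
		m.reports[a.IP][a.Peer] = now
	}
	allowed := m.allowlist[a.IP]
	switch {
	case p.Level <= 0:
		return Observe, nil
	case p.Level >= 3 && allowed:
		return Override, nil // only an authoritative peer beats a local ALLOW
	case p.Level >= 2 && !allowed:
		return Enforce, nil
	case allowed:
		return Observe, nil // a local ALLOW beats L1 and L2 peers
	}
	distinct := 0 // L1: a second distinct peer must report the IP within the window
	for _, t := range m.reports[a.IP] {
		if now.Sub(t) <= m.window { distinct++ }
	}
	if distinct >= 2 { return Enforce, nil }
	return Pending, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	m := NewMesh()
	m.AddPeer("alpha", pub, 1)
	now := time.Now()
	env, _ := Sign(priv, Advisory{Peer: "alpha", Seq: 1, IssuedAt: now.Unix(), IP: "203.0.113.9", TTL: 3600})
	fmt.Println(m.Receive(env, now)) // pending: one L1 report is not enough
	fmt.Println(m.Receive(env, now)) // replay rejected
}
```

Note the ordering: a replayed or stale advisory is rejected before it costs the peer a token, and the sequence number is recorded before the rate check so a burst that gets dropped cannot be re-delivered later once the bucket refills.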

Data protection

Megakey Vault Operations

IronClad Vault

IronClad Vault stores files locally with AES-256-GCM, Argon2id, a 1MB Megakey recovery file, role-based clearance, and Sentinel mode for remote client access.

Use When

  • You need encrypted local storage
  • Users need clearance-based file access
  • A server or NAS needs headless Sentinel operation
  • Admins need emergency recovery with a physical Megakey

Observed Signals

  • Vault file metadata
  • User roles and clearance levels
  • Sentinel unlock state
  • Remote client sessions

Requirements

  • Megakey file must be saved outside the vault machine
  • TCP 9000 for Sentinel remote client access
  • Port 8443 HTTPS for API mode where used
  • Windows firewall rules for Sentinel access

Tool And Operator Notes

  • Encryption uses AES-256-GCM with Argon2id and a 1MB recovery_megakey.bin file.
  • Clearance levels are Public 1, Internal 5, Secret 7, and Top Secret 10.
  • Sentinel mode holds the master key in RAM only and locks again when closed or rebooted.

Next Practice

Create the admin account, store recovery_megakey.bin offline, classify imported files, and test recovery before relying on the vault.
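Added example, not IronClad Vault's code: a small Go vault that ties the page's pieces together. It has the clearance ladder (Public 1 to Top Secret 10), Admin and Viewer roles, AES-256-GCM with the file's classification bound in as additional data so a downgraded level fails to decrypt, a master key that lives in RAM only while unlocked, and a 1 MB Megakey that recovers it. Hashing the Megakey with SHA-256 to obtain the wrapping key is this example's choice; the page does not describe the product's derivation, and the Argon2id password path is omitted because it needs golang.org/x/crypto.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Clearance levels as the page lists them.
const (
	Public    = 1
	Internal  = 5
	Secret    = 7
	TopSecret = 10
)

type Role int

const (
	Viewer Role = iota
	Admin
)

type User struct {
	Name         string
	Role         Role
	MaxClearance int
}

// Entry is one sealed file. Its level is bound into the AEAD additional
// data, so editing the stored level to downgrade a file breaks decryption.
type Entry struct {
	Level     int
	Nonce, CT []byte
}

// Vault holds the master key only while unlocked (RAM only, as the page
// describes Sentinel mode) plus a copy wrapped under the Megakey for recovery.
type Vault struct {
	master            []byte
	wrapNonce, wrapCT []byte
	files             map[string]Entry
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func seal(key, plaintext, ad []byte) ([]byte, []byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, nil, err }
	return nonce, g.Seal(nil, nonce, plaintext, ad), nil
}

func open(key, nonce, ct, ad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	return g.Open(nil, nonce, ct, ad)
}

func fileAD(name string, level int) []byte { return []byte(fmt.Sprintf("file|%s|%d", name, level)) }

// NewMegakey returns the contents of a fresh 1 MB recovery_megakey.bin.
func NewMegakey() ([]byte, error) {
	mk := make([]byte, 1<<20)
	_, err := rand.Read(mk)
	return mk, err
}

// kek hashes the Megakey file down to a 256-bit wrapping key (this example's choice).
func kek(mk []byte) []byte { h := sha256.Sum256(mk); return h[:] }

// Init creates a vault: a random master key wrapped under the Megakey.
func Init(mk []byte) (*Vault, error) {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil { return nil, err }
	n, ct, err := seal(kek(mk), master, []byte("megakey-wrap"))
	if err != nil { return nil, err }
	return &Vault{master: master, wrapNonce: n, wrapCT: ct, files: map[string]Entry{}}, nil
}

// Lock wipes the master key from RAM; nothing can be read until Unlock.
func (v *Vault) Lock() {
	for i := range v.master { v.master[i] = 0 }
	v.master = nil
}

// Unlock is the emergency path: the physical Megakey recovers the master key.
func (v *Vault) Unlock(mk []byte) error {
	master, err := open(kek(mk), v.wrapNonce, v.wrapCT, []byte("megakey-wrap"))
	if err != nil { return errors.New("megakey rejected: wrong file or tampered wrap") }
	v.master = master
	return nil
}

// Import seals a file at a classification level. Only Admins import.
func (v *Vault) Import(u User, name string, level int, plaintext []byte) error {
	if v.master == nil { return errors.New("vault is locked") }
	if u.Role != Admin { return errors.New("only Admin may import") }
	n, ct, err := seal(v.master, plaintext, fileAD(name, level))
	if err != nil { return err }
	v.files[name] = Entry{Level: level, Nonce: n, CT: ct}
	return nil
}

// Read checks clearance first, then decrypts with the level as AAD.
func (v *Vault) Read(u User, name string) ([]byte, error) {
	if v.master == nil { return nil, errors.New("vault is locked") }
	e, ok := v.files[name]
	if !ok { return nil, errors.New("no such file") }
	if e.Level > u.MaxClearance {
		return nil, fmt.Errorf("%s has clearance %d, file is level %d", u.Name, u.MaxClearance, e.Level)
	}
	pt, err := open(v.master, e.Nonce, e.CT, fileAD(name, e.Level))
	if err != nil { return nil, errors.New("integrity failure: file or its classification was altered") }
	return pt, nil
}

func main() {
	mk, _ := NewMegakey()
	v, _ := Init(mk)
	_ = v.Import(User{"root", Admin, TopSecret}, "plan.pdf", Secret, []byte("constructed sample"))
	_, err := v.Read(User{"ann", Viewer, Internal}, "plan.pdf")
	fmt.Println("viewer reading a Secret file:", err)
}
```

The "Recover without panic" drill maps onto Lock, then Unlock with the real Megakey and with a wrong one: the wrong file must be rejected by the wrap's authentication tag, not by a filename check.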

Secure exchange

Direct Encrypted Exchange

P2P Chat

P2P Chat creates a direct encrypted connection between a host and client so they can exchange messages and files without third-party servers.

Use When

  • Two trusted parties need direct encrypted chat
  • Files should move without cloud storage
  • Operators need a simple no-server transfer path

Observed Signals

  • Host IP and port
  • Encryption type
  • Shared key match
  • Allowed IP and connected state

Requirements

  • Host and client must choose the same encryption type
  • Shared generated key must be delivered out-of-band
  • Files must be placed inside p2pchat_files
  • Network/firewall must allow the chosen host port

Tool And Operator Notes

  • Recommended encryption options are AES-256-GCM or ChaCha20-Poly1305.
  • The listener only accepts a connection that presents the exact key and connects from an allowed IP.
  • Files are sent from the chat window with /send filename.ext and land in the recipient's p2pchat_files folder.

Next Practice

Have one side host, generate a key, share IP/port/key out-of-band, connect from the client, then transfer only files staged in p2pchat_files.
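Added example, not P2P Chat's code: the Go program below models the checks the notes above describe on one side of the link. It has the allowed-IP gate, the "exact key" requirement (a frame authenticated with AES-256-GCM simply fails to open under any other key or encryption-type label), and the p2pchat_files boundary, which is checked when a name is given to /send and again when a file arrives. The frame layout, the suite label as additional data and the key being 32 random bytes in hex are assumptions; ChaCha20-Poly1305 is not implemented here because it needs golang.org/x/crypto.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Suite is the only encryption type this example implements.
const Suite = "AES-256-GCM"

// FilesDir is the transfer boundary: a file name must resolve to a plain
// entry directly inside it, on both the sending and the receiving side.
const FilesDir = "p2pchat_files"

const (
	KindChat byte = 1
	KindFile byte = 2
)

// Session is one side of the link once the out-of-band key has been entered.
type Session struct {
	aead    cipher.AEAD
	allowIP string // listener only; empty means any
}

// NewKeyHex makes the shared key the host hands to the client out-of-band.
func NewKeyHex() (string, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return hex.EncodeToString(k), err
}

func NewSession(suite, keyHex, allowIP string) (*Session, error) {
	if suite != Suite { return nil, fmt.Errorf("encryption type %q is not supported by this example", suite) }
	key, err := hex.DecodeString(keyHex)
	if err != nil || len(key) != 32 { return nil, errors.New("key must be 64 hex characters (32 bytes)") }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Session{aead: g, allowIP: allowIP}, nil
}

// Accept is the listener's first gate: the peer must come from the allowed IP.
func (s *Session) Accept(remoteIP string) error {
	if s.allowIP != "" && remoteIP != s.allowIP { return fmt.Errorf("refusing %s: not the allowed IP", remoteIP) }
	return nil
}

// StagePath maps a /send argument to a path inside FilesDir and rejects
// anything that would escape it: subdirectories, "..", absolute paths.
func StagePath(name string) (string, error) {
	if name == "" || name == "." || name == ".." || name != filepath.Base(name) || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("%q is not a plain file name inside %s", name, FilesDir)
	}
	return filepath.Join(FilesDir, name), nil
}

// Seal builds a frame: kind | nameLen(2) | name | nonce(12) | ciphertext+tag.
// Suite, kind and name ride as AAD, so a peer with another key or encryption
// type cannot open the frame and a file name cannot be swapped in transit.
func (s *Session) Seal(kind byte, name string, payload []byte) ([]byte, error) {
	if kind == KindFile {
		if _, err := StagePath(name); err != nil { return nil, err }
	}
	if len(name) > 0xFFFF { return nil, errors.New("name too long") }
	nonce := make([]byte, s.aead.NonceSize()) // random per frame, never reused with this key
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	var buf bytes.Buffer
	buf.WriteByte(kind)
	binary.Write(&buf, binary.BigEndian, uint16(len(name)))
	buf.WriteString(name)
	ad := append([]byte(Suite), buf.Bytes()...)
	buf.Write(nonce)
	buf.Write(s.aead.Seal(nil, nonce, payload, ad))
	return buf.Bytes(), nil
}

// Open parses and authenticates a frame. A received file name is checked
// against the boundary again: the sender's claim is never trusted.
func (s *Session) Open(frame []byte) (kind byte, name string, payload []byte, err error) {
	ns, tag := s.aead.NonceSize(), s.aead.Overhead()
	if len(frame) < 3 { return 0, "", nil, errors.New("short frame") }
	hdrEnd := 3 + int(binary.BigEndian.Uint16(frame[1:3]))
	if len(frame) < hdrEnd+ns+tag { return 0, "", nil, errors.New("short frame") }
	kind, name = frame[0], string(frame[3:hdrEnd])
	ad := append([]byte(Suite), frame[:hdrEnd]...)
	payload, err = s.aead.Open(nil, frame[hdrEnd:hdrEnd+ns], frame[hdrEnd+ns:], ad)
	if err != nil { return 0, "", nil, errors.New("authentication failed: wrong key, wrong encryption type, or tampered frame") }
	if kind == KindFile {
		if _, err := StagePath(name); err != nil { return 0, "", nil, err }
	}
	return kind, name, payload, nil
}

func main() {
	key, _ := NewKeyHex()
	host, _ := NewSession(Suite, key, "192.0.2.10") // allowed client IP, constructed
	client, _ := NewSession(Suite, key, "")
	f, _ := client.Seal(KindFile, "notes.txt", []byte("constructed file body"))
	fmt.Println(host.Open(f))
}
```

Because the key is the only secret, a session that opens cleanly is the proof that the client typed the exact key the host generated; a typo shows up as an authentication failure on the first frame, not as garbage text.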

Black belt standard

Explain the evidence

Show what the tool observed, where the evidence came from, and what it does not prove.

Operate safely

Know the prerequisites, privileges, modes, and failure cases before pushing the tool harder.

Leave a trail

Export, document, or summarize the finding so another operator can continue the work.