English | Deutsch | Español | فارسی | Français | Italiano | 日本語 | 한국어 | Polski | Português | Русский | Türkçe | Українська | 中文
Network diagnostics that speak human language.
Desktop app for network diagnostics, DNS protection, and VPN.
See your full connection path from computer to internet, switch DNS providers in one click,
and connect through VPN — all explained in plain language, not error codes.
Built with Rust + Tauri + React.
Most network tools are built for engineers. Netok is built for everyone else.
When your internet stops working, you shouldn't need to know what
DNS_PROBE_FINISHED_NXDOMAIN means. Netok translates that into something useful:
what's broken, where, and what to do about it.
|
Computer → Wi-Fi → Router → Internet — step-by-step connection check |
No technical jargon — clear answers about what's wrong and how to fix it |
Cloudflare, AdGuard, CleanBrowsing, or your own custom servers |
|
VLESS, VMess, Shadowsocks, Trojan, WireGuard via sing-box |
Scan your local network and identify devices by brand |
Real-world ratings, not just raw numbers |
|
Detect encryption vulnerabilities and network threats |
Full localization including RTL scripts |
Light and dark mode with system preference support |
Netok is not yet code-signed. Windows may show a SmartScreen warning on first launch — this is normal for unsigned applications. Click "More info" → "Run anyway" to proceed.
The application is built automatically from source code via GitHub Actions. You can verify the build by checking the release workflow and comparing checksums.
Computer → Wi-Fi → Router → Internet — see your full connection path step by step. Each node is tested independently so you know exactly where the problem is.
No error codes, no technical jargon. When something breaks, Netok tells you what happened and what to do — in words anyone can understand.
Switch your DNS provider in one click — Cloudflare, AdGuard, CleanBrowsing, or set your own custom servers. Block ads, malware, and adult content at the network level.
Connect through VLESS, VMess, Shadowsocks, Trojan, or WireGuard — powered by sing-box. Paste a link, scan a QR code, or import a config file.
Measure your real download and upload speed with human-readable ratings — not just raw numbers.
Detect weak encryption, open networks, and other vulnerabilities. Know if your Wi-Fi is safe before you connect.
Netok speaks 15 languages — including right-to-left scripts like Farsi. Every label, every message, every tooltip is fully translated. No half-baked Google Translate patches — each locale is reviewed for natural phrasing.
Supported: English, Deutsch, Español, Français, Italiano, Polski, Português, Türkçe, Українська, Русский, 日本語, 한국어, 中文, فارسی, and more coming.
Each node in the chain runs independent checks — no router admin access needed:
Computer — hostname::get() for machine name, get_if_addrs for network interfaces, Windows WLAN API for adapter details.
Wi-Fi — Windows WLAN API (WlanQueryInterface): SSID, signal quality converted to dBm (-90 + quality/2), TX rate, PHY type → Wi-Fi standard, channel and band (2.4/5/6 GHz) from ulChCenterFrequency. Connection type detected from adapter name pattern matching.
Router — Gateway IP parsed from route print (Windows), ip route (Linux), or netstat -nr (macOS). MAC address via Get-NetNeighbor. Vendor identified through longest-prefix OUI lookup against 30,000+ entries compiled from the Wireshark manufacturer database.
Internet — Two checks run in parallel: DNS resolution via trust_dns_resolver (tries one.one.one.one, fallback dns.google) and HTTP reachability via reqwest (tries Cloudflare trace, fallback example.com). Both pass → OK, one passes → Partial, both fail → Fail.
Four sequential checks, all via Windows WLAN API:
Encryption — Reads dot11AuthAlgorithm + dot11CipherAlgorithm, maps to Open (danger) / WEP, WPA (warning) / WPA2, WPA3 (safe).
Evil Twin Detection — Gets all BSSIDs matching the connected SSID via WlanGetNetworkBssList. Checks the IEEE 802.11 Privacy bit on each AP. If the same SSID has both open and encrypted access points → warning.
ARP Spoofing Detection — Reads the full ARP table via Get-NetNeighbor, builds a MAC → IP mapping. If any non-broadcast MAC maps to multiple IPs including the gateway → danger.
DNS Hijacking Detection — Resolves example.com via the system resolver AND via a raw UDP query to 1.1.1.1. If the IP sets don't overlap → warning.
Overall security status = worst result of the four checks.
Frontend-based, using NDT7 (Network Diagnostic Tool v7) by M-Lab over WebSocket:
- Server discovery via M-Lab locate API (nearest server, cached 5 min)
- Download/upload phases ~10 seconds each
- Ping: median of 3 WebSocket connect/close RTT cycles
- Latency: mean
TCPInfo.SmoothedRTTunder load - Jitter: mean absolute consecutive difference of SmoothedRTT samples
- Bufferbloat detection: latency > 3× idle ping
Results mapped to practical tasks:
| Task | Pass condition |
|---|---|
| 4K Video | download ≥ 25 Mbps |
| Online Gaming | ping ≤ 50 ms AND jitter ≤ 30 ms |
| Video Calls | download ≥ 3 Mbps AND ping ≤ 100 ms |
| HD Video | download ≥ 10 Mbps |
| Music/Podcasts | download ≥ 1 Mbps |
| Social/Web | download ≥ 3 Mbps |
| Email/Messengers | download ≥ 0.5 Mbps |
- Rust — core diagnostics engine
- Tauri — desktop framework
- React + TypeScript — UI
- sing-box — VPN tunneling
GPL-3.0. See LICENSE and THIRD_PARTY_LICENSES.md.
See PRIVACY.md and SECURITY.md.
Made by Anton Korenyako