📖 User Guide

Matrix IT — Packet Loss Monitor
User Guide

Everything you need to install, configure, and get the most out of your network monitoring deployment. From first-run setup to advanced correlation analysis.

Version 1.0 Windows 10 / 11 / Server .NET runtime bundled — no prerequisites Last updated March 2026
Getting Started

Installation

The application ships as a single Windows installer (MatrixIT-PacketLossMonitor-Setup.exe). No .NET runtime is needed — it is bundled inside the installer. The entire setup takes under 2 minutes.

  1. Run the installer as Administrator Double-click MatrixIT-PacketLossMonitor-Setup.exe. Accept the Windows UAC prompt when it appears. The installer does not require an internet connection.
  2. Choose optional tasks The installer offers checkboxes for:
    • Create a Desktop shortcut (current user or all users)
    • Create a Start Menu shortcut
    • Launch at Windows startup (adds a registry Run entry)
    All are optional. Check what's appropriate for the deployment.
  3. Installation completes Files are placed in C:\Program Files\Matrix IT\Packet Loss Monitor\. The Windows service MatrixITPktMon is registered automatically. The application launches at the end.
  4. First-run configuration opens automatically Since no config.json exists yet, the app navigates directly to Settings. See the next section.
All runtime data (config, history, logs) is stored in C:\packetmonitor\ — not in Program Files. This path is writable by the Windows service (running as SYSTEM) and shared between the GUI and service.
Getting Started

First-Run Setup

On first launch, the app opens directly on the Settings screen. The dashboard shows an amber "Setup required" banner until all three requirements are met: SMTP credentials, at least one monitoring target, and at least one alert recipient.

Step 1 — Add Monitoring Targets

Click + Add Target for each network device you want to monitor.

FieldExampleNotes
NameCore-SW-01Friendly display name shown on dashboard cards
Host / IP192.168.1.10IP address or hostname that responds to ICMP ping
DescriptionCore switch, IDF roomOptional subtitle shown on the card
Latency Threshold (ms)105–15 ms for LAN; 50–150 ms for WAN. Overrides the global threshold for this target only.

Step 2 — Configure SMTP Mail Server

Enter your SMTP relay credentials. The app uses port 587 with STARTTLS by default. After entering credentials, enter a test recipient address and click Send Test Email — no need to save first. A green ✓ or detailed error message appears immediately.

Step 3 — Add Alert Recipients

Add each email address that should receive alert notifications. One address per line. All recipients receive every alert email.

Step 4 — Save Settings

Click Save Settings. Monitoring starts automatically. Navigate to Dashboard to see your targets.

Once all three conditions are met (target, SMTP, recipient) and settings are saved, the "Setup required" banner disappears and the monitoring engine starts immediately — no restart needed.
Dashboard

Dashboard Overview

The Dashboard is the primary screen. It is divided into two columns. The left column shows the live target card grid. The right column shows either the Recent Alerts feed (default) or a full Target Detail analytics panel when a card is clicked.

📊
Left Column — Live Targets
Health summary bar, setup banner (first run), and all target cards sorted by severity. Cards update every ping cycle (default 60 seconds).
🔔
Right Column — Alerts / Detail
Shows the Recent Alerts feed by default. Click any target card to replace this with the full analytics panel for that target.
Compare Targets Button
Opens the multi-target correlation window as a separate floating panel — monitor side-by-side without leaving the dashboard.
Force Recon All Button
Immediately triggers a full diagnostic sweep on every configured target, bypassing all cooldowns. Use during an active incident.
Dashboard

Health Summary Bar

A compact strip directly above the target cards shows real-time counts across all targets at a glance:

2 OK    0 WARNING    1 ALERT

Each count updates instantly whenever any target changes status — no manual refresh needed. This is the fastest way to assess network health without reading individual cards.

💡 The health bar is hidden when no targets are configured. It appears automatically once you add at least one target in Settings.
Dashboard

Target Cards

Each monitored target is displayed as a card in the left column. Cards are automatically sorted by severity — ALERT cards float to the top, followed by WARNING, then OK. You never need to scroll to find a problem.

Click any card to open the Target Detail Panel in the right column.

Card Layout

AreaContents
Status icon (left)Coloured circle matching current status. Card background also changes colour.
Target info (centre-left)Name, IP/hostname, optional description, last check timestamp (HH:mm:ss)
Packet Loss (centre)Current loss % in large text, colour-coded green → amber → red
Latency (centre-right)Average latency with a trend arrow. Shows No resp since HH:mm when loss is 100%.
Status column (right)Status badge, alert reason, alert duration, alerts sent count, UNSTABLE badge (if flapping), RECON spinner (while diagnostics run)
Dashboard

Status & Alert Badges

Status Indicators

BadgeMeaning
● OKZero packet loss, latency within the per-target threshold. All is healthy.
▲ WARNINGSome packet loss detected but below the configured alert threshold. Worth watching.
✖ ALERTThreshold breached. Recon diagnostics have run or are running. Alert email sent (subject to cooldown).
○ UNKNOWNNot yet checked since the application started. Clears after the first completed ping cycle.

Alert Reason Badges

When a target is in ALERT, a second smaller badge appears immediately below the ALERT badge explaining exactly why the alert fired — so you know at a glance whether to investigate latency or packet loss first.

Reason BadgeCauseWhere to Look First
HIGH LATENCYAverage latency exceeded the per-target ms threshold. Zero or low packet loss.Path quality, bandwidth saturation, QoS issues, WAN congestion
PACKET LOSSPacket loss % exceeded the threshold. Latency may be within range.Physical layer (cable, SFP), interface errors, duplex mismatch
LOSS + LATENCYBoth loss and latency thresholds were simultaneously breached.Severe congestion, major hardware failure, ISP outage
Dashboard

Trend Arrows, Flapping & Alert Duration

Trend Arrows

A small arrow next to the latency value compares the average of the last 5 ping cycles against the prior 5 to show whether performance is improving or degrading:

ArrowMeaningAction
(amber)Latency increasing — degrading by >10%Watch closely; may reach ALERT if trend continues
(green)Latency decreasing — improving by >10%Good sign, likely recovering from a prior event
(grey)Stable — within ±10% of prior averageNormal operation
(none)Not enough data yet (fewer than 10 completed checks)Wait for more data

Flapping / UNSTABLE Badge

If a target changes status 3 or more times within the last 10 checks, an UNSTABLE badge appears on the card. This indicates intermittent or oscillating connectivity — often more difficult to diagnose than a clean sustained outage.

Flapping is a serious signal. It may indicate an interface auto-negotiating incorrectly, a failing SFP/cable, or a routing loop. Click the card and examine the packet loss heat strip pattern to see the oscillation timeline.

Alert Duration Timer

Once a target enters ALERT, a running timer appears on the card below the alerts count: ongoing 4 min, ongoing 2h 15m, etc. This updates every 30 seconds and resets when the target returns to OK or WARNING — useful for quickly answering "how long has this been broken?"

Analytics

Target Detail Panel

Click any target card to open the full analytics panel in the right column. This is your primary investigation tool when a target is degraded. Click ← Back to return to the Recent Alerts feed.

Stats Bar

MetricHow It's CalculatedWhat to Look For
JITTERMax latency − Min latency across the rolling 2-hour windowHigh jitter (e.g. >50 ms on a LAN target) indicates unstable routing or congestion even if average looks acceptable
AVAILABILITY% of checks in the window that were NOT in ALERT statusDrops below 95%? The target has been unreliable for a significant portion of the observation window
CHECKSNumber of completed ping cycles in the buffer (max 120)Low number means the app recently started or the target was just added — analytics are less representative
THRESHOLDThe configured per-target latency limit in msReference — alerts fire when avg latency exceeds this value

Latency Trend Chart

A canvas-drawn line chart showing average latency over time across the rolling 2-hour buffer. Features:

  • Blue polyline with soft fill — each data point is one completed ping cycle
  • Amber dashed horizontal line at the configured per-target latency threshold
  • Grid lines at 25%, 50%, 75% of the current Y-axis scale
  • Labels: Older (left) / Latest (right) on the X axis; max ms value top-right
  • Redraws automatically after every ping cycle — no manual refresh

Packet Loss Heat Strip

A horizontal row of up to 120 colour-coded cells — one cell per completed ping cycle — reading left (oldest) to right (newest). The colour of each cell represents loss for that individual check:

■ Green — 0% loss ■ Amber — <10% loss ■ Red — ≥10% loss
💡 Pattern reading: a single red block surrounded by green = brief spike. Red block near the right edge = recent and possibly ongoing. Scattered amber throughout = intermittent noise. Solid red to the right transitioning to green = recovering from an outage.

Last Diagnostic Run

Shows the output from the most recent automatic or manually triggered recon. This section only appears after at least one recon has completed. Each diagnostic tool is in a collapsible expander:

SectionWhat to Look For
PORT PROBESGreen OPEN / grey CLOSED badges for ports 22, 23, 80, 443, 8080. If ICMP is dropping but ports are OPEN, the device is up but routing is degraded — not a total failure.
TracerouteLook for the hop where latency spikes or asterisks (*) appear consistently. That hop or the one before it is likely the problem segment.
PathpingPer-hop loss % over 50 packets. A hop showing 40% loss while downstream hops show 0% = that router is rate-limiting ICMP (normal). A hop showing 40% loss AND all downstream hops showing similar loss = that hop is genuinely dropping packets.
ARP TableLook for the same IP mapped to two different MAC addresses — this indicates a duplicate IP conflict that causes intermittent loss as traffic flips between the two devices.
NSLookupConfirms DNS is resolving correctly. Failure here means the monitoring machine's DNS is unhealthy — separate from the target itself.

Force Recon Button

Click ⊙ Force Recon in the panel header to immediately run a full diagnostic sweep on this target — no threshold breach required. Useful when you want to investigate a target that's currently showing high latency but hasn't yet crossed the alert threshold, or when you want fresh diagnostics during an incident.

Force Recon does not send an alert email. It only updates the diagnostic output in the Target Detail Panel. To trigger an email as well, use ⟳ Force Recon All on the Dashboard header — this uses the normal alert sending path.
Analytics

Compare Targets

Click ⊞ Compare Targets in the Dashboard header to open the multi-target comparison window. It opens as a separate floating window so you can continue using the main dashboard while comparing.

How to Use It

  1. Select targets using the checkboxes in the left sidebar Each target is assigned a unique colour from an 8-tone palette. That colour carries through all panels — chart lines, loss strips, and table headers — so you always know which data belongs to which target.
  2. Read the overlaid latency chart All selected targets are drawn on a single canvas with a shared Y-axis. If two lines spike at the same horizontal position, both targets degraded at the same time.
  3. Read the stacked loss strips One heat strip per selected target, stacked vertically. Red blocks aligned across multiple strips = simultaneous degradation = likely a shared upstream problem.
  4. Check the Correlation Banner The banner at the top scores simultaneous degradation between every pair of selected targets and shows the highest-scoring pair with an advisory message.

Correlation Score Guide

ScoreInterpretationRecommended Action
≥ 70% — HighBoth targets degrade at the same time in most checks — very likely a shared upstream path (ISP link, core router, WAN circuit)Investigate the common path segment: run tracert on both targets and compare where the hops diverge
35–70% — ModeratePartial overlap — may be related or coincidentalMonitor during the next degradation window. Check if the affected checks occur at the same time of day.
< 35% — LowTargets fail independently — the problem is device-specificInvestigate each device separately. Physical layer checks recommended for the affected target.
Analytics

Recent Alerts Feed

The right column of the Dashboard shows the Recent Alerts feed when no target card is selected. It displays the 10 most recent alert events as compact single-line entries, newest at the top.

Alert Entry Format

Example Alert Entries
HIGH LATENCY  matrixit.net  ·  24 ms  ·  11:22
PACKET LOSS  google dns  ·  50%  ·  11:23
LOSS + LATENCY  gateway  ·  15% · 18 ms  ·  11:24
ElementDescription
Type badgeAmber for HIGH LATENCY; red for PACKET LOSS or LOSS + LATENCY
Target nameFriendly display name of the affected target
MetricThe actual value that triggered the alert (e.g. 24 ms or 50%). Shows both values for LOSS + LATENCY.
TimeHH:mm timestamp of the alert event

Click View all in History → at the bottom of the feed to navigate to the full History screen, which shows all saved events from history.csv.

Analytics

History View

Navigate to History from the top menu bar to view the complete persistent event log stored in C:\packetmonitor\history.csv. Unlike the Recent Alerts feed, history persists across app restarts.

What's Recorded

Every completed ping cycle writes one row per target to history.csv:

Timestamp, Name, Host, PacketLoss%, LatencyAvg, LatencyMin, LatencyMax, Status, AlertSent 2026-03-22 11:05:55, matrixit.net, matrixit.net, 0.0, 22.0, 19.0, 27.0, ALERT, True

Using the History Screen

  • Per-target summary statistics: total checks, OK / WARNING / ALERT counts, average and peak loss, average and peak latency
  • Sortable event table — click column headers to sort
  • Filter to show all events or ALERT / WARNING events only
  • The AlertSent column shows whether an email was dispatched for that particular breach (it may be False if the hourly rate limit was reached)
Configuration

Settings

Navigate to Settings from the top menu. All changes take effect when you click Save Settings — the monitoring engine restarts automatically.

Monitoring Targets

ActionNotes
+ Add TargetOpens the add-target dialog. Enter name, host/IP, optional description, and per-target latency threshold.
Edit (per target)Modify the target's name, description, or latency threshold without affecting history data
Remove (per target)Removes the target from monitoring. Historical data for this target is retained in history.csv.

Mail Server (SMTP)

FieldNotes
SMTP ServerHostname or IP of your outbound mail relay
Port587 for STARTTLS (recommended); 465 for SSL/TLS; 25 for plain SMTP
Use TLSCheck this for port 587 (STARTTLS). Uncheck for plain port 25.
Username / PasswordSMTP authentication credentials. Password is masked in the UI.
From AddressThe address that appears in the "From:" field of all alert emails
Alert RecipientsOne email address per line. All recipients receive every alert email.

Send Test Email

Enter a test recipient address in the Test Recipient field (does not need to be in your recipient list) and click Send Test Email. The test uses the current form values — no need to save first. A ✓ success or ✗ error with a specific message appears immediately.

Thresholds & Intervals

SettingDefaultNotes
Global Packet Loss Threshold5%Triggers ALERT when loss reaches or exceeds this value. Apply per-target overrides in the target editor for devices with known baseline loss.
Global Latency Threshold100 msFallback for targets with no per-target latency override set
Ping Interval60 sHow often each target is checked. Shorter interval = more data but higher network overhead.
Packets per Check5ICMP packets per ping cycle. More packets = more accurate loss% but longer check duration.
Alert Cooldown15 minMinimum time between repeat emails for the same target. Prevents email floods during sustained outages.
Max Alerts per Hour10Global email rate limit. Set to 0 for unlimited. Recommended to leave at 10 for most deployments.

Advanced — Launch on Windows Startup

Checking this option adds a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so the application starts when the current user logs into Windows. This is independent of the Windows service — the service starts at boot regardless of who is logged in.

Configuration

About Page

Navigate to About from the top menu for application information, desktop shortcut management, and the configuration folder shortcut.

Desktop Shortcut Management

The About page provides buttons to create or remove a shortcut for all users on the machine:

ButtonActionRequires Admin?
Create ShortcutCreates Matrix IT – Packet Loss Monitor.lnk in C:\Users\Public\Desktop with the custom application iconYes — UAC prompt appears
RemoveDeletes the shortcut from the public desktopYes — UAC prompt appears

Open Config Folder

Click Open Folder in the Configuration card to open C:\packetmonitor\ in Windows Explorer. This is the quickest way to access config.json, history.csv, and monitor.log for review or backup.

Operations

Windows Service

The application registers a Windows service named MatrixITPktMon during installation. The service runs the monitoring engine in headless (no window) mode — sending alert emails without any user being logged in, surviving reboots automatically.

The GUI and the service are independent. Both run the monitoring engine simultaneously if both are active. On production systems, rely on the service for background monitoring and open the GUI when you need to investigate or reconfigure.

Service Details

PropertyValue
Service NameMatrixITPktMon
Display NameMatrix IT Packet Loss Monitor
Startup TypeAutomatic (starts on boot, no login required)
Log On AsLocal System
ExecutableC:\Program Files\Matrix IT\Packet Loss Monitor\PacketlossMonitor.exe --headless
Config FileC:\packetmonitor\config.json (shared with GUI)

Service Status Indicator

The top-right corner of the application shows the current service state at all times:

● Service: RUNNING ● Service: STOPPED ● Service: Not Installed

Managing the Service

The service can be managed from Windows Services (services.msc) or the command line:

sc query MatrixITPktMon # Check current status sc start MatrixITPktMon # Start the service sc stop MatrixITPktMon # Stop the service
Operations

System Tray

When the main window is closed, the application minimises to the Windows system tray rather than exiting. Monitoring continues uninterrupted in the background.

Tray Icon Context Menu

Menu ItemAction
Open MonitorBrings the main window to focus and navigates to the Dashboard. Restores the window if it was minimised or hidden.
ExitStops monitoring and exits the application completely. The Windows service continues running if it was installed.

Balloon Notifications

When a threshold is breached, a balloon notification pops from the tray icon showing the target name and current status. Clicking the balloon opens the main window on the Dashboard.

Single-Instance Behaviour

The application enforces a single running instance. If you click the desktop shortcut while the app is already running in the tray, the existing window is brought to focus rather than opening a second window. This prevents duplicate alert emails and conflicting monitoring loops.

Operations

Alert Emails

When a threshold breach passes both the per-target cooldown check and the global hourly rate limit, an HTML email is sent to all configured recipients via your SMTP relay.

Email Subject Format

[Matrix IT Alert] Threshold breached on Core-SW-012026-03-22 11:05:55

Email Contents

SectionContents
Alert SummaryTarget name, IP, description, timestamp, alert reason (HIGH LATENCY / PACKET LOSS / LOSS + LATENCY), loss %, avg/min/max latency, packets sent/received, configured thresholds
TCP Port ProbesOPEN / CLOSED status for ports 22, 23, 80, 443, 8080
TracerouteFull tracert -d output
PathPingpathping -n per-hop loss analysis
ARP TableFull arp -a output
DNS Lookupnslookup result

Alert Flood Protection

ControlDefaultScopeEffect
Cooldown15 minPer targetMinimum time between repeat alert emails for the same target. Resets when the target returns to OK.
Max alerts/hour10GlobalMaximum total emails per hour across all targets. 0 = unlimited.
Even when the email rate limit is reached, recon still runs and the Target Detail Panel is updated with fresh diagnostics. Only the email is suppressed — you always have diagnostic data available in the app.
Operations

Automated Diagnostics

Recon runs automatically when a target enters ALERT and the last recon for that target is stale (older than the cooldown period). It can also be triggered manually using Force Recon in the Target Detail Panel or ⟳ Force Recon All on the dashboard.

While recon is running, a blue RECON... spinner appears on the target's card. Recon runs on a background thread — monitoring and the UI continue working normally.

Diagnostic Tools Reference

ToolCommandPurposeDuration
Traceroutetracert -d -w 3000Maps every hop to the target. Identifies which segment introduced the latency or loss.10–30 sec
PathPingpathping -n -q 50Per-hop packet loss % over 50 probes. Identifies which specific router is dropping packets.2–6 min
ARP Tablearp -aDumps the local ARP table. Detects duplicate IP conflicts (same IP, two MACs).<1 sec
DNS LookupnslookupVerifies DNS resolution for the target hostname is healthy at the time of the alert.<5 sec
TCP Port ProbesSocket connect: 22, 23, 80, 443, 8080Tests L4 connectivity vs L3 ICMP loss — distinguishes "device up but routing broken" from "device down"<15 sec
PathPing can take up to 6 minutes to complete because it sends 50 packets per hop. It runs in the background after the other tools — the alert email is sent before PathPing finishes, and the PathPing section in the Target Detail Panel updates when ready.
Reference

Threshold Reference

Choosing the right latency thresholds prevents both false positives (too many alerts for acceptable latency) and missed events (thresholds set too high). Use the table below as a starting guide.

Target TypeRecommended Latency ThresholdNotes
Local LAN device (switch, AP, printer)5–15 msSub-millisecond response is normal on Gigabit LAN. 15 ms+ on a LAN device usually indicates a problem.
Site-to-site MPLS / private WAN20–50 msDepends on circuit distance and quality. Baseline with normal traffic first.
ISP gateway / public internet target50–150 msHigher variance is normal. Set threshold 50–100% above your typical baseline average.
Cloud service (e.g. 8.8.8.8, 1.1.1.1)80–150 msUse as a secondary check to distinguish local WAN problems from global internet issues.

Packet Loss Threshold

The default global packet loss threshold is 5%. On a 5-packet check, this means 1 out of 5 packets lost triggers WARNING; 5% rounded means any loss triggers it (since 1/5 = 20% — lower the threshold to catch even single-packet loss). Recommended values:

  • 0% — Zero tolerance (any lost packet triggers alert). For critical infrastructure.
  • 5% — Default. Good balance for most deployments.
  • 10–20% — Only alert on significant sustained loss. For noisy links where some baseline loss is expected.
Reference

Configuration File

All settings are stored in C:\packetmonitor\config.json. This file is managed entirely through the Settings screen — manual editing is not required but the format is shown here for reference and backup purposes.

{ "targets": [ { "name": "Core-SW-01", "host": "192.168.1.10", "description": "Core switch IDF room", "latency_ms": 10.0 // per-target override (null = use global) } ], "thresholds": { "packet_loss_percent": 5.0, "latency_ms": 100.0 // global fallback }, "ping": { "interval_seconds": 60, "count_per_check": 5 }, "smtp": { "host": "smtp.yourdomain.com", "port": 587, "use_tls": true, "username": "alerts@yourdomain.com", "password": "[password]", "from_address": "alerts@yourdomain.com" }, "recipients": ["helpdesk@company.com"], "alert_cooldown_minutes": 15, "max_alerts_per_hour": 10 }
Do not edit config.json while the application or service is running — changes may be overwritten when Settings is saved. Use the Settings screen instead, or stop the service first.
Reference

Troubleshooting

"Setup required" banner stays visible after configuring

Check that all three conditions are met: at least one monitoring target, SMTP host field filled in, and at least one alert recipient. All three must be present. Click Save Settings after completing them.

All targets show UNKNOWN and never update

ICMP ping is blocked. Open Command Prompt and run ping 192.168.1.x to the target manually. If it times out, check Windows Defender Firewall outbound rules and any network ACL between the monitoring machine and the targets.

Target shows ALERT with 0% packet loss

Expected behaviour — this is a HIGH LATENCY alert. Average latency exceeded the per-target ms threshold even though no packets were lost. If the latency is acceptable for that link, increase the per-target threshold in Settings → Edit Target.

Test email fails with "SMTP Server host is empty"

Fill in the SMTP Server field in Settings. The test email uses current form values without requiring Save — but the host field must contain something to attempt a connection.

Test email fails with a connection or authentication error

Verify: (1) outbound TCP on the configured port (587 by default) is not blocked by Windows Firewall or a perimeter device; (2) the username and password are correct; (3) the SMTP host is reachable from this machine. Run telnet smtp.yourdomain.com 587 from Command Prompt to test basic connectivity.

Alert emails are not arriving during an incident

Check C:\packetmonitor\monitor.log for suppression messages. Either the per-target cooldown is active (target was already alerted within the last 15 minutes) or the hourly rate limit was reached. Use ⟳ Force Recon All to bypass cooldowns. To view the log, go to About → Open Folder.

Target Detail Panel shows "No diagnostic data yet"

Recon has not run for this target yet — it only runs automatically when the target breaches its threshold. Click ⊙ Force Recon to trigger diagnostics immediately regardless of status.

Clicking the desktop shortcut opens a second window

This should not happen with the current version. The single-instance guard uses a named mutex and the exact window title. If you have multiple versions installed, remove older ones via Add/Remove Programs and reinstall the latest version.

Latency chart is empty

The chart requires at least 2 data points to draw. Wait for 2 completed ping cycles (2 × your configured interval — 2 minutes at the default 60-second setting). After that the chart populates and continues updating.

UNSTABLE badge appears but the device seems fine

The UNSTABLE badge appears when a target changes status 3+ times in the last 10 checks. Even if it looks OK right now, this means it was oscillating recently. Click the card and review the packet loss heat strip — scattered amber/red blocks interspersed with green confirm intermittent instability. This often precedes a full outage.

Service shows "Not Installed" after the installer ran

Try running the installer again as Administrator. The service registration requires elevated privileges. You can also verify in services.msc — look for "Matrix IT Packet Loss Monitor". If not listed, re-run the installer.