diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 84fd10408..ce40eb4d8 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -35,6 +35,7 @@ in
 sysadminUtils = declPackageSet [
 "ausyscall"
+ "bandwhich" # network/bandwidth monitor
 "bridge-utils" # for brctl; debug linux "bridge" inet devices
 "btrfs-progs"
 "cacert.unbundled" # some services require unbundled /etc/ssl/certs
@@ -427,6 +428,20 @@ in
 backblaze-b2 = {};
+ bandwhich.sandbox.capabilities = [
+ # it recommends these caps
+ # - new_raw is absolutely required
+ # - dac_read_search + sys_ptrace are required to associate traffic with process names
+ # - net_admin is... seemingly not actually required for anything?
+ "dac_read_search"
+ # "net_admin"
+ "net_raw"
+ "sys_ptrace"
+ ];
+ bandwhich.sandbox.keepPids = true; #< so it can determine process names
+ bandwhich.sandbox.tryKeepUsers = true;
+ bandwhich.sandbox.net = "all";
+
 bash-language-server.sandbox.whitelistPwd = true;
 blanket.buildCost = 1;
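Review bot: The comment in the `bandwhich.sandbox.capabilities` list says `# - new_raw is absolutely required`, but the capability actually granted below is `"net_raw"`; the comment should read `# - net_raw is absolutely required` so the rationale matches the grant. The same comment block would benefit from stating the cost of the second pair: `dac_read_search` bypasses DAC read and directory-search checks for any file on the system, not just /proc, so together with `sys_ptrace` and `keepPids = true` this gives a passive bandwidth monitor read reach over essentially the whole filesystem; a line such as `# NOTE: dac_read_search is a filesystem-wide read bypass; drop it if per-process attribution is not needed` would let a later reader weigh that trade-off. Whether `tryKeepUsers` and `net = "all"` widen the sandbox further depends on the module's option semantics, which are not visible in this hunk.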