diff --git a/monitor/README.md b/monitor/README.md
new file mode 100644
index 0000000..6c9099e
--- /dev/null
+++ b/monitor/README.md
@@ -0,0 +1,68 @@
+# Introduction
+These files create a template, with tools installed for network monitoring.
+An AppVM named sys-monitor, is created from that template.
+
+## Template
+The template, template-monitor, is cloned from the debian-12-minimal template.
+If the debian-12-minimal template is not present, it will be downloaded
+and installed - this may take some time depending on your net connection.
+
+The template has passwordless root installed, so you can run packet captures using `sudo..`.
+If you want to run wireshark as an ordinary user, open a terminal in template-monitor and run
+`sudo dpkg-reconfigure wireshark-common`.
+Answer `Yes` to the question, "should non-superusers be able to capture packets?"
+Run `sudo usermod -a -G wireshark user`.
+Shut down the template.
+
+## Usage
+sys-monitor is created with `provides_network` set, so you can attach qubes to it, setting it as netvm.
+Wireshark, suricata, tcpdump, and tcpflow are installed and ready to run.
+For wireshark see the note above about running as an ordinary user - useful if you want to start from the Q Menu.
+
+As with all Debian templates, services are masked in the template.
+This is done in `create.sls`
+The suricata service is *unmasked* in the qube, by an entry in `/rw/config/rc.local` which is created in `config.sls`.
+This means that you can simply run `sudo systemctl start suricata` to have suricata running with default settings.
+Alternatively you can start the service with a custom configuration, as you will.
+
+By default sys-monitor has sys-net as netvm, but you can change this if you wish.
+You can monitor traffic at eth0 or at any of the vif interfaces to downstream qubes.
+
+You can, of course, use template-monitor to create other qubes for monitoring at different positions in the Qubes networking structure..
+
+## Installation
+Copy the monitor folder to /srv/salt.
+```
+qubesctl state.apply monitor.create
+qubesctl --skip-dom0 --targets=template-monitor state.apply monitor.install
+qubesctl --skip-dom0 --targets=sys-monitor state.apply monitor.configure
+```
+### Template creation
+Clone the debian-12-minimal template - note the use of `qvm.template_installed` which will install the template if it is not already present
+```
+sudo qubesctl state.apply monitor.clone
+```
+`clone.sls` uses `qvm.features` to set the menu. Note that you can do this *before* the relevant packages are installed.
+
+### Qube creation
+`create.sls` is a standard way of creating `sys-monitor` - qvm.present is used to create the qube, and preferences and features are set.
+
+Note the use of an `include` statement at the head of the file. This allows a single state execution to call other states.
+So `qubesctl state.apply monitor.create` will call and run `monitor.clone`.
+
+
+### Package installation
+```
+sudo qubesctl --skip-dom0 --targets=template-monitor state.apply monitor.install
+
+```
+This state uses `pkg.installed` to install necessary packages in the template.
+Note the use of `pillar.get` to check if a caching proxy is present: the necessary changes to repository definitions are made using `file.replace` within a jinja command structure.
+
+### Configuration
+```
+sudo qubesctl --skip-dom0 --targets=sys-monitor state.apply monitor.configure
+```
+This state uses `file.append` to make sure that the suricata service is unmasked in the qube.
+The command is run from /rw/config/rc.local: file.append` is used to alter that file.
+`file.append` will only add the text if it is not already present.
diff --git a/monitor/clone.sls b/monitor/clone.sls
new file mode 100644
index 0000000..46dad8f
--- /dev/null
+++ b/monitor/clone.sls
@@ -0,0 +1,16 @@
+monitor_precursor:
+ qvm.template_installed:
+ - name: debian-12-minimal
+
+qvm-clone-monitor:
+ qvm.clone:
+ - name: template-monitor
+ - source: debian-12-minimal
+
+qvm-features-template-monitor:
+ qvm.features:
+ - name: template-monitor
+ - set:
+ - menu-items: "org.wireshark.Wireshark.desktop debian-uxterm.desktop"
+ - default-menu-items: "org.wireshark.Wireshark.desktop debian-uxterm.desktop"
+
diff --git a/monitor/clone.top b/monitor/clone.top
new file mode 100644
index 0000000..3e2a82a
--- /dev/null
+++ b/monitor/clone.top
@@ -0,0 +1,4 @@
+base:
+ dom0:
+ - match: nodegroup
+ - monitor.clone
diff --git a/monitor/configure.sls b/monitor/configure.sls
new file mode 100644
index 0000000..594f0d9
--- /dev/null
+++ b/monitor/configure.sls
@@ -0,0 +1,9 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+{% if grains['nodename'] != 'dom0' %}
+
+/rw/config/rc.local:
+ file.append:
+ - text: systemctl unmask suricata
+
+{% endif %}
diff --git a/monitor/create.sls b/monitor/create.sls
new file mode 100644
index 0000000..13d3021
--- /dev/null
+++ b/monitor/create.sls
@@ -0,0 +1,31 @@
+include:
+ - monitor.clone
+
+qvm-present-monitor:
+ qvm.present:
+ - name: sys-monitor
+ - template: template-monitor
+ - label: green
+
+qvm-prefs-monitor:
+ qvm.prefs:
+ - name: sys-monitor
+ - netvm: sys-net
+ - memory: 400
+ - maxmem: 1500
+ - vcpus: 2
+ - provides-network: True
+
+qvm-features-monitor:
+ qvm.features:
+ - name: sys-monitor
+ - ipv6: ''
+ - disable:
+ - service.cups
+ - service.cups-browsed
+ - service.tinyproxy
+ - set:
+ - menu-items: "org.wireshark.Wireshark.desktop debian-uxterm.desktop"
+
+'qvm-volume extend sys-monitor:private 40G' :
+ cmd.run
diff --git a/monitor/create.top b/monitor/create.top
new file mode 100644
index 0000000..0b78cda
--- /dev/null
+++ b/monitor/create.top
@@ -0,0 +1,4 @@
+base:
+ dom0:
+ - match: nodegroup
+ - monitor.create
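Review bot: In configure.sls the `file.append` on `/rw/config/rc.local` enforces neither the file's existence nor its mode, so if the AppVM's rc.local is missing or not executable at first boot (whether a stock, executable one is present is not visible here), the appended `systemctl unmask suricata` line ends up in a plain text file that never runs. Adding a `file.managed` entry under the same id, with `- mode: '0755'` and `- replace: False`, ahead of the `file.append` guarantees an executable file without overwriting any existing contents. A short comment on the `- text:` line that this only unmasks suricata and that starting it remains a manual step, as the README describes, would keep a later editor from wiring an automatic `start` into rc.local unintentionally.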
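Review bot: The `'qvm-volume extend sys-monitor:private 40G'` `cmd.run` at the end of create.sls is not idempotent: every `state.apply monitor.create` re-executes it, and a second run against a volume already at 40G may fail or at best report a spurious change (how `qvm-volume extend` behaves on an equal size is not verifiable from this hunk). Guard it with an `- unless:` clause that checks the current private-volume size, e.g. `- unless: test "$(qvm-volume info sys-monitor:private size)" -ge 42949672960` if that command prints the size in bytes on your Qubes release — confirm before relying on it. A header comment explaining that `include: - monitor.clone` makes this state depend on the template existing, and why the private volume is grown to 40G (presumably capture storage), would also help the next maintainer.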
diff --git a/monitor/install.sls b/monitor/install.sls
new file mode 100644
index 0000000..037c413
--- /dev/null
+++ b/monitor/install.sls
@@ -0,0 +1,56 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+#
+#
+
+{% if salt['pillar.get']('update_proxy:caching') %}
+{% set proxy = 'cacher' %}
+{% endif %}
+
+{% if grains['nodename'] != 'dom0' %}
+{% if grains['os_family']|lower == 'debian' %}
+{% if grains['nodename']|lower != 'host' %}
+{% if proxy == 'cacher' %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+{{ repo }}_baseurl:
+ file.replace:
+ - name: {{ repo }}
+ - pattern: 'https://'
+ - repl: 'http://HTTPS///'
+ - flags: [ 'IGNORECASE', 'MULTILINE' ]
+ - backup: False
+
+{% endfor %}
+
+/etc/apt/sources.list:
+ file.replace:
+ - name: /etc/apt/sources.list
+ - pattern: 'https:'
+ - repl: 'http://HTTPS/'
+ - flags: [ 'IGNORECASE', 'MULTILINE' ]
+ - backup: False
+
+{% endif %}
+
+installed:
+ pkg.installed:
+ - pkgs:
+ - qubes-core-agent-networking
+ - qubes-core-agent-passwordless-root
+ - mate-notification-daemon
+ - suricata
+ - tcpdump
+ - tcpflow
+ - wireshark
+
+systemd-disable-suricata:
+ cmd.run:
+ - name: systemctl disable suricata
+
+systemd-mask-suricata:
+ cmd.run:
+ - name: systemctl mask suricata
+
+{% endif %}
+{% endif %}
+{% endif %}
diff --git a/monitor/install.top b/monitor/install.top
new file mode 100644
index 0000000..ccbda6a
--- /dev/null
+++ b/monitor/install.top
@@ -0,0 +1,5 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+ template-monitor:
+ - monitor.install
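Review bot: `proxy` is only assigned inside the pillar `{% if %}` at the top of install.sls, so when `update_proxy:caching` is unset the later `{% if proxy == 'cacher' %}` compares an undefined Jinja name; with Salt's default Undefined that is merely False, but a strict-undefined renderer would abort the whole state. Collapsing the three lines into `{% set proxy = 'cacher' if salt['pillar.get']('update_proxy:caching') else '' %}` keeps the variable always defined. The two `cmd.run` states at the end (`systemctl disable suricata`, `systemctl mask suricata`) re-run and report a change on every apply; the `service.disabled` and `service.masked` states express the same intent idempotently. A one-line comment above the `for` loop noting that the `https://` → `http://HTTPS///` rewrite deliberately routes repository fetches through the caching proxy in the clear, so package integrity then rests on apt's signature verification rather than on transport, would document the trade-off for whoever next touches the repo handling.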