diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index ae183ca985cc..d9693c1d2126 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -148,6 +148,7 @@
 ./programs/alvr.nix
 ./programs/appgate-sdp.nix
 ./programs/appimage.nix
+ ./programs/arp-scan.nix
 ./programs/atop.nix
 ./programs/ausweisapp.nix
 ./programs/autojump.nix
@@ -296,6 +297,7 @@
 ./programs/sysdig.nix
 ./programs/system-config-printer.nix
 ./programs/systemtap.nix
+ ./programs/tcpdump.nix
 ./programs/thefuck.nix
 ./programs/thunar.nix
 ./programs/thunderbird.nix
diff --git a/nixos/modules/programs/arp-scan.nix b/nixos/modules/programs/arp-scan.nix
new file mode 100644
index 000000000000..3580148f637a
--- /dev/null
+++ b/nixos/modules/programs/arp-scan.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.programs.arp-scan;
+in
+{
+ options = {
+ programs.arp-scan = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to configure a setcap wrapper for arp-scan.
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.wrappers.arp-scan = {
+ owner = "root";
+ group = "root";
+ capabilities = "cap_net_raw+p";
+ source = lib.getExe pkgs.arp-scan;
+ };
+ };
+}
diff --git a/nixos/modules/programs/iftop.nix b/nixos/modules/programs/iftop.nix
index d6e56c8fded6..dee64502e7f7 100644
--- a/nixos/modules/programs/iftop.nix
+++ b/nixos/modules/programs/iftop.nix
@@ -1,10 +1,16 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:

 let
 cfg = config.programs.iftop;
-in {
+in
+{
 options = {
- programs.iftop.enable = lib.mkEnableOption "iftop + setcap wrapper";
+ programs.iftop.enable = lib.mkEnableOption "iftop and setcap wrapper for it";
 };
 config = lib.mkIf cfg.enable {
 environment.systemPackages = [ pkgs.iftop ];
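Review bot: In nixos/modules/programs/arp-scan.nix, `security.wrappers.arp-scan` sets `group = "root";` and no `permissions`, so the wrapper falls back to the wrappers module's default mode, which I believe is `u+rx,g+x,o+x`; that would let every local account run arp-scan with `cap_net_raw`. The tcpdump module added in this same commit restricts its wrapper with `group = "pcap";` and `permissions = "u+rx,g+x";`. Either gate arp-scan behind a dedicated group the same way, or extend the option description to say who gets access, e.g. `Every local user will be able to run arp-scan with raw-socket access.`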
@@ -12,7 +18,7 @@ in {
 owner = "root";
 group = "root";
 capabilities = "cap_net_raw+p";
- source = "${pkgs.iftop}/bin/iftop";
+ source = lib.getExe pkgs.iftop;
 };
 };
 }
diff --git a/nixos/modules/programs/tcpdump.nix b/nixos/modules/programs/tcpdump.nix
new file mode 100644
index 000000000000..396a9ce9c9d6
--- /dev/null
+++ b/nixos/modules/programs/tcpdump.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.programs.tcpdump;
+in
+{
+ options = {
+ programs.tcpdump = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to configure a setcap wrapper for tcpdump.
+ To use it, add your user to the `pcap` group.
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.wrappers.tcpdump = {
+ owner = "root";
+ group = "pcap";
+ capabilities = "cap_net_raw+p";
+ permissions = "u+rx,g+x";
+ source = lib.getExe pkgs.tcpdump;
+ };
+
+ users.groups.pcap = { };
+ };
+}
diff --git a/nixos/modules/programs/traceroute.nix b/nixos/modules/programs/traceroute.nix
index 0864dbe79db6..0b2a78aff6db 100644
--- a/nixos/modules/programs/traceroute.nix
+++ b/nixos/modules/programs/traceroute.nix
@@ -1,8 +1,14 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:

 let
 cfg = config.programs.traceroute;
-in {
+in
+{
 options = {
 programs.traceroute = {
 enable = lib.mkOption {
@@ -20,7 +26,7 @@ in {
 owner = "root";
 group = "root";
 capabilities = "cap_net_raw+p";
- source = "${pkgs.traceroute}/bin/traceroute";
+ source = lib.getExe pkgs.traceroute;
 };
 };
 }
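Review bot: `source = lib.getExe pkgs.iftop;` in nixos/modules/programs/iftop.nix makes the binary that receives `cap_net_raw` depend on the package's `meta.mainProgram`, which this diff does not show. The same applies to the `lib.getExe` calls in traceroute.nix, arp-scan.nix and tcpdump.nix. Please confirm that each of the four packages sets `meta.mainProgram` to the intended executable; where one does not, keep the explicit path or use `lib.getExe' pkgs.iftop "iftop"`. The enclosing wrapper attribute set starts outside this hunk.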
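Review bot: The `description` in nixos/modules/programs/tcpdump.nix tells users to join `pcap` but does not say what that membership grants. Anyone in the group can run tcpdump with `cap_net_raw`, which means capturing traffic on the host's interfaces, so the group is effectively a privileged role and should be documented as one. I would add a sentence to the description such as `Members of the pcap group can capture all network traffic visible to this machine; grant membership accordingly.`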