56 Commits

Author SHA1 Message Date
Marco Cadetg
5a059a3a12 feat: add Landlock sandbox and capability dropping for Linux (#86)
* feat: add Landlock sandbox and capability dropping for Linux

- Restrict filesystem access to /proc only after initialization
- Block TCP bind/connect on kernel 6.4+ (network sandbox)
- Drop CAP_NET_RAW after pcap handle opened
- Add --no-sandbox and --sandbox-strict CLI options
- Show privilege info on non-Linux platforms in UI
- Add SECURITY.md documentation

* fix: remove unused set_sandbox_info and hide Landlock line on non-Linux

* fix: gate SandboxInfo to Linux only to fix clippy warnings

* fix: add is_admin() function for Windows builds

The Windows build was failing because ui.rs called crate::is_admin()
but the function didn't exist. Added the implementation using Windows
Security API to check if the process has elevated privileges.

Also added Win32_Security feature to windows crate dependencies.

* fix: add is_admin() to main.rs for Windows binary crate

The previous fix added is_admin() to lib.rs but ui.rs is compiled
as part of the binary crate (main.rs), not the library crate.
Added the function to main.rs so crate::is_admin() resolves correctly.
2025-12-06 17:50:21 +01:00
Marco Cadetg
3a8e8614bc feat: reorganize platform code into per-platform directories (#81)
* feat: reorganize platform code into per-platform directories

- Move platform files into linux/, macos/, windows/, freebsd/ subdirectories
- Unify create_process_lookup() API with _use_pktap parameter across all platforms
- Update build.rs paths for eBPF program location
- Reduce cfg attributes in main mod.rs from ~42 to 8

* fix: widen tolerance for test_sliding_window_no_skip_first_sample

Increase acceptable range from 9000-11000 to 5000-15000 to account
for timing variability on macOS ARM CI runners.

* docs: update Linux build dependencies and remove EBPF_BUILD.md

- Add missing build-essential, pkg-config, zlib1g-dev to documentation
- Update rust.yml CI with complete dependencies
- Remove EBPF_BUILD.md (info already in INSTALL.md)
- Update references in README.md and ARCHITECTURE.md
2025-11-30 18:08:11 +01:00
Marco Cadetg
6e1426170b Feature/interface stats (#79)
* feat: adding interface stats

* macOS specific improvements

* fix windows interface stats
2025-11-22 17:34:53 +01:00
Marco Cadetg
dda39e5cdf feat: add TCP network analytics with retransmission detection (#72)
Adds real-time TCP connection quality monitoring:
- Retransmission detection via sequence number analysis
- Out-of-order packet tracking
- Fast retransmit detection (RFC 2581)
- Per-connection and aggregate statistics
- Network Stats panel in UI
- Platform-independent implementation using pcap data

Statistics show both active (current connections) and total
(cumulative) counts. Individual connection details display
per-connection metrics for troubleshooting network issues.
2025-11-14 12:38:38 +01:00
Marco Cadetg
8822af9793 chore: update README.md a bit 2025-11-02 20:13:51 +01:00
Marco Cadetg
dc32e4a9f5 Add Homebrew installation instructions to README
Added Homebrew installation instructions for macOS and Linux.
2025-11-02 19:52:42 +01:00
Marco Cadetg
85b2662c85 feat: add freebsd (#71)
* feat: add freebsd
2025-11-02 19:47:26 +01:00
Marco Cadetg
a0e1e6d080 feat: sort bandwidth by combined up+down total (#64)
Changed bandwidth sorting to use the sum of upload and download speeds
instead of separate sorting for each direction. This provides a simpler
way to identify connections with the highest total bandwidth usage.

- Replace BandwidthDown/BandwidthUp with single BandwidthTotal enum
- Update sort logic to calculate combined rates
- Simplify UI to show "Down/Up ↓/↑" indicator
- Update documentation and tests
2025-10-25 20:58:20 +02:00
Marco Cadetg
4ae965a8a4 feat: remove CAP_NET_ADMIN and CAP_SYS_ADMIN, use read-only packet capture (#59)
Remove CAP_NET_ADMIN requirement and eliminate need for CAP_SYS_ADMIN on
modern kernels by using non-promiscuous mode for packet capture. This
significantly reduces security surface by following principle of least privilege.
2025-10-19 17:03:58 +02:00
Marco Cadetg
a402cdd545 docs: add Ubuntu PPA and Fedora COPR installation instructions (#48)
- Add Ubuntu PPA section to INSTALL.md (requires Ubuntu 25.10+)
- Add Fedora COPR section to INSTALL.md (requires Fedora 42+)
- Update README.md Quick Start with PPA/COPR as recommended methods
- Add GitHub Actions workflow to auto-update RPM spec version on tag push
2025-10-14 10:33:42 +02:00
Marco Cadetg
52fb1c2cce feat: make eBPF default on Linux (#46)
Make eBPF the default build configuration on Linux for better
performance and lower overhead process identification.

Changes:
- Set default features to include ebpf in Cargo.toml
- Remove explicit --features linux-default from build configs
- Update all documentation to reflect eBPF is now default
- Add instructions for building without eBPF (--no-default-features)

eBPF automatically falls back to procfs if it fails to load.

Closes #32
2025-10-12 13:53:11 +02:00
Marco Cadetg
811c0f8659 docs: add contributors 2025-10-12 09:11:59 +02:00
Marco Cadetg
529cab9d12 fix: eliminate excessive procfs scanning causing high CPU usage (#45)
The procfs-based process lookup was triggering a full scan on every cache
miss instead of relying on periodic refresh. This caused 50+ full procfs
scans per enrichment cycle when multiple connections lacked process info.

Changed get_process_for_connection() to do simple cache lookups only.
Periodic refresh (every 5s) is already handled by the enrichment thread.

Also added PROFILING.md with flamegraph profiling guide.
2025-10-11 16:40:47 +02:00
Marco Cadetg
b6b593056c docs: restructure documentation into focused files
Split large README.md (1101 lines) into separate documentation files
for better organization and maintainability:

- README.md: condensed to 233 lines with quick start and overview
- INSTALL.md: complete installation guide and permissions setup
- USAGE.md: detailed usage guide with filtering and sorting
- ARCHITECTURE.md: technical details and platform implementations
- EBPF_BUILD.md: updated references to new INSTALL.md structure

Added collapsible sections in README for optional details and
included "Documentation Moved" section for backward compatibility
with external links.
2025-10-09 13:12:47 +02:00
Marco Cadetg
24efc498f5 chore: fedora copr install instructions 2025-10-04 20:23:19 +02:00
Marco Cadetg
6a8e738a63 feat: implement Windows process identification via IP Helper API (#37)
- Add Windows process lookup using GetExtendedTcpTable/GetExtendedUdpTable
- Resolve process names via OpenProcess and QueryFullProcessImageNameW
- Support TCP/UDP IPv4 and IPv6 connections
- Implement time-based caching with 2-second TTL
- Fix port byte order conversion from network to host order
- Migrate from winapi to windows crate (v0.59)
- Add debug logging for process lookup operations
- Update documentation in ROADMAP.md and README.md

Closes #36
2025-10-04 16:32:08 +02:00
Marco Cadetg
80b5b0c2c1 feat: privilege detection (#31)
* feat: detect insufficient privileges before network interface access

- Add privilege detection module for Linux, macOS, and Windows
- Check privileges before TUI initialization for visible errors
- Provide platform-specific instructions (sudo, setcap, Docker flags)
- Detect container environments and provide Docker-specific guidance
2025-10-04 15:33:42 +02:00
Marco Cadetg
97ae20cd7b chore: document arch linux installation 2025-10-03 15:25:53 +02:00
Marco Cadetg
9ac3714ca4 fix: windows msi missing VC++ dist (#26)
- Add startup check that detects missing Npcap/WinPcap DLLs
- Display helpful error message with installation instructions
- Update README with note about runtime dependency checking
- Add winapi dependency for Windows DLL detection
2025-10-01 20:17:37 +02:00
Marco Cadetg
34fcec5273 feat: vim style g and shift G jump beginning / end 2025-10-01 18:25:23 +02:00
Marco Cadetg
e2bba4c854 fix: any interface on linux and add --show-localhost (#25) 2025-10-01 18:10:24 +02:00
Marco Cadetg
ebdbff6b7c feat: improve connection navigation and cleanup indication (#23) 2025-10-01 17:08:28 +02:00
Marco Cadetg
aac52a79d4 feat: adding sort (#22) 2025-10-01 10:53:56 +02:00
Marco Cadetg
5c656130e0 feat: add port option with using p (#21) 2025-10-01 07:36:30 +02:00
Marco Cadetg
42db7f5614 fix: release workflow (#17)
* Remove musl targets to simplify Linux builds and fix cross-compilation issues
* Enable eBPF by default on Linux via linux-default feature for better packet capture
* Add macOS code signing and notarization support with graceful fallback for unsigned builds
* Fix Windows MSI packaging with improved WiX configuration and Npcap library linking
* Auto-extract changelog content from CHANGELOG.md into GitHub release notes
* Fix ARM cross-compilation (aarch64, armv7) with proper library paths and eBPF support
* Add comprehensive installation documentation for DMG, MSI, DEB, and RPM packages
* Allow re-running releases with --clobber flag for artifact uploads
2025-09-30 09:39:26 +02:00
Marco Cadetg
799d66cf86 feat: Add experimental eBPF support for enhanced socket tracking (#11)
* feat: Add experimental eBPF support for enhanced socket tracking

- Implement eBPF-based socket tracker for Linux with CO-RE support
- Add minimal vmlinux header (5.5KB) instead of full 3.4MB file
- Create graceful fallback mechanism to procfs when eBPF unavailable
- Add comprehensive eBPF build documentation
- Integrate libbpf-rs for eBPF program loading and management
- Support both IPv4 and IPv6 socket tracking
- Add capability checking for required permissions

The eBPF feature is optional and disabled by default. When enabled,
it provides faster and more accurate process-to-socket mapping on
Linux systems with appropriate permissions.
2025-09-18 11:46:03 +02:00
Marco Cadetg
47d9748fba Update README.md badges
Removed unused badges and added Docker image badge.
2025-09-12 21:09:18 +02:00
Marco Cadetg
3b1e798c6f chore: readme badges 2025-09-12 20:54:31 +02:00
Marco Cadetg
ffdad67266 Update cross-platform support information in README 2025-09-12 18:02:07 +02:00
Marco Cadetg
3d4b1a8121 feat: successfully tested on windows 2025-09-12 17:57:49 +02:00
Marco Cadetg
bac2dce1e1 chore: adding cargo install instructions 2025-09-12 12:19:28 +02:00
Marco Cadetg
459504ebb6 feat: ssh dpi 2025-09-11 12:32:53 +02:00
Marco Cadetg
d07ec2ae77 add docker container 2025-09-10 14:33:03 +02:00
Marco Cadetg
8982d24abd implement option to filter for state 2025-09-10 11:35:34 +02:00
Marco Cadetg
445f70f1e8 option to filter connections 2025-09-09 15:35:16 +02:00
Marco Cadetg
523568a57a Fix image syntax in README.md 2025-09-07 15:35:06 +02:00
Marco Cadetg
5055b7846e adding rustnet gif
ne#
2025-09-07 15:32:11 +02:00
Marco Cadetg
3d51cb92b7 doc: tone it down a bit... 2025-09-03 15:56:26 +02:00
Marco Cadetg
4b941a57b0 adding asciicast demo 2025-08-30 13:45:06 +02:00
Marco Cadetg
d7cc812fcb splitting documentation between release, roadmap and README.md 2025-08-28 15:37:40 +02:00
Marco Cadetg
338952ec92 timeout no longer configurable 2025-08-28 14:30:59 +02:00
Marco Cadetg
427d738426 improve connection state tracking 2025-08-28 14:28:10 +02:00
Marco Cadetg
5aa5999db4 updated changelog and readme 2025-08-27 17:50:24 +02:00
Marco Cadetg
48c9445117 document release process 2025-08-27 17:44:28 +02:00
Marco Cadetg
f183417216 use pktap on mac to retrieve process information 2025-08-27 17:43:54 +02:00
Marco Cadetg
6180bf1a23 adding permission section in README.md 2025-08-27 14:29:10 +02:00
Marco Cadetg
6abf95e53e update logging to be optional and by default not enabled 2025-08-27 09:12:58 +02:00
Marco Cadetg
f63919e34c update README.md 2025-08-07 17:59:35 +02:00
Marco Cadetg
f1d199dec7 adding TODOs 2025-08-02 15:13:04 +02:00
Marco Cadetg
0753c51444 acknowledge viby vibe 2025-08-02 15:00:31 +02:00