Changed bandwidth sorting to use the sum of upload and download speeds
instead of separate sorting for each direction. This provides a simpler
way to identify connections with the highest total bandwidth usage.
- Replace BandwidthDown/BandwidthUp with single BandwidthTotal enum
- Update sort logic to calculate combined rates
- Simplify UI to show "Down/Up ↓/↑" indicator
- Update documentation and tests
- Change sliding window from 5s to 10s for stable measurements
- Increase max_samples from 100 to 20,000 to preserve full time window
- Fix minimum time span threshold from 100ms to 1s for stability
- Remove skip(1) bug that excluded first sample from calculations
- Remove artificial decay logic causing rate drops during transfers
- Add idle connection detection for proper zero-rate display
- Update tests for 1s minimum requirement and add edge case coverage
Remove CAP_NET_ADMIN requirement and eliminate need for CAP_SYS_ADMIN on
modern kernels by using non-promiscuous mode for packet capture. This
significantly reduces security surface by following principle of least privilege.
- Add automated PPA build workflow for Ubuntu 22.04 and 24.04
- Build and sign packages using CI GPG key
- Auto-upload to ppa:domcyrus/rustnet on git tags
- Add complete Debian packaging files
- eBPF enabled by default on Linux for enhanced performance
- JSON logging for SIEM integration
- TUN/TAP interface support for VPN monitoring
- Fix: Eliminated excessive procfs scanning causing high CPU usage
- Fedora COPR RPM packaging
- Bundled vmlinux.h files for improved build reliability
Make eBPF the default build configuration on Linux for better
performance and lower overhead process identification.
Changes:
- Set default features to include ebpf in Cargo.toml
- Remove explicit --features linux-default from build configs
- Update all documentation to reflect eBPF is now default
- Add instructions for building without eBPF (--no-default-features)
eBPF automatically falls back to procfs if it fails to load.
Closes#32
Add --json-log flag to output connection events as JSON lines.
Logs new_connection and connection_closed events with IPs, ports,
protocol, DPI info, and traffic statistics for SIEM tools.
The procfs-based process lookup was triggering a full scan on every cache
miss instead of relying on periodic refresh. This caused 50+ full procfs
scans per enrichment cycle when multiple connections lacked process info.
Changed get_process_for_connection() to do simple cache lookups only.
Periodic refresh (every 5s) is already handled by the enrichment thread.
Also added PROFILING.md with flamegraph profiling guide.
* feat: add TUN/TAP interface support
Add comprehensive support for TUN/TAP virtual network interfaces by
refactoring link layer parsing into modular components.
New modules:
- link_layer: Modular packet parsing (ethernet, raw_ip, linux_sll, tun_tap)
- protocol: Dedicated TCP/UDP/ICMP parsers
Changes:
- Remove TUN/TAP interface exclusions in capture.rs
- Add TUN/TAP detection and parsing support
- macOS PKTAP support with conditional compilation
Platform compatibility:
- Linux: Full TUN/TAP support
- macOS: TUN (utun*) and TAP support
- Windows: No breaking changes
Fixes#39
Adds documentation explaining why musl static builds are not currently provided
and the technical challenges encountered during implementation attempts.
The main issue appears to be related to statically linking libpcap with musl,
which resulted in linker errors. The ubuntu-22.04 pinning already solves the
GLIBC compatibility issue reported in #40.
This document serves as a reference for anyone interested in pursuing musl
builds in the future.
Split large README.md (1101 lines) into separate documentation files
for better organization and maintainability:
- README.md: condensed to 233 lines with quick start and overview
- INSTALL.md: complete installation guide and permissions setup
- USAGE.md: detailed usage guide with filtering and sorting
- ARCHITECTURE.md: technical details and platform implementations
- EBPF_BUILD.md: updated references to new INSTALL.md structure
Added collapsible sections in README for optional details and
included "Documentation Moved" section for backward compatibility
with external links.
- Remove AppImage files (incompatible with capabilities/setcap)
- Add icon and desktop file to cargo-generate-rpm in Cargo.toml
- Add icon and desktop file to Fedora COPR spec file
- RPM packages now have proper desktop integration like DEB packages
- Windows process identification via IP Helper API
- Privilege detection with platform-specific guidance
- Fix packet length calculation for large packets
- Add Windows process lookup using GetExtendedTcpTable/GetExtendedUdpTable
- Resolve process names via OpenProcess and QueryFullProcessImageNameW
- Support TCP/UDP IPv4 and IPv6 connections
- Implement time-based caching with 2-second TTL
- Fix port byte order conversion from network to host order
- Migrate from winapi to windows crate (v0.59)
- Add debug logging for process lookup operations
- Update documentation in ROADMAP.md and README.md
Closes#36
* feat: detect insufficient privileges before network interface access
- Add privilege detection module for Linux, macOS, and Windows
- Check privileges before TUI initialization for visible errors
- Provide platform-specific instructions (sudo, setcap, Docker flags)
- Detect container environments and provide Docker-specific guidance
Fixes#34 - Extract actual packet size from IP header Total Length field
instead of using captured buffer length (limited by snaplen). This fixes
severe undercounting for large packets (NFS, jumbo frames).
dependabot[bot]