247 Commits

Author SHA1 Message Date
Marco Cadetg
52fb1c2cce feat: make eBPF default on Linux (#46)
Make eBPF the default build configuration on Linux for better
performance and lower overhead process identification.

Changes:
- Set default features to include ebpf in Cargo.toml
- Remove explicit --features linux-default from build configs
- Update all documentation to reflect eBPF is now default
- Add instructions for building without eBPF (--no-default-features)

eBPF automatically falls back to procfs if it fails to load.

Closes #32
2025-10-12 13:53:11 +02:00
Marco Cadetg
811c0f8659 docs: add contributors 2025-10-12 09:11:59 +02:00
Marco Cadetg
0fa0a61ab7 feat: add JSON logging for SIEM integration (#9) (#44)
Add --json-log flag to output connection events as JSON lines.
Logs new_connection and connection_closed events with IPs, ports,
protocol, DPI info, and traffic statistics for SIEM tools.
2025-10-12 09:11:08 +02:00
Marco Cadetg
529cab9d12 fix: eliminate excessive procfs scanning causing high CPU usage (#45)
The procfs-based process lookup was triggering a full scan on every cache
miss instead of relying on periodic refresh. This caused 50+ full procfs
scans per enrichment cycle when multiple connections lacked process info.

Changed get_process_for_connection() to do simple cache lookups only.
Periodic refresh (every 5s) is already handled by the enrichment thread.

Also added PROFILING.md with flamegraph profiling guide.
2025-10-11 16:40:47 +02:00
Marco Cadetg
0d55a86605 Add TUN/TAP interface support (#43)
* feat: add TUN/TAP interface support

Add comprehensive support for TUN/TAP virtual network interfaces by
refactoring link layer parsing into modular components.

New modules:
- link_layer: Modular packet parsing (ethernet, raw_ip, linux_sll, tun_tap)
- protocol: Dedicated TCP/UDP/ICMP parsers

Changes:
- Remove TUN/TAP interface exclusions in capture.rs
- Add TUN/TAP detection and parsing support
- macOS PKTAP support with conditional compilation

Platform compatibility:
- Linux: Full TUN/TAP support
- macOS: TUN (utun*) and TAP support
- Windows: No breaking changes

Fixes #39
2025-10-11 14:10:50 +02:00
Marco Cadetg
5ad0095b91 feat: make rustnet rusty again 2025-10-09 20:10:06 +02:00
Marco Cadetg
21f2814f35 docs: document musl static build challenges (#42)
Adds documentation explaining why musl static builds are not currently provided
and the technical challenges encountered during implementation attempts.

The main issue appears to be related to statically linking libpcap with musl,
which resulted in linker errors. The ubuntu-22.04 pinning already solves the
GLIBC compatibility issue reported in #40.

This document serves as a reference for anyone interested in pursuing musl
builds in the future.
2025-10-09 16:31:13 +02:00
Marco Cadetg
9f5ef592bf chore: use ubuntu 22.04 on linux x86 builds 2025-10-09 15:03:49 +02:00
Marco Cadetg
a51efe309b Update INSTALL.md 2025-10-09 13:14:31 +02:00
Marco Cadetg
b6b593056c docs: restructure documentation into focused files
Split large README.md (1101 lines) into separate documentation files
for better organization and maintainability:

- README.md: condensed to 233 lines with quick start and overview
- INSTALL.md: complete installation guide and permissions setup
- USAGE.md: detailed usage guide with filtering and sorting
- ARCHITECTURE.md: technical details and platform implementations
- EBPF_BUILD.md: updated references to new INSTALL.md structure

Added collapsible sections in README for optional details and
included "Documentation Moved" section for backward compatibility
with external links.
2025-10-09 13:12:47 +02:00
Marco Cadetg
b0f2d01510 Remove AppImage packaging and add desktop integration to RPM
- Remove AppImage files (incompatible with capabilities/setcap)
- Add icon and desktop file to cargo-generate-rpm in Cargo.toml
- Add icon and desktop file to Fedora COPR spec file
- RPM packages now have proper desktop integration like DEB packages
2025-10-09 12:49:33 +02:00
Marco Cadetg
0229fa1079 chore: update build dependencies 2025-10-09 12:21:58 +02:00
Marco Cadetg
0d02b99b79 Bundle vmlinux.h files to eliminate network dependency during builds (#41)
* feat: bundle vmlinux.h files to eliminate network dependency during builds

- Add bundled vmlinux.h for x86, aarch64, and arm (~3MB total)
- Remove network download code from build.rs
- Remove ureq dependency and transitive deps
- Update Dockerfile to copy bundled headers
- Remove obsolete vmlinux_min.h
- Update documentation to reflect bundled approach

Fixes #38
2025-10-09 12:07:40 +02:00
Marco Cadetg
24efc498f5 chore: fedora copr install instructions 2025-10-04 20:23:19 +02:00
Marco Cadetg
d029611024 feat: fedora copr rpm 2025-10-04 19:41:56 +02:00
Marco Cadetg
ed543746a0 Release v0.13.0
- Windows process identification via IP Helper API
- Privilege detection with platform-specific guidance
- Fix packet length calculation for large packets
v0.13.0
2025-10-04 16:54:04 +02:00
Marco Cadetg
6a8e738a63 feat: implement Windows process identification via IP Helper API (#37)
- Add Windows process lookup using GetExtendedTcpTable/GetExtendedUdpTable
- Resolve process names via OpenProcess and QueryFullProcessImageNameW
- Support TCP/UDP IPv4 and IPv6 connections
- Implement time-based caching with 2-second TTL
- Fix port byte order conversion from network to host order
- Migrate from winapi to windows crate (v0.59)
- Add debug logging for process lookup operations
- Update documentation in ROADMAP.md and README.md

Closes #36
2025-10-04 16:32:08 +02:00
Marco Cadetg
80b5b0c2c1 feat: privilege detection (#31)
* feat: detect insufficient privileges before network interface access

- Add privilege detection module for Linux, macOS, and Windows
- Check privileges before TUI initialization for visible errors
- Provide platform-specific instructions (sudo, setcap, Docker flags)
- Detect container environments and provide Docker-specific guidance
2025-10-04 15:33:42 +02:00
Marco Cadetg
c832718833 fix: use actual packet length from IP headers instead of captured length (#35)
Fixes #34 - Extract actual packet size from IP header Total Length field
instead of using captured buffer length (limited by snaplen). This fixes
severe undercounting for large packets (NFS, jumbo frames).
2025-10-03 21:20:52 +02:00
Marco Cadetg
2df8f14d6c chore: fix markdown checkbox syntax 2025-10-03 17:01:00 +02:00
Marco Cadetg
97ae20cd7b chore: document arch linux installation 2025-10-03 15:25:53 +02:00
Marco Cadetg
12a7d2e51a fix: add build dependencies to publish workflow v0.12.1 2025-10-02 09:07:41 +02:00
Marco Cadetg
7f7925b5e4 Release v0.12.1
- Improved crate metadata for crates.io publishing
2025-10-02 08:58:49 +02:00
Marco Cadetg
e22c95fec1 fix: remove vmlinux crate dep (#28)
* fix: remove vmlinux crate dep

* fix: download architecture-specific vmlinux.h at build time

Instead of using a git dependency (not allowed on crates.io), download the
architecture-specific vmlinux.h header at build time from the libbpf/vmlinux.h
repository. This approach:

- Removes git dependency from Cargo.toml (crates.io compatible)
- Downloads correct arch-specific header (x86, aarch64, arm)
- Caches downloaded headers in OUT_DIR (reuses between builds)
- Works with cargo install
- Supports cross-compilation for all architectures

The vmlinux.h file (~3-4MB per arch) is downloaded once per architecture
and cached, so subsequent builds are fast.

* fix: use ureq with rustls instead of http_req

http_req depends on native-tls/openssl-sys which requires OpenSSL to be
installed in the cross-compilation containers. Switch to ureq with the
rustls backend which has no system dependencies and works in all
cross-compilation environments.

* fix: follow symlink when downloading vmlinux.h

The vmlinux.h files in the libbpf/vmlinux.h repository are symlinks to
versioned files (e.g. vmlinux_6.14.h). When downloading via
raw.githubusercontent.com, we get the symlink content (just the target
filename) instead of the actual file.

Solution: Download the symlink first to get the target filename, then
download the actual versioned file. This ensures we get the full header
content instead of just the symlink text.

* add crate publish workflow
2025-10-02 08:49:20 +02:00
Marco Cadetg
df38754959 Release v0.12.0
### Added
- Vim-style navigation (g/G) for jumping to beginning/end of connection list
- Comprehensive table sorting functionality with visual indicators
- Port display toggle (p key) to switch between service names and port numbers
- Enhanced connection navigation with better cleanup indication
- Localhost filtering control with --show-localhost flag

### Fixed
- Windows double key event handling
- Windows MSI runtime dependency checks for Npcap/WinPcap
- Linux "any" interface selection
- Package dependencies cleanup (removed clang/llvm from RPM/DEB)
- Docker build stability (removed armv7)
v0.12.0
2025-10-01 20:48:22 +02:00
Marco Cadetg
9481cef4fd Fix windows double key issue (#27)
* fix: windows double key event
2025-10-01 20:28:39 +02:00
Marco Cadetg
9ac3714ca4 fix: windows msi missing VC++ dist (#26)
- Add startup check that detects missing Npcap/WinPcap DLLs
- Display helpful error message with installation instructions
- Update README with note about runtime dependency checking
- Add winapi dependency for Windows DLL detection
2025-10-01 20:17:37 +02:00
Marco Cadetg
34fcec5273 feat: vim style g and shift G jump beginning / end 2025-10-01 18:25:23 +02:00
Marco Cadetg
ac1c954d43 update roadmap 2025-10-01 18:19:56 +02:00
Marco Cadetg
e2bba4c854 fix: any interface on linux and add --show-localhost (#25) 2025-10-01 18:10:24 +02:00
Marco Cadetg
1cd719ab3b fix: allow any interface on linux (#24) 2025-10-01 17:41:38 +02:00
Marco Cadetg
ebdbff6b7c feat: improve connection navigation and cleanup indication (#23) 2025-10-01 17:08:28 +02:00
Marco Cadetg
aac52a79d4 feat: adding sort (#22) 2025-10-01 10:53:56 +02:00
Marco Cadetg
5c656130e0 feat: add port option with using p (#21) 2025-10-01 07:36:30 +02:00
Marco Cadetg
27a258abb8 fix: remove runtime deps clang, llvm from rpm, deb package 2025-09-30 21:56:23 +02:00
Marco Cadetg
dceb949652 fix: remove armv7 again for docker 2025-09-30 10:17:45 +02:00
Marco Cadetg
8ade340a36 Release v0.11.0
- Docker support with eBPF for enhanced Linux performance
- Multi-architecture Docker builds (amd64, arm64, armv7)
- Cross-platform packaging and release automation
- Fixed RPM package dependencies and Windows MSI packaging
- Improved release workflow automation
v0.11.0
2025-09-30 10:11:59 +02:00
Marco Cadetg
99c69e6f51 feat: ebpf docker builds 2025-09-30 09:59:22 +02:00
Marco Cadetg
225ed42359 fix: libelf dep in rpm 2025-09-30 09:46:06 +02:00
Marco Cadetg
42db7f5614 fix: release workflow (#17)
* Remove musl targets to simplify Linux builds and fix cross-compilation issues
* Enable eBPF by default on Linux via linux-default feature for better packet capture
* Add macOS code signing and notarization support with graceful fallback for unsigned builds
* Fix Windows MSI packaging with improved WiX configuration and Npcap library linking
* Auto-extract changelog content from CHANGELOG.md into GitHub release notes
* Fix ARM cross-compilation (aarch64, armv7) with proper library paths and eBPF support
* Add comprehensive installation documentation for DMG, MSI, DEB, and RPM packages
* Allow re-running releases with --clobber flag for artifact uploads
2025-09-30 09:39:26 +02:00
Marco Cadetg
d9798f9605 maybe fix windows msi packaging 2025-09-29 21:57:44 +02:00
Marco Cadetg
eca0e6000d feat: add cross-platform packaging and release automation
- Add GitHub Actions workflow for automated releases
- Create .deb, .rpm, AppImage, .dmg, and .msi packages
- Generate shell completions and manpages in build.rs
- Add platform-specific icons from rustnet3.svg
- Include eBPF dependencies for Linux packages
- Support Windows 32-bit and 64-bit builds
- Extract shared CLI module to prevent duplication
2025-09-29 11:56:55 +02:00
Marco Cadetg
b642205e38 Release v0.10.0
- Added minimum Rust version requirement (1.88.0+)
v0.10.0
2025-09-28 17:45:10 +02:00
DeepChirp
33e80645ef chore(Cargo.lock): change package version (#16) 2025-09-26 17:33:14 +02:00
Marco Cadetg
6d451c39df RustNet version bump 0.10.0 2025-09-26 08:46:31 +02:00
Marco Cadetg
4f5d84620b add minimum rust version 2025-09-26 08:43:36 +02:00
Marco Cadetg
56c229e384 Include Cargo.lock in release commit
Updated the release process to include Cargo.lock.
2025-09-18 13:15:28 +02:00
Marco Cadetg
6e89440114 Release v0.9.0
- Experimental eBPF support for enhanced Linux socket tracking
- Windows platform support
v0.9.0
2025-09-18 11:53:33 +02:00
Marco Cadetg
799d66cf86 feat: Add experimental eBPF support for enhanced socket tracking (#11)
* feat: Add experimental eBPF support for enhanced socket tracking

- Implement eBPF-based socket tracker for Linux with CO-RE support
- Add minimal vmlinux header (5.5KB) instead of full 3.4MB file
- Create graceful fallback mechanism to procfs when eBPF unavailable
- Add comprehensive eBPF build documentation
- Integrate libbpf-rs for eBPF program loading and management
- Support both IPv4 and IPv6 socket tracking
- Add capability checking for required permissions

The eBPF feature is optional and disabled by default. When enabled,
it provides faster and more accurate process-to-socket mapping on
Linux systems with appropriate permissions.
2025-09-18 11:46:03 +02:00
Marco Cadetg
47d9748fba Update README.md badges
Removed unused badges and added Docker image badge.
2025-09-12 21:09:18 +02:00