rustnet/ROADMAP.md

RustNet Roadmap

This document outlines the planned features and improvements for RustNet.

Platform Support

• macOS Support: Full support including:
  • BPF device access and permissions setup
  • PKTAP (Packet Tap) headers for process identification from packet metadata
  • Fallback to lsof system commands for process-socket associations
  • DMG installation packages for Apple Silicon and Intel
  • Homebrew installation support
• Windows Support: Full functionality working with:
  • Npcap SDK and runtime integration
  • MSI installation packages for 64-bit and 32-bit
  • Process identification via Windows IP Helper API (GetExtendedTcpTable/GetExtendedUdpTable)
• FreeBSD Support: Full support including:
  • Process identification via sockstat command parsing
  • BPF device access and permissions setup
  • Native libpcap packet capture
  • Cross-compilation support from Linux
• OpenBSD and NetBSD Support: Future platforms to support
• Linux Process Identification: Experimental eBPF Support Implemented - Basic eBPF-based process identification now available with --features ebpf. Provides efficient kernel-level process-to-connection mapping with lower overhead than procfs. Currently has limitations (see eBPF Improvements section below).

eBPF Improvements (Linux)

The experimental eBPF support provides efficient process identification but has several areas for improvement:

Current Limitations

• Process Names Limited to 16 Characters: Uses kernel comm field, causing truncation (e.g., "Firefox" → "Socket Thread")
• Thread Names vs Process Names: Shows thread command names instead of full executable names

Planned Improvements

• Hybrid eBPF + Procfs Approach: Use eBPF for connection tracking, selectively lookup full process names via procfs for better accuracy
• Full Executable Path Resolution: Investigate accessing full process executable path from eBPF programs
• Better Process-Thread Mapping: Improve mapping from thread IDs to parent process information
• Enhanced BTF Support: Better compatibility across different kernel versions and distributions
• Performance Optimizations: Reduce eBPF map lookups and improve connection-to-process matching efficiency

Future Enhancements

• Real-time Process Updates: Track process name changes and executable updates
• Container Support: Better process identification within containerized environments
• Security Context: Include process security attributes (capabilities, SELinux context, etc.)

Features

Monitoring & Protocol Support

• Real-time Network Monitoring: Monitor active TCP, UDP, ICMP, and ARP connections
• Connection States: Comprehensive state tracking for:
  • TCP states (ESTABLISHED, SYN_SENT, TIME_WAIT, CLOSED, etc.)
  • QUIC states (QUIC_INITIAL, QUIC_HANDSHAKE, QUIC_CONNECTED, QUIC_DRAINING)
  • DNS states (DNS_QUERY, DNS_RESPONSE)
  • SSH states (BANNER, KEYEXCHANGE, AUTHENTICATION, ESTABLISHED)
  • Activity states (UDP_ACTIVE, UDP_IDLE, UDP_STALE)
• Deep Packet Inspection (DPI): Application protocol detection:
  • HTTP with host information
  • HTTPS/TLS with SNI (Server Name Indication)
  • DNS queries and responses
  • SSH connections with version detection, software identification, and state tracking
  • QUIC protocol with CONNECTION_CLOSE frame detection and RFC 9000 compliance
• DPI Enhancements: Improve deep packet inspection capabilities:
  • Support more protocols (e.g. FTP, SMTP, IMAP, etc.)
  • More accurate SNI detection for QUIC/HTTPS
• Connection Lifecycle Management: Smart protocol-aware timeouts with visual staleness indicators (yellow at 75%, red at 90%)
• Process Identification: Associate network connections with running processes (with experimental eBPF support on Linux)
• Service Name Resolution: Identify well-known services using port numbers
• Cross-platform Support: Works on Linux, macOS, Windows, and FreeBSD
• DNS Reverse Lookup: Add optional hostname resolution (toggle between IP and hostname display)
• IPv6 Support: Full IPv6 connection tracking and display, including DNS resolution (needs testing)

Filtering & Search

• Advanced Filtering: Real-time vim/fzf-style filtering with:
  • Navigate while typing filters
  • Fuzzy search across all connection fields including DPI data
  • Keyword filters: port:, src:, dst:, sni:, process:, sport:, dport:, ssh:, state:
  • State filtering for all protocol states
• Search/Filter Enhancements:
  • Regular expression support

Sorting & Display

• Sorting: Comprehensive table sorting with:
  • Sort by all columns: Protocol, Local/Remote Address, State, Service, Application, Bandwidth (Down/Up), Process
  • Intuitive left-to-right column cycling with s key
  • Direction toggle with S (Shift+s) for ascending/descending
  • Visual indicators: cyan/underlined active column, arrows showing direction
  • Smart defaults: bandwidth descending (show hogs), text ascending (alphabetical)
  • Bandwidth sorting: sorts by combined up+down bandwidth total
  • Seamless integration with filtering

Performance & Architecture

• Multi-threaded Processing: Concurrent packet processing across multiple threads
• Optional Logging: Detailed logging with configurable log levels (disabled by default)

Packaging & Distribution

• Package Distribution: Pre-built packages available:
  • macOS DMG packages: Apple Silicon and Intel (via GitHub Actions release workflow)
  • Windows MSI packages: 64-bit and 32-bit (via cargo-wix)
  • Linux DEB packages: amd64, arm64, armhf (via cargo-deb)
  • Linux RPM packages: x86_64, aarch64 (via cargo-generate-rpm)
  • Cargo crates.io: Published as rustnet-monitor (version 0.10.0+)
  • Docker images: Available on GitHub Container Registry with eBPF support
  • Homebrew formula: Available in separate tap repository (domcyrus/rustnet)

Future Enhancements

• Internationalization (i18n): Support for multiple languages in the UI
• Connection History: Store and display historical connection data
• Export Functionality: Export connections to CSV/JSON formats
• Configuration File: Support for persistent configuration (filters, UI preferences)
• Connection Alerts: Notifications for new connections or suspicious activity
• GeoIP Integration: Maybe add geographical location of remote IPs
• Protocol Statistics: Summary view of protocol distribution
• Rate Limiting Detection: Identify connections with unusual traffic patterns

UI Improvements

• Terminal User Interface: TUI built with ratatui with adjustable column widths
• Sortable Columns: Keyboard-based sorting by all table columns
• Keyboard Controls: Comprehensive keyboard navigation (q, Ctrl+C, Tab, arrows, j/k, PageUp/Down, Enter, Esc, c, p, s, S, h, /)
• Connection Details View: Detailed information about selected connections (Enter key)
• Help Screen: Toggle help screen with keyboard shortcuts (h key)
• Clipboard Support: Copy remote address to clipboard (c key)
• Service/Port Toggle: Toggle between service names and port numbers (p key)
• Resizable Columns: Dynamic column width adjustment
• Connection Grouping: Group connections by process/service
• ASCII Graphs: Terminal-based graphs for bandwidth/packet visualization
• Mouse Support: Click to select connections
• Split Pane View: Show multiple views simultaneously

Development

• Unit Tests: Basic unit tests in 12+ source modules (DPI protocols, filtering, services, network capture, etc.)
• Integration Tests: Platform-specific integration tests for Linux and macOS (tests/integration_tests.rs)
• Comprehensive Test Coverage: Expand test coverage across all modules
• CI/CD Pipeline: Automated builds and releases for all platforms (GitHub Actions)
  • Release workflow: Multi-platform builds with cross-compilation
  • Docker workflow: Automated Docker image builds
  • Rust workflow: Basic CI checks
• Documentation: Comprehensive README with usage guides, architecture overview, and troubleshooting
• Packaging/Distribution: Create packages for easy installation on Linux, macOS, and Windows
  • DMG packages with code signing
  • MSI packages with code signing for Windows