lanscope watches your network, figures out what every device is (vendor, type,
hostname, services) from the metadata it leaks (ARP, DHCP, mDNS/Bonjour, SSDP/UPnP),
and flags devices behaving anomalously. The high-performance capture path is built in
the kernel with eBPF (via aya, Rust-native eBPF); everything
else is safe userspace Rust with a Ratatui TUI.
Docs: ARCHITECTURE.md (design, module map, capture modes, and the eBPF verifier lessons); ml/README.md (the IoT-23 → ONNX pipeline).
Install
- crates.io: builds the userspace agent from source
- Arch Linux (AUR): prebuilt static binary
- Prebuilt static binary for any x86_64 / aarch64 Linux (no deps)
Then:
These ship the userspace agent (discovery + host-mode capture). The in-kernel eBPF backend for whole-LAN flow analysis (gateway/SPAN) needs a from-source build with the eBPF toolchain; see Build from source.
Where it sees traffic (read this first)
On a switched network, a host's NIC only sees traffic addressed to itself plus
broadcast/multicast. That shapes everything lanscope can do, so it runs in one of
three modes:
| Mode | Placement | Visibility |
|---|---|---|
| gateway | the router / a Pi inline | all device traffic: full flow features + ML |
| span | a switch SPAN/mirror port | same as gateway, not inline (no forwarding risk) |
| host | any laptop/desktop | this host's traffic + broadcast/multicast discovery |
Discovery (ARP/DHCP/mDNS/SSDP) works in every mode; that's how host mode still
maps your whole network. Per-device flow analysis and ML need gateway/span.
lanscope prints an explicit notice when a mode can't see whole-LAN traffic.
Architecture
```text
CaptureBackend -> decode -> DeviceRegistry -> Fingerprinter -> AnomalyDetector
(eBPF |          (ARP/DHCP/    (keyed by MAC)                       |
 portable)       mDNS/SSDP)         |                               |
                                    +------> Store <----------------+
                                               |
                                               v
                                       TUI / Prometheus
```
Everything hangs off trait seams so each stage is swappable and unit-testable:
- `CaptureBackend`: the key Dependency-Inversion boundary. The pipeline never touches aya directly; the in-kernel eBPF backend (feature `ebpf`) and a portable backend implement the same trait, so the whole agent builds and tests on stable Rust with no eBPF toolchain.
- `Store`: SQLite (bundled) in production, in-memory fake in tests.
- Decoders are pure `&[u8] → Vec<Signal>` functions, tested against byte fixtures.
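As an added illustration of the pure-decoder shape above (example code, not lanscope's own; the `Signal` enum, its field names and the fixture bytes are assumptions), here is an Ethernet/ARP decoder that rejects truncated or malformed frames and ignores RFC 5227 probes with an unset sender address, so a bogus mapping never reaches the registry:

```rust
/// Assumed signal type (lanscope's real `Signal` may differ).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Signal {
    /// An ARP request or reply: `mac` claims IPv4 address `ip`.
    Arp { mac: [u8; 6], ip: [u8; 4], is_reply: bool },
}

/// Decode one Ethernet frame into signals. Anything that is not a
/// well-formed Ethernet/IPv4 ARP packet (truncated input included)
/// yields no signals rather than a panic or a garbage mapping.
pub fn decode_arp(frame: &[u8]) -> Vec<Signal> {
    // 14-byte Ethernet header + 28-byte ARP body for Ethernet/IPv4.
    if frame.len() < 42 || frame[12..14] != [0x08, 0x06] {
        return Vec::new();
    }
    let arp = &frame[14..];
    let htype = u16::from_be_bytes([arp[0], arp[1]]);
    let ptype = u16::from_be_bytes([arp[2], arp[3]]);
    let (hlen, plen) = (arp[4], arp[5]);
    let oper = u16::from_be_bytes([arp[6], arp[7]]);
    if htype != 1 || ptype != 0x0800 || hlen != 6 || plen != 4 {
        return Vec::new();
    }
    let is_reply = match oper { 1 => false, 2 => true, _ => return Vec::new() };
    let mut mac = [0u8; 6];
    mac.copy_from_slice(&arp[8..14]);
    let mut ip = [0u8; 4];
    ip.copy_from_slice(&arp[14..18]);
    // ARP probes (RFC 5227) carry sender IP 0.0.0.0; drop them so the
    // registry is not fed a MAC -> 0.0.0.0 mapping.
    if ip == [0, 0, 0, 0] {
        return Vec::new();
    }
    vec![Signal::Arp { mac, ip, is_reply }]
}

/// Constructed byte fixture: an ARP reply from 02:00:00:00:00:01 claiming
/// 192.168.1.10, sent to the broadcast MAC (42 bytes, no padding).
pub fn fixture_arp_reply() -> Vec<u8> {
    let mut f = vec![0xff; 6];                         // dst MAC (broadcast)
    f.extend_from_slice(&[2, 0, 0, 0, 0, 1]);          // src MAC
    f.extend_from_slice(&[0x08, 0x06]);                // EtherType = ARP
    f.extend_from_slice(&[0, 1, 0x08, 0, 6, 4, 0, 2]); // htype, ptype, hlen, plen, oper=reply
    f.extend_from_slice(&[2, 0, 0, 0, 0, 1]);          // sender MAC
    f.extend_from_slice(&[192, 168, 1, 10]);           // sender IPv4
    f.extend_from_slice(&[0xff; 6]);                   // target MAC
    f.extend_from_slice(&[192, 168, 1, 1]);            // target IPv4
    f
}
```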
Workspace
| Crate | Role |
|---|---|
| lanscope-common | `#[repr(C)]` POD types shared across the kernel/userspace boundary (no_std). |
| lanscope | userspace agent: capture, decode, registry, fingerprint, anomaly, storage, CLI/TUI. |
| lanscope-ebpf | the eBPF programs (XDP + TC), built out-of-band (targets bpfel-unknown-none). |
| xtask | builds the eBPF crate (`cargo xtask build-ebpf`). |
Build from source
The userspace tool builds on stable Rust with no special toolchain:
- Passively discover devices (host mode; portable backend if eBPF is not built)
- One-shot views
The database lives at `$XDG_DATA_HOME/lanscope/lanscope.db` (override with `--db`).
Enabling the eBPF backend (gateway/span flow analysis)
Requires the eBPF toolchain (not needed for the core tool):
Loading XDP/TC needs `CAP_BPF` + `CAP_NET_ADMIN` (or root).
Optional ML scoring
Roadmap
- M0: workspace skeleton, CLI, capture trait, tracing
- M1: passive discovery (ARP/DHCP/mDNS/SSDP), device registry, OUI vendor lookup, SQLite, `list`
- M2: eBPF XDP flow accounting (BPF `HashMap` + ring-buffer events), verifier-validated on a live interface
- M3: fingerprint engine (OUI + DHCP + mDNS/SSDP + traffic → device type)
- M4: anomaly heuristics (new device / port scan / volume spike) + Ratatui TUI
- M5: Prometheus exporter (`run --metrics <addr>`) + headless mode
- M6: ONNX inference slot (`--features ml`, `--model`) with graceful no-model degrade; IoT-23 → ONNX training pipeline in `ml/` (run when you want a model)
Ethics
lanscope is a defensive / home-lab tool. Only run it on networks you own or are
authorised to monitor. Gateway/SPAN placement exposes plaintext metadata of all
devices; treat the database accordingly.
License
MIT OR Apache-2.0.