pktscope-core 0.2.0

Core engine for pktscope: live/offline capture, protocol decoders, flow tracking, filters, and egress monitoring
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121

//! Newline-delimited JSON protocol spoken over the daemon's Unix socket.
//! Each request and response is a single JSON object on its own line. After a
//! `Subscribe` request the connection becomes a one-way stream of `Event`s.

use serde::{Deserialize, Serialize};

use crate::alert::Alert;
use crate::store::models::{ConnectionRow, DestRow, ProcessRow};

/// A live (or recently active) outbound connection, as shown by the inspector.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct ConnectionDto {
    pub id: u64,
    pub process: String,
    pub pid: Option<u32>,
    pub dest_name: String,
    pub remote_ip: String,
    pub remote_port: u16,
    pub local_port: u16,
    pub protocol: u8,
    pub country: Option<String>,
    pub asn: Option<u32>,
    pub as_org: Option<String>,
    pub bytes_up: u64,
    pub bytes_down: u64,
    pub first_seen_ms: i64,
    pub last_seen_ms: i64,
    pub outbound: bool,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct DaemonStatus {
    pub pid: u32,
    pub uptime_secs: u64,
    pub interface: String,
    /// "learning" or "active".
    pub baseline: String,
    pub learning_ends_ms: Option<i64>,
    pub processes: u64,
    pub destinations: u64,
    pub alerts: u64,
    pub schema_version: u32,
    pub version: String,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "snake_case")]
pub enum Request {
    Status,
    LiveConnections,
    ListProcesses,
    ListDestinations {
        process_id: i64,
    },
    ProcessHistory {
        process_id: i64,
        since_ms: i64,
        until_ms: i64,
    },
    RecentAlerts {
        limit: usize,
    },
    /// Recent persisted connections (time-travel history).
    RecentConnections {
        limit: usize,
    },
    /// Upgrade this connection to a live event stream.
    Subscribe,
    /// Ask the daemon to shut down.
    Stop,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type", content = "data", rename_all = "snake_case")]
pub enum Response {
    Status(DaemonStatus),
    Connections(Vec<ConnectionDto>),
    Processes(Vec<ProcessRow>),
    Destinations(Vec<DestRow>),
    History(Vec<ConnectionRow>),
    Alerts(Vec<Alert>),
    Subscribed,
    Stopping,
    Error { message: String },
}

/// Pushed to a subscribed connection.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "snake_case")]
pub enum Event {
    Flow(ConnectionDto),
    Closed { id: u64 },
    Alert(Alert),
    Heartbeat { ts_ms: i64 },
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_request_roundtrip() {
        let r = Request::ProcessHistory {
            process_id: 5,
            since_ms: 0,
            until_ms: 100,
        };
        let line = serde_json::to_string(&r).unwrap();
        assert!(line.contains("\"type\":\"process_history\""));
        let back: Request = serde_json::from_str(&line).unwrap();
        matches!(back, Request::ProcessHistory { process_id: 5, .. });
    }

    #[test]
    fn test_event_roundtrip() {
        let e = Event::Heartbeat { ts_ms: 42 };
        let line = serde_json::to_string(&e).unwrap();
        let back: Event = serde_json::from_str(&line).unwrap();
        assert!(matches!(back, Event::Heartbeat { ts_ms: 42 }));
    }
}