
Crate flowscope


flowscope — passive flow & session tracking for packet capture.

Cross-platform, runtime-free library for observing what’s happening on the wire. Pair with any source of &[u8] frames: netring (Linux AF_PACKET / AF_XDP), pcap files, tun-tap, eBPF, embedded.

§What’s here

Core (always on):

Built-in extractors and decap combinators (extractors feature):

Protocol parsers (each behind its own feature):

Feature   Module   What you get
http      http     HTTP/1.x request/response parser
tls       tls      TLS handshake observer (ClientHello/ServerHello/Alert), optional JA3
dns       dns      DNS-over-UDP and DNS-over-TCP message parsers + query/response correlator
pcap      pcap     pcap file source for offline replay

Observability (each behind its own feature, zero-cost when off):

Feature   What you get
metrics   Prometheus / OpenTelemetry counters, gauges, histograms (see obs)
tracing   Structured events on flow lifecycle + anomalies

§Tokio integration

For async iteration over flow / session / datagram events, see netring’s AsyncCapture::flow_stream / .session_stream / .datagram_stream. Those depend on this crate’s traits. The sync analogue for session_stream is FlowSessionDriver.

Re-exports§

pub use extractor::Extracted;
pub use extractor::FlowExtractor;
pub use extractor::L4Proto;
pub use extractor::Orientation;
pub use extractor::TcpFlags;
pub use extractor::TcpInfo;
pub use event::AnomalyKind;            [feature: tracker]
pub use event::EndReason;              [feature: tracker]
pub use event::FlowEvent;              [feature: tracker]
pub use event::FlowSide;               [feature: tracker]
pub use event::FlowState;              [feature: tracker]
pub use event::FlowStats;              [feature: tracker]
pub use event::OverflowPolicy;         [feature: tracker]
pub use history::HistoryString;        [feature: tracker]
pub use tracker::FlowEntry;            [feature: tracker]
pub use tracker::FlowEvents;           [feature: tracker]
pub use tracker::FlowTracker;          [feature: tracker]
pub use tracker::FlowTrackerConfig;    [feature: tracker]
pub use tracker::FlowTrackerStats;     [feature: tracker]
pub use driver::FlowDriver;            [feature: reassembler]
pub use reassembler::BufferedReassembler;         [feature: reassembler]
pub use reassembler::BufferedReassemblerFactory;  [feature: reassembler]
pub use reassembler::Reassembler;                 [feature: reassembler]
pub use reassembler::ReassemblerFactory;          [feature: reassembler]
pub use session::DatagramParser;          [feature: session]
pub use session::DatagramParserFactory;   [feature: session]
pub use session::SessionEvent;            [feature: session]
pub use session::SessionParser;           [feature: session]
pub use session::SessionParserFactory;    [feature: session]
pub use session_driver::FlowSessionDriver;   [features: reassembler and session]

Modules§

dns   [feature: dns]
Passive DNS observer (UDP/53).
driver   [feature: reassembler]
FlowDriver — sync wrapper that bundles a FlowTracker with a ReassemblerFactory and dispatches TCP segments to the right reassembler.
event   [feature: tracker]
Events emitted by crate::FlowTracker as packets flow through it.
extract   [feature: extractors]
Built-in flow extractors and decap combinators.
extractor
FlowExtractor trait and its supporting types.
history   [feature: tracker]
Compact lifecycle representation à la Zeek’s conn.log history.
http   [feature: http]
Passive HTTP/1.x observer.
obs   [feature: tracker]
Observability hooks — metrics counters and tracing events.
pcap   [feature: pcap]
pcap file source for offline replay.
reassembler   [feature: reassembler]
Sync TCP reassembly hooks.
session   [feature: session]
Pluggable L7 message parsers.
session_driver   [features: reassembler and session]
Sync companion to netring’s async session_stream. Bundles a FlowTracker + per-(flow, side) BufferedReassembler + per-flow SessionParser and yields SessionEvents.
tcp_state   [features: tracker and test-helpers]
TCP state machine used internally by crate::FlowTracker.
tls   [feature: tls]
Passive TLS handshake observer.
tracker   [feature: tracker]
FlowTracker — a hashtable of live flows with a TCP state machine and idle-timeout sweep.

Structs§

PacketView
What a crate::FlowExtractor is given.
Timestamp
Nanosecond-precision kernel timestamp.