lanscope — passive eBPF IoT device fingerprinting & anomaly detection.
The crate is organised as a pipeline of single-responsibility stages joined by trait seams so each stage can be tested and replaced in isolation:
CaptureBackend → decode → DeviceRegistry → Fingerprinter → AnomalyDetector
│ │
└──────────► Store ◄───────────┘

Modules
- alert: Anomaly alert model, shared by the storage layer and the anomaly engine.
- anomaly: Anomaly detection.
- app: Application orchestration — the composition root.
- capture: Capture abstraction — the seam that keeps the rest of the agent independent of how packets are observed.
- cli: Command-line surface (clap derive). The CLI is a thin parsing layer; all behaviour lives in crate::app.
- config: Runtime configuration: capture mode, interface, paths, intervals.
- decode: Userspace protocol decoders.
- error: Crate-wide error type. Library code returns Error; the binary layers anyhow on top for context-rich reporting at the edges.
- exporter: Prometheus metrics exporter.
- features: Flow feature vector — the single source of truth shared by runtime inference and the offline training pipeline.
- fingerprint: Device fingerprinting.
- netfmt: Small formatting/parsing helpers for MACs and IPv4 addresses.
- registry: In-memory device registry, keyed by MAC.
- storage: Persistence.
- tui: Ratatui terminal UI.