Constant AVRO_SCHEMA 

pub const AVRO_SCHEMA: &str = r#"
{
  "type": "record",
  "name": "Packet",
  "namespace": "pcap_toolkit",
  "doc": "A single captured network packet with parsed layer fields.",
  "fields": [
    {"name": "timestamp_ns", "type": "long",               "doc": "Capture timestamp, nanoseconds since Unix epoch."},
    {"name": "src_ip",       "type": ["null", "string"],   "default": null, "doc": "Source IP address (IPv4 or IPv6 string)."},
    {"name": "dst_ip",       "type": ["null", "string"],   "default": null, "doc": "Destination IP address."},
    {"name": "src_port",     "type": ["null", "int"],      "default": null, "doc": "Source port (TCP/UDP only)."},
    {"name": "dst_port",     "type": ["null", "int"],      "default": null, "doc": "Destination port (TCP/UDP only)."},
    {"name": "protocol",     "type": ["null", "int"],      "default": null, "doc": "IP protocol number (6=TCP, 17=UDP, …)."},
    {"name": "flow_id",      "type": ["null", "long"],     "default": null, "doc": "Deterministic 64-bit flow identifier."},
    {"name": "caplen",       "type": "int",                                 "doc": "Captured bytes (wire length may differ)."},
    {"name": "origlen",      "type": "int",                                 "doc": "Original wire length."},
    {"name": "tcp_flags",    "type": ["null", "int"],      "default": null, "doc": "TCP control flags bitmask."},
    {"name": "payload",      "type": ["null", "bytes"],    "default": null, "doc": "Raw captured payload bytes."}
  ]
}
"#;

Avro schema definition — kept in sync with [AvroPacket].