Crate pktscope_core

Modules

alert
    Alert types for the five egress signals. The detection engine (learning-window lifecycle + detectors) is added in a later milestone; this module defines the shared Alert / AlertKind / Severity types used by the store, IPC, and the engine.
analysis
    Lightweight, on-demand traffic analysis (anomaly heuristics).
capture
decode
diff
    Diff two captures by packet content (a multiset comparison of raw bytes).
enrich
    Passive enrichment of observed traffic: IP→name resolution (DNS answers + TLS SNI) and, in a later milestone, offline GeoIP/ASN lookup.
error
filter
flow
identity
    Binary-identity tracking for the “program modification” alert (signal 5).
inspector
    UI-agnostic inspector state (a reducer over IPC events + query results). The ratatui rendering lives in the pktscope binary’s inspect frontend.
ipc
    Local Unix-socket IPC between the egress daemon and clients (the inspector and --json consumers).
monitor
    The always-on egress monitor daemon: capture → correlate → detect → persist, with a Unix-socket IPC server for the inspector and --json consumers.
notify
    Local, best-effort desktop notifications for fired alerts. Never blocks or fails the alert engine — the durable record is always in SQLite and on IPC.
output
process
storage
store
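The diff module is summarised above as "a multiset comparison of raw bytes". The following is an added illustration of what that comparison means, not pktscope_core's own diff code: packets are keyed by their exact raw bytes, each side is reduced to a bag of (bytes, count), and the result reports what one capture has that the other lacks, with multiplicity. The Packet alias, CaptureDiff struct, diff_captures function and the three-packet sample captures are all assumptions made for this example.

```rust
use std::collections::HashMap;

/// A captured packet reduced to its raw bytes (assumed representation for this example).
pub type Packet = Vec<u8>;

/// Outcome of a multiset diff of two captures.
/// `only_in_a` / `only_in_b` carry the surplus count of each distinct packet;
/// `common` is how many packets matched one-to-one across both sides.
#[derive(Debug, Default, PartialEq)]
pub struct CaptureDiff {
    pub only_in_a: Vec<(Packet, usize)>,
    pub only_in_b: Vec<(Packet, usize)>,
    pub common: usize,
}

/// Reduce a capture to a bag: distinct raw-byte content -> number of occurrences.
fn count(packets: &[Packet]) -> HashMap<&[u8], usize> {
    let mut bag = HashMap::new();
    for p in packets {
        *bag.entry(p.as_slice()).or_insert(0) += 1;
    }
    bag
}

/// Multiset diff: order-insensitive, but duplicates are not collapsed, so a packet
/// that was sent twice on side A and once on side B shows up as a surplus of 1 on A.
pub fn diff_captures(a: &[Packet], b: &[Packet]) -> CaptureDiff {
    let ca = count(a);
    let cb = count(b);
    let mut out = CaptureDiff::default();

    for (bytes, &na) in &ca {
        let nb = cb.get(bytes).copied().unwrap_or(0);
        out.common += na.min(nb);
        if na > nb {
            out.only_in_a.push((bytes.to_vec(), na - nb));
        }
    }
    for (bytes, &nb) in &cb {
        let na = ca.get(bytes).copied().unwrap_or(0);
        if nb > na {
            out.only_in_b.push((bytes.to_vec(), nb - na));
        }
    }

    // HashMap iteration order is randomised per process; sort so output is deterministic.
    out.only_in_a.sort();
    out.only_in_b.sort();
    out
}

fn main() {
    // Constructed sample captures: payloads stand in for raw packet bytes.
    let a: Vec<Packet> = vec![b"SYN".to_vec(), b"SYN".to_vec(), b"DATA".to_vec()];
    let b: Vec<Packet> = vec![b"SYN".to_vec(), b"DATA".to_vec(), b"FIN".to_vec()];
    let d = diff_captures(&a, &b);
    println!("common={} only_in_a={:?} only_in_b={:?}", d.common, d.only_in_a, d.only_in_b);
}
```

The multiset (rather than set) semantics are the point of the description: a plain set comparison would report the two captures above as differing only by FIN, hiding that SYN occurred twice in one of them, and a sequence comparison would flag any reordering between captures as a difference even when the same bytes were sent.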