srum_core/network.rs
//! Network usage record — bytes sent/received per process per ~1-hour interval.
//!
//! Source table: `{973F5D5C-1D90-4944-BE8E-24B94231A174}` in SRUDB.dat.
5use chrono::{DateTime, Utc};
6use serde::{Deserialize, Serialize};
/// One SRUM network usage record: the bytes a process sent/received in a
/// single ~1-hour measurement interval.
///
/// Forensic value: the record outlives the process (and its binary), so it can
/// establish per-process transfer volumes — e.g. exfiltration — after the fact.
/// Every field except `auto_inc_id` round-trips through the serde derives.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct NetworkUsageRecord {
    /// Integer ID of the application (look up in [`crate::IdMapEntry`]).
    pub app_id: i32,
    /// Integer ID of the user account (look up in [`crate::IdMapEntry`]).
    pub user_id: i32,
    /// UTC timestamp of the measurement interval start.
    pub timestamp: DateTime<Utc>,
    /// Bytes sent by the process in this interval.
    // NOTE(review): the raw ESE column is converted to u64 by the parser, not
    // here — confirm that conversion rejects negative raw values instead of
    // wrapping them into implausibly large volumes.
    pub bytes_sent: u64,
    /// Bytes received by the process in this interval.
    pub bytes_recv: u64,
    /// ESE page number used as AutoIncId proxy for gap detection.
    /// Gaps in this sequence indicate deleted records (anti-forensics); treat a
    /// gap as an indicator to corroborate, not as proof on its own.
    ///
    /// Not serialised to JSON output: `#[serde(skip)]` omits the field on
    /// serialisation and fills it with `u32::default()` (0) on deserialisation,
    /// so gap detection must run on records read directly from SRUDB.dat,
    /// never on records reloaded from exported JSON.
    #[serde(skip)]
    pub auto_inc_id: u32,
}
29}