____ _ _ ____ _____ ____ _ _ _ ____ _ __
| _ \| | | / ___|_ _/ ___|| | | | / \ | _ \| |/ /
| |_) | | | \___ \ | | \___ \| |_| | / _ \ | |_) | ' /
| _ <| |_| |___) || | ___) | _ |/ ___ \| _ <| . \
|_| \_\\___/|____/ |_| |____/|_| |_/_/ \_\_| \_\_|\_\
π¦ Deep Packet Inspection - Zero Memory Bugs π¦
Professional packet inspection tool built with Rust - Memory safe, blazingly fast
- Real-time Packet Capture - Live packet capture via Npcap/libpcap
- π Web-Based Dashboard - Real-time monitoring with interactive visualizations (NEW!)
- WebSocket Streaming - Live packet data streamed to browser in real-time
- PCAP File I/O - Read and write PCAP/PCAP-NG files (Wireshark compatible)
- Multi-Protocol Support - Ethernet, IPv4, TCP, UDP, DNS, HTTP
- Flow Tracking - Bidirectional flow analysis with statistics
- Anomaly Detection - Port scan, DDoS, DNS tunneling detection with alerts
- Network Topology - Interactive graph visualization of network connections
- Protocol Charts - Visual breakdown of traffic by protocol (TCP/UDP/DNS/HTTP)
- Interface Aliases - User-friendly interface selection (wifi, vpn, eth)
- Verbose Analysis - Detailed packet inspection with protocol headers
- 100% Rust - Backend and frontend both written in Rust (Leptos + WebAssembly)
- Zero Unsafe Code - 100% memory safety guaranteed by Rust
Windows:
- Install Npcap with WinPcap API-compatible mode
- Download Npcap SDK and extract to
C:\npcap-sdk\ - Set environment variable:
setx LIB "C:\npcap-sdk\Lib\x64;%LIB%"- Open a new terminal for changes to take effect
Linux:
sudo apt-get install libpcap-devmacOS:
brew install libpcap# Clone repository
git clone https://github.com/ChronoCoders/rustshark.git
cd rustshark
# Build release version
cargo build --release
# Binary location
./target/release/rustsharkBuild and run the web dashboard:
# Windows
build-dashboard.cmd
# Linux/macOS
chmod +x build-dashboard.sh
./build-dashboard.sh
# Run the server
target/release/rustshark-server
# Open browser to http://localhost:3000
# Login: admin / passwordFeatures:
- π Real-time packet statistics and live stream
- π₯§ Protocol distribution pie charts
- π Network topology visualization
- π Timeline charts with historical data
- π¨ Anomaly detection alerts with notifications
- βοΈ Configuration panel for capture settings
- π Secure authentication
See DASHBOARD.md for full documentation.
List Available Interfaces:
rustshark --listCapture Packets:
# Capture 100 packets from WiFi
rustshark wifi --count 100
# Capture with verbose output
rustshark wifi --count 50 --verbose
# Capture from specific interface by number
rustshark 5 --count 100
# Capture from VPN
rustshark vpn --count 50 --verboseUSAGE:
rustshark [OPTIONS] [INTERFACE]
ARGS:
<INTERFACE> Network interface (name, alias, or number)
OPTIONS:
-l, --list List available network interfaces
-c, --count <NUM> Number of packets to capture [default: 100]
-v, --verbose Enable verbose output with full packet details
-o, --output <FILE> Save captured packets to PCAP/PCAP-NG file
-i, --input <FILE> Read and analyze packets from PCAP/PCAP-NG file
-f, --format <FORMAT> Output file format: pcap or pcapng [default: pcap]
-L, --log-level <LEVEL> Set log level [default: info]
-h, --help Print help information
-V, --version Print version information
RUSTSHARK supports both standard PCAP and modern PCAP-NG file formats, compatible with Wireshark and other analysis tools.
# Save to PCAP format (default)
rustshark wifi --count 1000 --output capture.pcap
# Save to PCAP-NG format (explicitly)
rustshark wifi --count 1000 --output capture.pcapng --format pcapng
# Format is auto-detected from file extension
rustshark wifi --count 1000 --output capture.pcapng # Uses PCAP-NG
# Capture with verbose output and save to file
rustshark wifi --count 500 --verbose --output traffic.pcap# Read PCAP file
rustshark --input capture.pcap
# Read PCAP-NG file
rustshark --input capture.pcapng
# Read with verbose analysis
rustshark --input capture.pcap --verbose
# Analyze DNS and HTTP traffic from file
rustshark --input web-traffic.pcap --verbose| Format | Extension | Features |
|---|---|---|
| PCAP | .pcap |
Standard format, wide compatibility |
| PCAP-NG | .pcapng |
Modern format, better metadata support |
Both formats include:
- Microsecond precision timestamps - Accurate packet timing
- Full packet data - Complete Ethernet frames preserved
- Wireshark compatibility - Open files directly in Wireshark
- Standard compliance - Follows libpcap/pcapng specifications
- Traffic Analysis - Capture now, analyze later
- Forensics - Preserve evidence for investigation
- Testing - Create test datasets for protocol development
- Sharing - Exchange packet captures with team members
- Integration - Process captures with other tools (Wireshark, tcpdump, tshark)
- β Ethernet II - MAC addresses, EtherType
- β IPv4 - Source/destination IP, protocol, TTL, flags
- β IPv6 - Full IPv6 support with extension headers (Hop-by-Hop, Routing, Fragment, Destination Options, Authentication, ESP)
- β ARP - Address Resolution Protocol for MAC-IP resolution
- β ICMPv4 - Echo Request/Reply, Destination Unreachable, Time Exceeded, Redirect, and more
- β ICMPv6 - IPv6 ICMP including Neighbor Discovery, Router Advertisement/Solicitation
- β TCP - Ports, sequence numbers, flags, window size
- β UDP - Ports, length, checksums
-
β DNS - Full query/response parsing
- Query types: A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV, ANY
- Response codes: NOERROR, NXDOMAIN, SERVFAIL, REFUSED
- Domain name compression support
- TTL extraction
- mDNS support (port 5353)
-
β HTTP - Complete request/response parsing
- Methods: GET, POST, PUT, DELETE, HEAD, OPTIONS, PATCH, CONNECT, TRACE
- Headers: Host, User-Agent, Content-Type, Content-Length, Server
- Cookie detection
- Status codes: 1xx-5xx
-
β DHCP - Dynamic Host Configuration Protocol (Discover, Offer, Request, ACK, NAK, Release, Inform)
-
β FTP - File Transfer Protocol commands and responses (USER, PASS, RETR, STOR, LIST, etc.)
-
β SMTP - Simple Mail Transfer Protocol with email message parsing (HELO, MAIL, RCPT, DATA, etc.)
-
β SSH - Secure Shell Protocol version exchange and key exchange
-
β Telnet - Terminal emulation protocol with command negotiation
-
β SNMP - Simple Network Management Protocol (v1, v2c, v3) with Get/Set/Trap support
-
β³ HTTPS/TLS - Planned for future phase
rustshark/
βββ crates/
β βββ capture/ # Packet capture engine (Npcap/libpcap)
β βββ parser/ # Core protocol parsers (Ethernet/IPv4/IPv6/TCP/UDP/ARP/ICMP)
β βββ flow/ # Flow tracking & analysis
β βββ detection/ # Anomaly detection algorithms
β βββ dns/ # DNS protocol parser
β βββ http/ # HTTP protocol parser
β βββ dhcp/ # DHCP protocol parser
β βββ ftp/ # FTP protocol parser
β βββ smtp/ # SMTP protocol parser
β βββ ssh/ # SSH protocol parser
β βββ telnet/ # Telnet protocol parser
β βββ snmp/ # SNMP protocol parser
β βββ pcap/ # PCAP/PCAP-NG file I/O
β βββ storage/ # Data persistence (placeholder)
β βββ ui/ # Terminal UI components (placeholder)
β βββ rustshark-server/ # π Web server (Axum + WebSocket)
β βββ rustshark-web/ # π Frontend (Leptos + WebAssembly)
βββ rustshark-cli/ # Command-line interface
βββ assets/ # π Web dashboard assets (HTML/CSS)
- Zero Unsafe Code - 100% safe Rust, no
unsafeblocks - Modular Architecture - Each protocol is a separate crate
- Performance First - Zero-copy parsing where possible
- Extensible - Easy to add new protocols
- Production Ready - Comprehensive error handling
- 100% Rust Stack - Backend (Axum) + Frontend (Leptos/WASM), zero JavaScript
RUSTSHARK provides user-friendly aliases for common interface types:
| Alias | Matches | Description |
|---|---|---|
wifi, wlan, wireless |
Wi-Fi adapters | Wireless network cards (802.11) |
eth, ethernet |
Ethernet adapters | Wired network cards (RJ45) |
vpn, wireguard, wg |
VPN tunnels | WireGuard, OpenVPN, etc. |
loop, loopback, lo |
Loopback | Local loopback (127.0.0.1) |
bt, bluetooth |
Bluetooth | Bluetooth network adapters |
1-9 |
By number | Select interface by list number |
# Using alias
rustshark wifi --count 100
# Using interface number
rustshark 5 --count 100
# Using exact name
rustshark "\Device\NPF_{9F834F7A-D906-4C95-84C4-8DF8E4ECCC4E}" --count 100[1] Packet captured: 122 bytes
[2] Packet captured: 138 bytes
[3] Packet captured: 282 bytes
[DNS Query: google.com]
[4] Packet captured: 154 bytes
[DNS Response: google.com - 1 answers]
[5] Packet captured: 66 bytes
[HTTP Request: GET http://example.com/]
------------------------------------------------------------
[Packet #3]
Ethernet:
Source MAC: d0:57:7b:40:a8:f3
Destination MAC: 74:6f:88:9c:15:b4
EtherType: 0x0800
IPv4:
Source IP: 192.168.1.5
Destination IP: 8.8.8.8
Protocol: 17
Total Length: 82
UDP:
Source Port: 51234
Dest Port: 53
Length: 62
Payload: 54 bytes
DNS:
Transaction ID: 0x1a2b
Type: Query
Questions: 1
- google.com (A)
RUSTSHARK now includes a powerful real-time web dashboard built entirely in Rust!
- π Real-Time Statistics - Live packet/byte counts, flows, and throughput
- π₯§ Protocol Distribution - Interactive pie charts showing traffic breakdown
- π Network Topology - Visual graph of network connections and devices
- π Timeline View - Historical packet activity with bar charts
- π¨ Anomaly Alerts - Real-time security alerts with notifications
- π Flow Analysis - Searchable table of active network flows
- βοΈ Configuration - Web-based interface for capture settings
- π Authentication - Secure JWT-based login system
Windows:
build-dashboard.cmd
target\release\rustshark-server.exeLinux/macOS:
./build-dashboard.sh
./target/release/rustshark-serverAccess Dashboard:
- URL: http://localhost:3000
- Username:
admin - Password:
password
- Backend: Axum web server + WebSocket for real-time streaming
- Frontend: Leptos framework compiled to WebAssembly
- Communication: REST API + WebSocket for live updates
- 100% Rust: No JavaScript - entire stack written in Rust!
See DASHBOARD.md for complete documentation including:
- API endpoints
- WebSocket protocol
- Configuration options
- Security considerations
- Performance tuning
See WINDOWS_SETUP.md for Windows-specific setup.
RUSTSHARK includes built-in anomaly detection for common attacks:
- Triggers when a source IP connects to 10+ different ports within 60 seconds
- Identifies reconnaissance attempts
- Triggers when a destination IP receives 100+ packets within 10 seconds
- Identifies flooding attacks
- Triggers when DNS queries exceed 512 bytes (5+ times within 60 seconds)
- Identifies data exfiltration via DNS
-
Phase 1: Foundation - Project structure, workspace setup
-
Phase 2: Protocol Parsing - Ethernet, IPv4, TCP, UDP parsers
-
Phase 3: Flow Analysis - Flow tracking, statistics
-
Phase 4: Anomaly Detection - Port scan, DDoS, DNS tunneling
-
Phase 5: Real Packet Capture - Npcap/libpcap integration
-
Phase 6A: Documentation - v0.2.0 release, README
-
Phase 6B: DNS Parser - Complete DNS protocol support
-
Phase 6C: HTTP Parser - Complete HTTP protocol support
-
Phase 8: PCAP File I/O - Read/write PCAP and PCAP-NG files
-
Phase 9: JSON Export - JSON logging and export (integrated in dashboard)
-
Phase 10: Web Dashboard - β¨ COMPLETED! Real-time web visualization
- Axum backend with WebSocket support
- Leptos frontend compiled to WebAssembly
- Real-time packet streaming and statistics
- Protocol distribution charts
- Network topology visualization
- Timeline view with historical data
- Anomaly detection alerts
- JWT authentication
- Configuration management
- 100% Rust implementation (no JavaScript!)
-
Phase 7: Advanced Protocols - β¨ COMPLETED! IPv6, ARP, ICMP, DHCP, FTP, SMTP, SSH, Telnet, SNMP
- IPv6 with full extension header support
- ARP for MAC-IP resolution
- ICMPv4 and ICMPv6 with all message types
- DHCP with all message types
- FTP command and response parsing
- SMTP with email message parsing
- SSH version exchange and key exchange
- Telnet with command negotiation
- SNMP v1/v2c/v3 support
- Phase 8: TLS/HTTPS - SSL/TLS protocol analysis and HTTPS decryption
- Phase 11: Machine Learning - Traffic classification, anomaly detection
- Phase 12: Cloud Integration - Remote monitoring, cloud storage
- β¨ NEW: Real-time Web Dashboard - Complete web-based monitoring interface
- β¨ Axum Backend Server - High-performance async web server with WebSocket support
- β¨ Leptos Frontend - Rust-based WebAssembly frontend (zero JavaScript!)
- β¨ WebSocket Streaming - Real-time packet data pushed to browser
- β¨ Interactive Visualizations:
- Live packet stream with real-time updates
- Protocol distribution pie charts (TCP/UDP/DNS/HTTP/HTTPS)
- Network topology graph with nodes and edges
- Timeline charts showing historical packet activity
- Anomaly detection dashboard with severity levels
- β¨ REST API - Full RESTful API for statistics, flows, and configuration
- β¨ JWT Authentication - Secure login system with token-based auth
- β¨ Configuration Panel - Web-based interface for capture settings
- β¨ Cross-Platform Support - Windows, Linux, and macOS
- β¨ Build Scripts - Automated build for both Unix (.sh) and Windows (.cmd)
- π Comprehensive Documentation - DASHBOARD.md and WINDOWS_SETUP.md guides
- β¨ Added DNS parser module with full query/response support
- β¨ Added HTTP parser module with request/response parsing
- β¨ PCAP file I/O support - Read and write PCAP/PCAP-NG files
- β¨ Enhanced verbose output with protocol-specific details
- β¨ Support for all major DNS record types (A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV)
- β¨ Support for all HTTP methods (GET, POST, PUT, DELETE, HEAD, OPTIONS, PATCH, CONNECT, TRACE)
- β¨ Wireshark-compatible file format support
- β¨ Microsecond precision timestamps in PCAP files
- β¨ Auto-detection of PCAP format from file extension
- π Improved error handling in protocol parsers
- β¨ Real packet capture with Npcap/libpcap
- β¨ Interface alias system (wifi, vpn, eth, loopback, bluetooth)
- β¨ Bidirectional flow tracking
- β¨ Enhanced CLI with interface selection
- π Fixed all clippy warnings
- π Production-ready release
- π Initial release
- β¨ Mock packet capture mode for testing
- β¨ Basic protocol parsing (Ethernet, IPv4, TCP, UDP)
- β¨ Flow tracking and statistics
- β¨ Anomaly detection (port scan, DDoS, DNS tunneling)
- π Command-line interface
# Development build (with debug symbols)
cargo build
# Release build (optimized)
cargo build --release
# Run tests
cargo test
# Run clippy (linter)
cargo clippy
# Check code formatting
cargo fmt --check# Run all tests
cargo test
# Run tests for specific crate
cargo test -p rustshark-parser
# Run with verbose output
cargo test -- --nocapture- Zero Unsafe Code - No
unsafeblocks in the entire codebase - Zero Clippy Warnings - All clippy lints resolved
- Comprehensive Tests - Unit tests for all parsers
- Documentation - Inline documentation for all public APIs
Contributions are welcome! Please follow these guidelines:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
- Follow Rust naming conventions
- Add tests for new features
- Update documentation
- Ensure
cargo clippypasses - Format code with
cargo fmt
MIT License
Copyright (c) 2025 Chronocoder
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Chronocoder
- Blockchain & Systems Developer
- GitHub: @ChronoCoders
- Npcap - Windows packet capture library
- libpcap - Unix packet capture library
- Axum - High-performance web framework
- Leptos - Reactive Rust web framework
- Tokio - Async runtime for Rust
- Rust Community - For the amazing language and ecosystem
- RFC 791 - Internet Protocol
- RFC 793 - Transmission Control Protocol
- RFC 768 - User Datagram Protocol
- RFC 1035 - Domain Names
- RFC 2616 - HTTP/1.1
- PCAP File Format
- PCAP-NG Specification
Made with β€οΈ and π¦ Rust