Crate retina_core
An ergonomic framework for high speed network traffic analysis on commodity hardware.
Retina provides a simple filter and callback interface that lets users subscribe to network traffic in real-time and run user-defined analysis code in a standard software environment. It is a passive analysis framework that supports access to network traffic at one of three abstraction levels:
- Individual packets
- Reassembled connections
- Parsed application-layer sessions
Retina is designed with a focus on performance in real-world, high-volume network environments (e.g., full-network or full-uplink analysis). It employs an efficient filtering mechanism to discard out-of-scope traffic, and is not specifically geared towards deep inspection of all packets (although it can be customized to do so). See retina_filtergen for filter syntax and usage.
The framework currently comes with built-in support for several subscribable types. Additional modules are welcome and encouraged.
The following example shows a simple Retina application that prints parsed TLS handshakes to stdout:
```rust
use retina_core::config::default_config;
use retina_core::subscription::TlsHandshake;
use retina_core::Runtime;
use retina_filtergen::filter;

// Subscribe only to TLS handshakes whose SNI ends in ".com"; traffic that
// does not match is discarded by the filter before it reaches the callback.
#[filter("tls.sni ~ '^.*\\.com$'")]
fn main() {
    let cfg = default_config();
    // Invoked once for every parsed handshake that passes the filter.
    let callback = |tls: TlsHandshake| {
        println!("{:?}", tls);
    };
    let mut runtime = Runtime::new(cfg, filter, callback).unwrap();
    runtime.run();
}
```
Modules
- Configuration options.
- Protocol parsing and manipulation.
- Subscribable data types.
- Utility modules.
Structs
- A generic connection identifier.
- Connection 5-tuple.
- A packet buffer.
- The Retina runtime.
Functions
- Returns the application thread ID of the execution unit.
- Reads the timestamp counter (TSC) register.