Crate retina_core


An ergonomic framework for high-speed network traffic analysis on commodity hardware.

Retina provides a simple filter-and-callback interface that lets users subscribe to network traffic in real time and run user-defined analysis code in a standard software environment. It is a passive analysis framework that exposes network traffic at one of three abstraction levels:

  • Individual packets
  • Reassembled connections
  • Parsed application-layer sessions

Retina is designed with a focus on performance in real-world, high-volume network environments (e.g., full-network or full-uplink analysis). It employs an efficient filtering mechanism to discard out-of-scope traffic early, and is not specifically geared towards deep inspection of every packet (although it can be customized to do so). See retina_filtergen for filter syntax and usage.

The framework currently comes with built-in support for several subscribable types. Additional modules are welcome and encouraged.

The following example shows a simple Retina application that prints parsed TLS handshakes to stdout:

use retina_core::config::default_config;
use retina_core::subscription::TlsHandshake;
use retina_core::Runtime;
use retina_filtergen::filter;

// The filter attribute compiles the predicate into a `filter` function;
// only TLS handshakes whose SNI ends in ".com" reach the callback.
#[filter("tls.sni ~ '^.*\\.com$'")]
fn main() {
    let cfg = default_config();
    // The subscribed type (TlsHandshake) selects the parsed-session abstraction level.
    let callback = |tls: TlsHandshake| {
        println!("{:?}", tls);
    };
    let mut runtime = Runtime::new(cfg, filter, callback).unwrap();
    runtime.run();
}
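To make concrete what the `tls.sni` predicate above is evaluated against, the following is an added, stand-alone example that is not part of retina_core: it hand-parses the server_name (SNI) extension out of a TLS ClientHello record and applies the same `^.*\.com$` test. Retina performs this parsing for you when you subscribe to `TlsHandshake`; the point here is to show the parsed-session abstraction level from the wire format up, and to show why a parser on an untrusted traffic path must treat every length field as hostile (the cursor returns `None` on truncation instead of panicking). The ClientHello bytes are constructed in `sample_client_hello`, not captured; `Cursor`, `client_hello_sni`, `matches_com_filter` and `sample_client_hello` are names chosen for this example.

```rust
// Added example (not retina_core code): hand-parse the server_name (SNI) out of a
// TLS ClientHello and apply the page's filter `tls.sni ~ '^.*\.com$'` to it. Retina
// does this parsing internally; the record bytes below are constructed, not captured.

/// Bounds-checked cursor: `None` on truncation instead of a panic, so a malformed or
/// deliberately short record is rejected rather than crashing the analysis thread.
struct Cursor<'a> { buf: &'a [u8], pos: usize }

impl<'a> Cursor<'a> {
    fn new(buf: &'a [u8]) -> Self { Cursor { buf, pos: 0 } }
    fn remaining(&self) -> bool { self.pos < self.buf.len() }
    fn take(&mut self, n: usize) -> Option<&'a [u8]> {
        let (buf, end) = (self.buf, self.pos.checked_add(n)?);
        let s = buf.get(self.pos..end)?;
        self.pos = end;
        Some(s)
    }
    fn u8(&mut self) -> Option<u8> { Some(self.take(1)?[0]) }
    fn u16(&mut self) -> Option<u16> { let b = self.take(2)?; Some(u16::from_be_bytes([b[0], b[1]])) }
    fn u24(&mut self) -> Option<usize> {
        let b = self.take(3)?;
        Some(((b[0] as usize) << 16) | ((b[1] as usize) << 8) | (b[2] as usize))
    }
}

/// Extract host_name from a TLS record carrying a ClientHello (RFC 8446 §4.1.2, RFC 6066 §3).
pub fn client_hello_sni(record: &[u8]) -> Option<String> {
    let mut c = Cursor::new(record);
    if c.u8()? != 22 { return None; }                  // record type: handshake
    c.u16()?;                                          // legacy record version
    let rec_len = c.u16()? as usize;
    let mut c = Cursor::new(c.take(rec_len)?);
    if c.u8()? != 1 { return None; }                   // handshake type: ClientHello
    let hs_len = c.u24()?;
    let mut c = Cursor::new(c.take(hs_len)?);
    c.u16()?;                                          // legacy_version
    c.take(32)?;                                       // random
    let n = c.u8()? as usize; c.take(n)?;              // legacy_session_id
    let n = c.u16()? as usize; c.take(n)?;             // cipher_suites
    let n = c.u8()? as usize; c.take(n)?;              // legacy_compression_methods
    let n = c.u16()? as usize;
    let mut exts = Cursor::new(c.take(n)?);
    while exts.remaining() {
        let (ext_type, len) = (exts.u16()?, exts.u16()? as usize);
        let data = exts.take(len)?;
        if ext_type != 0 { continue; }                 // 0 = server_name
        let mut sni = Cursor::new(data);
        let list_len = sni.u16()? as usize;
        let mut list = Cursor::new(sni.take(list_len)?);
        while list.remaining() {
            let (name_type, len) = (list.u8()?, list.u16()? as usize);
            let name = list.take(len)?;
            if name_type == 0 {                        // 0 = host_name
                return std::str::from_utf8(name).ok().map(str::to_owned);
            }
        }
    }
    None
}

/// The page's filter `^.*\.com$` is a case-sensitive suffix test on the SNI.
pub fn matches_com_filter(sni: &str) -> bool { sni.ends_with(".com") }

/// Constructed ClientHello record carrying `host` as SNI, with all length fields
/// computed so the sample is well-formed. Illustrative values, not a capture.
pub fn sample_client_hello(host: &str) -> Vec<u8> {
    let name = host.as_bytes();
    let mut sni = ((3 + name.len()) as u16).to_be_bytes().to_vec(); // server_name_list length
    sni.push(0);                                                    // name_type: host_name
    sni.extend_from_slice(&(name.len() as u16).to_be_bytes());
    sni.extend_from_slice(name);
    let mut exts = vec![0x00, 0x17, 0x00, 0x00];                    // extended_master_secret, empty
    exts.extend_from_slice(&[0x00, 0x00]);                          // server_name extension type
    exts.extend_from_slice(&(sni.len() as u16).to_be_bytes());
    exts.extend_from_slice(&sni);
    let mut body = vec![0x03, 0x03];                                // legacy_version: TLS 1.2
    body.extend_from_slice(&[0u8; 32]);                             // random (zeros, constructed)
    body.push(0);                                                   // empty legacy_session_id
    body.extend_from_slice(&[0x00, 0x02, 0x13, 0x01]);              // one suite: TLS_AES_128_GCM_SHA256
    body.extend_from_slice(&[0x01, 0x00]);                          // null compression only
    body.extend_from_slice(&(exts.len() as u16).to_be_bytes());
    body.extend_from_slice(&exts);
    let mut hs = vec![0x01];                                        // handshake type: ClientHello
    hs.extend_from_slice(&(body.len() as u32).to_be_bytes()[1..]);  // 24-bit body length
    hs.extend_from_slice(&body);
    let mut rec = vec![0x16, 0x03, 0x01];                           // handshake record, legacy version
    rec.extend_from_slice(&(hs.len() as u16).to_be_bytes());
    rec.extend_from_slice(&hs);
    rec
}

fn main() {
    for host in ["www.example.com", "www.example.org"] {
        let sni = client_hello_sni(&sample_client_hello(host));
        println!("{host}: sni={sni:?} filter_hit={}", sni.as_deref().map_or(false, matches_com_filter));
    }
}
```

Two design points carry over to any callback you write against Retina's parsed sessions: the SNI is client-supplied and unauthenticated, so it is a hint about intent rather than proof of destination, and a suffix match such as `^.*\.com$` accepts any label sequence ending in `.com`, so a filter meant to scope analysis should be as specific as the question being asked.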

Modules

Structs

Functions

  • Returns the application thread ID of the execution unit.
  • Reads the timestamp counter (TSC) register.