An ergonomic framework for high speed network traffic analysis on commodity hardware.
Retina provides a simple filter and callback interface that lets users subscribe to network traffic in real-time and run user-defined analysis code in a standard software environment. It is a passive analysis framework that supports access to network traffic at one of three abstraction levels:
- Individual packets
- Reassembled connections
- Parsed application-layer sessions
Retina is designed with a focus on performance in real-world, high-volume network environments (e.g., full-network or full-uplink analysis). It employs an efficient filtering mechanism to discard out-of-scope traffic, and is not specifically geared towards deep inspection of all packets (although it can be customized to do so). See retina_filtergen for filter syntax and usage.
The framework currently comes with built-in support for several subscribable types. Additional modules are welcome and encouraged.
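The "reassembled connections" level above rests on one idea worth seeing in code: packets in both directions of a flow must resolve to the same connection identifier, and out-of-scope packets should be dropped before any per-connection state is allocated. The block below is an added, self-contained illustration of that idea, not Retina's own `ConnId`/`FiveTuple` implementation: it canonicalizes a directional 5-tuple into a direction-agnostic key, gates packets through a packet-level filter first (here a hypothetical "TCP port 443" predicate standing in for a Retina filter expression), and splits counters by originator and responder. The sample packets are constructed inline.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr};

/// IANA IP protocol numbers for the transports keyed on here.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Proto {
    Tcp = 6,
    Udp = 17,
}

/// A directional 5-tuple exactly as seen on the wire (src -> dst).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct FiveTuple {
    pub proto: Proto,
    pub src_ip: IpAddr,
    pub src_port: u16,
    pub dst_ip: IpAddr,
    pub dst_port: u16,
}

/// Direction-agnostic connection key: endpoints are stored in canonical
/// order, so a packet and its reply hash to the same key.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct ConnKey {
    pub proto: Proto,
    pub lo: (IpAddr, u16),
    pub hi: (IpAddr, u16),
}

impl FiveTuple {
    pub fn conn_key(&self) -> ConnKey {
        let src = (self.src_ip, self.src_port);
        let dst = (self.dst_ip, self.dst_port);
        // (IpAddr, u16) is Ord, so the smaller endpoint is always `lo`.
        let (lo, hi) = if src <= dst { (src, dst) } else { (dst, src) };
        ConnKey { proto: self.proto, lo, hi }
    }
}

/// Per-connection counters, split by originator (sender of the first
/// packet seen) and responder.
#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
pub struct ConnStats {
    pub orig_pkts: u64,
    pub orig_bytes: u64,
    pub resp_pkts: u64,
    pub resp_bytes: u64,
}

/// Minimal passive connection table with an early packet-level filter.
/// Packets that fail the filter never allocate state.
pub struct ConnTable {
    filter: Box<dyn Fn(&FiveTuple) -> bool>,
    conns: HashMap<ConnKey, (FiveTuple, ConnStats)>,
}

impl ConnTable {
    pub fn new<F: Fn(&FiveTuple) -> bool + 'static>(filter: F) -> Self {
        ConnTable { filter: Box::new(filter), conns: HashMap::new() }
    }

    /// Returns the updated stats if the packet is in scope, None if filtered.
    pub fn observe(&mut self, pkt: FiveTuple, wire_len: u64) -> Option<ConnStats> {
        if !(self.filter)(&pkt) {
            return None;
        }
        let (first, stats) = self
            .conns
            .entry(pkt.conn_key())
            .or_insert_with(|| (pkt, ConnStats::default()));
        // Same directional tuple as the opening packet => originator side.
        if *first == pkt {
            stats.orig_pkts += 1;
            stats.orig_bytes += wire_len;
        } else {
            stats.resp_pkts += 1;
            stats.resp_bytes += wire_len;
        }
        Some(*stats)
    }

    pub fn len(&self) -> usize {
        self.conns.len()
    }
}

fn v4(a: u8, b: u8, c: u8, d: u8) -> IpAddr {
    IpAddr::V4(Ipv4Addr::new(a, b, c, d))
}

/// Constructed sample traffic: a TCP/443 exchange in both directions plus a
/// UDP/53 query the filter discards. Returns (connections tracked, TCP stats).
pub fn demo() -> (usize, ConnStats) {
    let mut table =
        ConnTable::new(|t| t.proto == Proto::Tcp && (t.src_port == 443 || t.dst_port == 443));
    let (client, server) = (v4(10, 0, 0, 5), v4(192, 0, 2, 10));
    let syn = FiveTuple { proto: Proto::Tcp, src_ip: client, src_port: 51234, dst_ip: server, dst_port: 443 };
    let reply = FiveTuple { proto: Proto::Tcp, src_ip: server, src_port: 443, dst_ip: client, dst_port: 51234 };
    let dns = FiveTuple { proto: Proto::Udp, src_ip: client, src_port: 40000, dst_ip: v4(192, 0, 2, 53), dst_port: 53 };

    table.observe(syn, 74);
    table.observe(reply, 74);
    table.observe(syn, 66);
    table.observe(reply, 1514);
    assert!(table.observe(dns, 80).is_none()); // out of scope, no state allocated
    let stats = table.observe(syn, 600).expect("in scope");
    (table.len(), stats)
}

fn main() {
    let (n, stats) = demo();
    println!("{} connection(s) tracked: {:?}", n, stats);
}
```

The canonical ordering is what lets a single hash lookup serve both directions; the filter runs before the lookup so that traffic outside the subscription costs neither a hash nor a table entry, which is the same ordering of work the framework description above argues for.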
The following example shows a simple Retina application that prints parsed TLS handshakes to stdout:
use retina_core::config::default_config;
use retina_core::subscription::TlsHandshake;
use retina_core::Runtime;
use retina_filtergen::filter;

// Subscribe only to TLS handshakes whose SNI ends in ".com"; everything
// else is discarded by the filter before reaching the callback.
#[filter("tls.sni ~ '^.*\\.com$'")]
fn main() {
    let cfg = default_config();
    let callback = |tls: TlsHandshake| {
        println!("{:?}", tls);
    };
    let mut runtime = Runtime::new(cfg, filter, callback).unwrap();
    runtime.run();
}
Modules
- config
- Configuration options.
- protocols
- Protocol parsing and manipulation.
- subscription
- Subscribable data types.
- utils
- Utility modules.
Structs
- ConnId
- A generic connection identifier.
- FiveTuple
- Connection 5-tuple.
- Mbuf
- A packet buffer.
- Runtime
- The Retina runtime.
Functions (both are unsafe fn, marked ⚠ on docs.rs)
- rte_lcore_id ⚠
- Returns the application thread ID of the execution unit.
- rte_rdtsc ⚠
- Reads the timestamp counter (TSC) register.