A cross-platform network monitoring tool built with Rust. RustNet provides real-time visibility into network connections with detailed state information, connection lifecycle management, deep packet inspection, and a terminal user interface.
- Real-time Network Monitoring: Monitor active TCP, UDP, ICMP, and ARP connections with detailed state information
- Connection States: Track TCP states (
ESTABLISHED,SYN_SENT,TIME_WAIT), QUIC states (QUIC_INITIAL,QUIC_HANDSHAKE,QUIC_CONNECTED), DNS states, SSH states, and activity-based UDP states - Deep Packet Inspection (DPI): Detect application protocols including HTTP, HTTPS/TLS with SNI, DNS, SSH with version detection, and QUIC with CONNECTION_CLOSE frame detection
- Smart Connection Lifecycle: Protocol-aware timeouts with visual staleness indicators (white → yellow → red) before cleanup
- Process Identification: Associate network connections with running processes
- Service Name Resolution: Identify well-known services using port numbers
- Cross-platform Support: Works on Linux, macOS, Windows, and FreeBSD
- Advanced Filtering: Real-time vim/fzf-style filtering with keyword support (
port:,src:,dst:,sni:,process:,state:) - Terminal User Interface: Beautiful TUI built with ratatui with adjustable column widths
- Multi-threaded Processing: Concurrent packet processing for high performance
- Optional Logging: Detailed logging with configurable log levels (disabled by default)
eBPF Enhanced Process Identification (Linux Default)
RustNet uses kernel eBPF programs by default on Linux for enhanced performance and lower overhead process identification. However, this comes with important limitations:
Process Name Limitations:
- eBPF uses the kernel's
commfield, which is limited to 16 characters - Shows the task/thread command name, not the full executable path
- Multi-threaded applications often show thread names instead of the main process name
Real-world Examples:
- Firefox: May appear as "Socket Thread", "Web Content", "Isolated Web Co", or "MainThread"
- Chrome: May appear as "ThreadPoolForeg", "Chrome_IOThread", "BrokerProcess", or "SandboxHelper"
- Electron apps: Often show as "electron", "node", or internal thread names
- System processes: Show truncated names like "systemd-resolve" → "systemd-resolve"
Fallback Behavior:
- When eBPF fails to load or lacks sufficient permissions, RustNet automatically falls back to standard procfs-based process identification
- Standard mode provides full process names but with higher CPU overhead
- eBPF is enabled by default; no special build flags needed
To disable eBPF and use procfs-only mode, build with:
cargo build --release --no-default-featuresSee EBPF_BUILD.md for more details and ARCHITECTURE.md for technical information.
Homebrew (macOS / Linux):
brew tap domcyrus/rustnet
brew install rustnetUbuntu (25.10+):
sudo add-apt-repository ppa:domcyrus/rustnet
sudo apt update && sudo apt install rustnetFedora (42+):
sudo dnf copr enable domcyrus/rustnet
sudo dnf install rustnetArch Linux (AUR):
yay -S rustnetFrom crates.io:
cargo install rustnet-monitorOther platforms:
- Windows/FreeBSD: Download installers from GitHub Releases
- Docker, source builds, other Linux distros: See INSTALL.md for detailed instructions
Packet capture requires elevated privileges:
# Quick start (all platforms)
sudo rustnet
# Linux: Grant capabilities to run without sudo (recommended)
sudo setcap 'cap_net_raw,cap_bpf,cap_perfmon=eip' $(which rustnet)
rustnetCommon options:
rustnet -i eth0 # Specify network interface
rustnet --show-localhost # Show localhost connections
rustnet -r 500 # Set refresh interval (ms)See INSTALL.md for detailed permission setup and USAGE.md for complete options.
| Key | Action |
|---|---|
q |
Quit (press twice to confirm) |
Ctrl+C |
Quit immediately |
Tab |
Switch between tabs |
↑/k ↓/j |
Navigate up/down |
g G |
Jump to first/last connection |
Enter |
View connection details |
Esc |
Go back or clear filter |
c |
Copy remote address |
p |
Toggle service names/ports |
s S |
Cycle sort columns / toggle direction |
/ |
Enter filter mode |
h |
Toggle help |
See USAGE.md for detailed keyboard controls and navigation tips.
Quick filtering examples:
/google # Search for "google" anywhere
/port:443 # Filter by port
/process:firefox # Filter by process
/state:established # Filter by connection state
/dport:443 sni:github.com # Combine filters
Sorting:
- Press
sto cycle through sortable columns (Protocol, Address, State, Service, Bandwidth, Process) - Press
S(Shift+s) to toggle sort direction - Find bandwidth hogs: Press
suntil "Down/Up ↓" appears (sorts by combined up+down speed)
See USAGE.md for complete filtering syntax and sorting guide.
Advanced Filtering Examples
Keyword filters:
port:44- Ports containing "44" (443, 8080, 4433)sport:80- Source ports containing "80"dport:443- Destination ports containing "443"src:192.168- Source IPs containing "192.168"dst:github.com- Destinations containing "github.com"process:ssh- Process names containing "ssh"sni:api- SNI hostnames containing "api"ssh:openssh- SSH connections using OpenSSHstate:established- Filter by protocol stateproto:tcp- Filter by protocol type
State filtering:
state:syn_recv- Half-open connections (SYN flood detection)state:established- Established connections onlystate:quic_connected- Active QUIC connectionsstate:dns_query- DNS query connections
Combined examples:
sport:80 process:nginx- Nginx connections from port 80dport:443 sni:google.com- HTTPS to Googleprocess:firefox state:quic_connected- Firefox QUIC connectionsdport:22 ssh:openssh state:established- Established OpenSSH connections
Connection Lifecycle & Visual Indicators
RustNet uses smart timeouts and visual warnings before removing connections:
Visual staleness indicators:
- White: Active (< 75% of timeout)
- Yellow: Stale (75-90% of timeout)
- Red: Critical (> 90% of timeout)
Protocol-aware timeouts:
- HTTP/HTTPS: 10 minutes (supports keep-alive)
- SSH: 30 minutes (long sessions)
- TCP active: 10 minutes, idle: 5 minutes
- QUIC active: 10 minutes, idle: 5 minutes
- DNS: 30 seconds
- TCP CLOSED: 5 seconds
Example: An HTTP connection turns yellow at 7.5 min, red at 9 min, and is removed at 10 min.
See USAGE.md for complete timeout details.
- INSTALL.md - Detailed installation instructions for all platforms, permission setup, and troubleshooting
- USAGE.md - Complete usage guide including command-line options, filtering, sorting, and logging
- ARCHITECTURE.md - Technical architecture, platform implementations, and performance details
- PROFILING.md - Performance profiling guide with flamegraph setup and optimization tips
- ROADMAP.md - Planned features and future improvements
- RELEASE.md - Release process for maintainers
- EBPF_BUILD.md - eBPF build instructions and requirements
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
See CONTRIBUTORS.md for a list of people who have contributed to this project.
This project is licensed under the Apache License, Version 2.0 - see the LICENSE file for details.
- Built with ratatui for the terminal UI
- Packet capture powered by libpcap
- Inspired by tools like
tshark/wireshark/tcpdump,sniffnet,netstat,ss, andiftop - Some code is vibe coded (OMG) / may the LLM gods be with you
Some sections have been moved to dedicated files for better organization:
- Permissions Setup: Now in INSTALL.md - Permissions Setup
- Installation Instructions: Now in INSTALL.md
- Detailed Usage: Now in USAGE.md
- Architecture Details: Now in ARCHITECTURE.md