NetFlow - Real-time Network Traffic Analyzer

A high-performance Linux CLI/TUI application that monitors network traffic in real-time, showing active connections, bandwidth usage per application, and traffic visualization. Built with Rust for maximum performance and memory safety.

Features

Core Capabilities

• Real-time Packet Capture: Captures all network packets using libpcap with BPF filter support
• Protocol Parsing: Full support for TCP, UDP, ICMP over IPv4 and IPv6
• Process Association: Maps network connections to running processes using /proc filesystem
• Bandwidth Tracking: Real-time bandwidth calculation per connection and per process
• Terminal UI: Beautiful, interactive TUI with multiple views

Views

• Overview: System-wide statistics including total bandwidth, active connections, packet counts
• Process View: List of processes sorted by bandwidth usage, connection count, or name
• Connection View: Detailed list of all active network connections with process mapping

Advanced Features

• Filtering: Filter traffic by process name, PID, port, protocol, or IP range
• Data Export: Export snapshots to JSON or CSV for analysis
• Real-time Updates: Configurable refresh interval for live monitoring
• Low Overhead: Efficient packet processing with minimal system impact

Prerequisites

System Requirements

• Operating System: Linux (kernel 2.6+)
• Architecture: x86_64, ARM64
• Privileges: Root access or CAP_NET_RAW capability

Dependencies

• Rust: 1.70 or later
• libpcap: Development headers

Installing Dependencies

Debian/Ubuntu:

sudo apt-get update
sudo apt-get install libpcap-dev build-essential

Fedora/RHEL/CentOS:

sudo dnf install libpcap-devel gcc

Arch Linux:

sudo pacman -S libpcap base-devel

Installation

From Source

1. Clone the repository:

git clone https://github.com/yourusername/Real-Time-Network-Analyzer.git
cd Real-Time-Network-Analyzer

2. Build the project:

cargo build --release

3. Install the binary:

sudo cp target/release/netflow /usr/local/bin/

4. Set capabilities (optional, to run without sudo):

sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/netflow

Usage

Basic Usage

Run with default settings (requires root):

sudo netflow

Command-Line Options

NetFlow - Real-time Network Traffic Analyzer

Usage: netflow [OPTIONS]

Options:
  -i, --interface <INTERFACE>  Network interface to monitor (e.g., eth0, wlan0)
  -p, --promiscuous           Enable promiscuous mode
  -f, --filter <FILTER>       BPF filter expression
  -e, --export <FILE>         Export to file (JSON or CSV)
  -r, --refresh <MS>          Refresh interval in milliseconds [default: 1000]
  -d, --debug                 Enable debug logging
  -h, --help                  Print help
  -V, --version               Print version

Examples

Monitor specific interface:

sudo netflow -i eth0

Monitor with BPF filter (only HTTPS traffic):

sudo netflow -f "tcp port 443"

Export snapshot after 60 seconds:

sudo netflow -e /tmp/traffic.json

Monitor with faster refresh rate:

sudo netflow -r 500

Debug mode:

sudo netflow -d

Keyboard Controls

When running in TUI mode:

Key	Action
Tab	Next tab
Shift+Tab	Previous tab
↑ / ↓	Navigate lists
b	Sort by bandwidth
n	Sort by name
c	Sort by connection count
q	Quit

Architecture

Project Structure

netflow/
├── src/
│   ├── capture/       # Packet capture using libpcap
│   ├── parser/        # Protocol parsers (TCP/UDP/ICMP)
│   ├── process/       # Process-to-socket mapping
│   ├── aggregator/    # Traffic statistics & state management
│   ├── ui/            # Terminal UI with ratatui
│   ├── filter/        # Traffic filtering engine
│   ├── export/        # JSON/CSV export
│   └── main.rs        # Application entry point
├── Cargo.toml
└── README.md

Data Flow

Raw Packets (libpcap)
    ↓
Protocol Parser (Ethernet → IP → TCP/UDP)
    ↓
Connection Tracker (5-tuple)
    ↓
Process Resolver (/proc/net/tcp, /proc/{pid}/fd)
    ↓
Traffic Aggregator (bandwidth calculation)
    ↓
Terminal UI / Export

How It Works

1. Packet Capture: Uses libpcap to capture raw packets from network interface
2. Parsing: Extracts connection information (5-tuple: src_ip, src_port, dst_ip, dst_port, protocol)
3. Process Mapping:
   • Reads /proc/net/tcp and /proc/net/udp to get socket inodes
   • Scans /proc/{pid}/fd/ to map inodes to PIDs
   • Retrieves process names from /proc/{pid}/stat
4. Aggregation: Calculates bandwidth over time windows (1s, 5s)
5. Display: Updates TUI with real-time statistics

Performance

• Packet Processing: ~100K packets/second on modern hardware
• Memory Usage: ~50MB base + ~1KB per active connection
• CPU Usage: ~5-10% on single core at moderate traffic levels

Limitations

• Linux Only: Uses Linux-specific /proc filesystem
• Root Required: Packet capture requires elevated privileges
• Local System Only: Cannot monitor remote systems directly
• Short-lived Connections: May miss very brief connections (< 1 second)

Troubleshooting

Permission Denied

Error: Failed to open capture device

Solution: Run with sudo or set capabilities:

sudo setcap cap_net_raw,cap_net_admin=eip /path/to/netflow

No Packets Captured

Active Connections: 0

Solution:

• Verify interface is correct: ip link show
• Check for existing BPF filters
• Ensure traffic is actually flowing

Process Names Show as "Unknown"

Solution:

• Some processes may restrict /proc access
• Short-lived connections may close before process is resolved
• Try running with higher privileges

High CPU Usage

Solution:

• Increase refresh interval: -r 2000
• Apply BPF filter to reduce packet volume
• Ensure release build: cargo build --release

Development

Building from Source

# Debug build
cargo build

# Release build (optimized)
cargo build --release

# Run tests
cargo test

# Run with logging
RUST_LOG=debug cargo run -- -d

Adding Features

The codebase is modular and extensible:

• New protocols: Extend parser/mod.rs
• Additional filters: Add to filter/mod.rs
• Export formats: Implement in export/mod.rs
• UI improvements: Modify ui/mod.rs

Roadmap

• GeoIP integration for location mapping
• Real-time graphs and sparklines
• DNS resolution for remote addresses
• Historical data analysis
• Alert system for unusual traffic
• Web dashboard
• Docker container support
• Packet capture file (pcap) analysis mode

Contributing

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch
3. Make your changes with tests
4. Submit a pull request

License

This project is licensed under the MIT License - see LICENSE file for details.

Acknowledgments

• Built with libpcap for packet capture
• UI powered by ratatui
• Inspired by iftop, nethogs, and bandwhich

Security

This tool requires elevated privileges to capture network traffic. Always:

• Review the source code before running
• Only monitor networks you own or have permission to monitor
• Be aware that packet capture can expose sensitive data
• Use appropriate filtering to minimize privacy concerns

Support

For bugs, feature requests, or questions:

• Open an issue on GitHub
• Check existing issues for solutions
• Include debug output when reporting problems

---

Note: This is a monitoring tool for legitimate network analysis. Unauthorized network monitoring may be illegal in your jurisdiction.