// the find
domcyrus/rustnet
Per-process network monitoring for your terminal with deep packet inspection. Cross-platform, sandboxed.
RustNet is a terminal network monitor that shows live TCP/UDP/QUIC connections mapped to the process that owns them, which is exactly the gap between the two usual tools: netstat (or ss) lists sockets and their owning PIDs but shows nothing about what flows over them, and Wireshark shows every byte on the wire but has no idea which process sent it. It does this via eBPF on Linux, PKTAP on macOS, and native APIs on Windows/FreeBSD, with DPI layered on top so protocols are identified from payload bytes rather than port numbers, without external dissectors. The target audience is developers and sysadmins who want a quick answer to 'what is this process phoning home to, and why?'
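To make the "identify protocols from payload bytes, not ports" claim concrete, here is an added first-packet classifier for the protocols the review names. It is example code, not RustNet's, and the function and type names are my own; the byte signatures are the public wire-format constants of each protocol (TLS record header, BitTorrent handshake, MQTT CONNECT, QUIC long header, STUN magic cookie, BOOTP magic cookie). The sample payloads in `main` are constructed, not captured.

```rust
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Transport { Tcp, Udp }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Proto { Tls, Quic, Mqtt, BitTorrent, Stun, Dns, Dhcp, Unknown }

/// Classify the first payload bytes of a flow from wire-format signatures.
/// `dst_port` is used only for DNS/mDNS: a 12-byte header with a valid opcode
/// is too weak a signature on its own, so a port hint (53 / 5353) is required there.
pub fn classify(t: Transport, dst_port: u16, p: &[u8]) -> Proto {
    match t {
        Transport::Tcp => classify_tcp(p),
        Transport::Udp => classify_udp(dst_port, p),
    }
}

fn classify_tcp(p: &[u8]) -> Proto {
    // TLS: record type 0x16 (handshake), version 0x03 0x00..0x04, then
    // handshake type 0x01 (ClientHello) right after the 5-byte record header.
    if p.len() >= 6 && p[0] == 0x16 && p[1] == 0x03 && p[2] <= 0x04 && p[5] == 0x01 {
        return Proto::Tls;
    }
    // BitTorrent peer handshake: pstrlen 19 followed by "BitTorrent protocol".
    if p.len() >= 20 && p[0] == 19 && &p[1..20] == b"BitTorrent protocol" {
        return Proto::BitTorrent;
    }
    // MQTT CONNECT: packet type 1 in the high nibble (0x10), a varint
    // "remaining length", then the length-prefixed protocol name.
    if !p.is_empty() && p[0] == 0x10 {
        if let Some(off) = mqtt_body_offset(p) {
            let names: [&[u8]; 2] = [b"\x00\x04MQTT", b"\x00\x06MQIsdp"];
            if names.iter().any(|n| p[off..].starts_with(n)) {
                return Proto::Mqtt;
            }
        }
    }
    Proto::Unknown
}

/// MQTT remaining length is a 1..4 byte varint; return the offset of the byte after it.
fn mqtt_body_offset(p: &[u8]) -> Option<usize> {
    (1..=4).find(|&i| i < p.len() && p[i] & 0x80 == 0).map(|i| i + 1)
}

fn classify_udp(dst_port: u16, p: &[u8]) -> Proto {
    // QUIC long header (RFC 9000): bit 7 = long header, bit 6 = fixed bit,
    // then a 4-byte version: v1, v2 (RFC 9369) or a greased 0x?a?a?a?a value.
    if p.len() >= 5 && p[0] & 0xc0 == 0xc0 {
        let ver = u32::from_be_bytes([p[1], p[2], p[3], p[4]]);
        if ver == 0x0000_0001 || ver == 0x6b33_43cf || ver & 0x0f0f_0f0f == 0x0a0a_0a0a {
            return Proto::Quic;
        }
    }
    // STUN (RFC 5389): top two bits zero and the magic cookie at bytes 4..8.
    if p.len() >= 20 && p[0] & 0xc0 == 0 && p[4..8] == [0x21, 0x12, 0xa4, 0x42] {
        return Proto::Stun;
    }
    // DHCP: BOOTP op 1/2, htype 1 (Ethernet), hlen 6, magic cookie at offset 236.
    if p.len() >= 240 && (p[0] == 1 || p[0] == 2) && p[1] == 1 && p[2] == 6
        && p[236..240] == [0x63, 0x82, 0x53, 0x63]
    {
        return Proto::Dhcp;
    }
    // DNS / mDNS: 12-byte header with opcode 0..5, plus the port hint.
    if (dst_port == 53 || dst_port == 5353) && p.len() >= 12 && ((p[2] >> 3) & 0x0f) <= 5 {
        return Proto::Dns;
    }
    Proto::Unknown
}

fn main() {
    // Constructed sample payloads (not captured traffic).
    let samples: Vec<(&str, Transport, u16, Vec<u8>)> = vec![
        ("tls-client-hello", Transport::Tcp, 443, vec![0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0, 0, 0x01, 0]),
        ("quic-initial-v1", Transport::Udp, 443, vec![0xc3, 0, 0, 0, 1, 0x08]),
        ("mqtt-connect", Transport::Tcp, 1883, vec![0x10, 0x0c, 0, 4, b'M', b'Q', b'T', b'T', 4, 2, 0, 0x3c, 0, 0]),
        ("http-get (no rule)", Transport::Tcp, 80, b"GET / HTTP/1.1\r\n".to_vec()),
    ];
    for (name, t, port, p) in &samples {
        println!("{:>20}: {:?}", name, classify(*t, *port, p));
    }
}
```

The ordering inside each transport matters: QUIC and STUN are disjoint on the top two bits of byte 0, but DHCP and DNS both start with small values, so the stronger signature (the 4-byte magic cookie at offset 236) is tested before the weak port-gated DNS rule. A real DPI layer would also track state across packets; this one only looks at the first payload.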
Per-process attribution via eBPF is genuinely the right approach. Polling procfs means joining one snapshot of /proc/net/tcp against a later walk of every /proc/<pid>/fd, so any connection that opens and closes between the two is never attributed, and short-lived connections are exactly the ones you most want to see; hooking socket lifecycle events in the kernel removes that window. The DPI coverage is unusually wide: QUIC, MQTT, BitTorrent, STUN, mDNS, and DHCP are not protocols most similar tools bother with. Sandboxing (Landlock on Linux, Seatbelt on macOS, privilege drop on Windows) is on by default rather than opt-in, which is the right call for a tool that requires raw packet access: the DPI layer parses attacker-controlled bytes in a process that started with elevated privileges, so a parser bug should be contained rather than handed the whole host. The workspace is split into rustnet-core, rustnet-capture, and rustnet-host crates, which keeps the platform-specific eBPF/PKTAP code out of the DPI logic.
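To show why the procfs route is racy, here is an added example (not RustNet's code) of the procfs join that eBPF replaces: parse the /proc/net/tcp table, map socket inodes to PIDs from the `socket:[<inode>]` symlinks under /proc/<pid>/fd, and join the two. The snapshots are constructed inline so it runs offline; the little-endian address encoding is an assumption about the host, and the second socket is deliberately left without an owning fd to reproduce the attribution gap.

```rust
use std::collections::HashMap;
use std::net::Ipv4Addr;

pub const TCP_ESTABLISHED: u8 = 0x01;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct TcpEntry {
    pub local: (Ipv4Addr, u16),
    pub remote: (Ipv4Addr, u16),
    pub state: u8,
    pub inode: u64,
}

/// /proc/net/tcp prints IPv4 addresses as 8 hex digits in host byte order,
/// so on little-endian hosts (assumed here) "0100007F:1F90" is 127.0.0.1:8080.
fn parse_addr(s: &str) -> Option<(Ipv4Addr, u16)> {
    let (ip, port) = s.split_once(':')?;
    let ip = u32::from_str_radix(ip, 16).ok()?;
    let port = u16::from_str_radix(port, 16).ok()?;
    Some((Ipv4Addr::from(ip.swap_bytes()), port))
}

/// Parse the /proc/net/tcp table (one header line, then one socket per line).
/// Column 9 is the socket inode, the only key shared with /proc/<pid>/fd.
pub fn parse_proc_net_tcp(text: &str) -> Vec<TcpEntry> {
    text.lines()
        .skip(1)
        .filter_map(|line| {
            let f: Vec<&str> = line.split_whitespace().collect();
            if f.len() < 10 {
                return None;
            }
            Some(TcpEntry {
                local: parse_addr(f[1])?,
                remote: parse_addr(f[2])?,
                state: u8::from_str_radix(f[3], 16).ok()?,
                inode: f[9].parse().ok()?,
            })
        })
        .collect()
}

/// Build inode -> pid from readlink() results of /proc/<pid>/fd/* entries.
/// Sockets show up as "socket:[<inode>]"; everything else is ignored.
pub fn socket_owners(fd_tables: &[(u32, Vec<&str>)]) -> HashMap<u64, u32> {
    let mut owners = HashMap::new();
    for (pid, links) in fd_tables {
        for link in links {
            if let Some(inode) = link
                .strip_prefix("socket:[")
                .and_then(|r| r.strip_suffix(']'))
                .and_then(|r| r.parse::<u64>().ok())
            {
                owners.insert(inode, *pid);
            }
        }
    }
    owners
}

/// Join the two snapshots. `None` is the race: the socket was in the table but
/// no fd pointed at it when the fd walk happened (the process exited, or the
/// socket opened and closed in between). eBPF socket hooks see the event itself.
pub fn attribute(entries: &[TcpEntry], owners: &HashMap<u64, u32>) -> Vec<(TcpEntry, Option<u32>)> {
    entries.iter().map(|e| (*e, owners.get(&e.inode).copied())).collect()
}

// Constructed snapshot (not from a live system): two ESTABLISHED sockets,
// 127.0.0.1:8080 and 10.0.2.15:41652 -> 93.184.216.34:443.
pub const SAMPLE_PROC_NET_TCP: &str =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 0100007F:B4D2 01 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 20 4 30 10 -1
   1: 0F02000A:A2B4 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 999001 1 0000000000000000 20 4 30 10 -1
";

fn main() {
    let entries = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP);
    // Only inode 123456 still has an owner in the (later) fd snapshot.
    let owners = socket_owners(&[(4242, vec!["/dev/null", "socket:[123456]", "anon_inode:[eventpoll]"])]);
    for (e, pid) in attribute(&entries, &owners) {
        println!("{}:{} -> {}:{} pid={:?}", e.local.0, e.local.1, e.remote.0, e.remote.1, pid);
    }
}
```

Note that the join also needs read access to every /proc/<pid>/fd, which means root or CAP_SYS_PTRACE, so the procfs approach is not even cheaper in privileges than the eBPF one.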
The eBPF comm field truncation is a real UX problem, not just a footnote. The kernel's comm buffer is 16 bytes including the NUL terminator, so only 15 characters survive, and 'Isolated Web Co' is what a Firefox content process (which names itself 'Isolated Web Content') looks like; that is confusing enough that users will blame the tool. comm is also just a thread name the process can set for itself, so the durable fix is to resolve the executable via /proc/<pid>/exe once per PID and keep comm as a secondary label. The MaxMind GeoLite2 database ships as a static asset with no mechanism described for keeping it current; MaxMind refreshes GeoLite2 regularly, and data that is six months stale gives wrong country lookups with no indication that anything is wrong. The '--pcap-export plus pcap_enrich.py' workflow for getting process attribution into Wireshark is documented but clearly a rough edge; a Python script in scripts/ suggests it was bolted on rather than designed. On Windows you still need Npcap installed separately with a specific compatibility flag, an installation footgun that will stop a meaningful fraction of Windows users before they see a single packet.
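The comm truncation and its fix, as an added example that is not RustNet's code. `kernel_comm` simulates what `bpf_get_current_comm()` delivers (assumption: the name is cut at 15 bytes and NUL-terminated, as the kernel's copy does); `resolve` treats any full-length comm as suspect and prefers the basename of the /proc/<pid>/exe link, which the caller reads and passes in so the code runs offline. The exe path is used rather than argv[0] because both comm and argv are rewritable by the process itself, and a process that calls itself `sshd` should not be trusted on its own say-so.

```rust
/// Kernel constant: the comm buffer is 16 bytes including the NUL terminator,
/// so at most 15 characters of the name survive.
pub const TASK_COMM_LEN: usize = 16;

/// Simulates what bpf_get_current_comm() hands userspace: the name copied into
/// a 16-byte buffer, cut at 15 bytes and NUL-terminated (assumption: mirrors the
/// kernel's strscpy; real names come from exec or prctl(PR_SET_NAME)).
pub fn kernel_comm(name: &str) -> [u8; TASK_COMM_LEN] {
    let mut buf = [0u8; TASK_COMM_LEN];
    let n = name.len().min(TASK_COMM_LEN - 1);
    buf[..n].copy_from_slice(&name.as_bytes()[..n]);
    buf
}

/// Decode the raw buffer up to the first NUL.
pub fn comm_str(raw: &[u8; TASK_COMM_LEN]) -> &str {
    let end = raw.iter().position(|&b| b == 0).unwrap_or(TASK_COMM_LEN);
    std::str::from_utf8(&raw[..end]).unwrap_or("?")
}

/// A 15-byte comm is indistinguishable from a longer name cut at 15, so every
/// full-length comm has to be treated as possibly truncated.
pub fn maybe_truncated(comm: &str) -> bool {
    comm.len() == TASK_COMM_LEN - 1
}

#[derive(Debug, PartialEq, Eq)]
pub struct ProcName {
    pub display: String,
    pub comm: String,
    pub truncated: bool,
}

/// Resolve a display name for an eBPF event. `exe` is the readlink() target of
/// /proc/<pid>/exe, passed in by the caller; it is None when the process has
/// already exited (the short-lived case) or is a kernel thread. When exe is
/// known it is shown first and comm kept in brackets, because for multi-process
/// apps (browsers) comm is the per-role thread name, which is still useful.
pub fn resolve(raw: &[u8; TASK_COMM_LEN], exe: Option<&str>) -> ProcName {
    let comm = comm_str(raw).to_string();
    let truncated = maybe_truncated(&comm);
    let base = exe.and_then(|p| p.rsplit('/').next()).filter(|b| !b.is_empty());
    let display = match base {
        Some(b) if b != comm.as_str() => format!("{} [{}]", b, comm),
        Some(b) => b.to_string(),
        // No exe to fall back on: mark the name as possibly cut ("~" is this
        // example's convention) instead of presenting it as complete.
        None if truncated => format!("{}~", comm),
        None => comm.clone(),
    };
    ProcName { display, comm, truncated }
}

fn main() {
    // Constructed inputs: a Firefox content process, a plain curl, and a
    // process that exited before /proc/<pid>/exe could be read.
    let cases = [
        ("Isolated Web Content", Some("/usr/lib/firefox/firefox")),
        ("curl", Some("/usr/bin/curl")),
        ("Isolated Web Content", None),
    ];
    for &(name, exe) in cases.iter() {
        println!("{:?}", resolve(&kernel_comm(name), exe));
    }
}
```

Reading /proc/<pid>/exe requires the same privilege as ptrace on that process (root, or CAP_SYS_PTRACE), which a packet-capture tool already has at startup; the lookup should happen once per PID and be cached, since the exited-process case is precisely the one where a later lookup fails.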