Commit Graph

10 Commits

Author SHA1 Message Date
Marco Cadetg f3f192763a
feat: add PCAP export with process attribution sidecar (#137)
- Add --pcap-export flag to stream packets to PCAP file
- Write connection metadata (PID, process, timestamps) to JSONL sidecar
- Include Python script for enriching PCAP with process info
- Update documentation with usage examples and workflow
2026-01-17 19:51:07 +01:00
Marco Cadetg 6f05f29384
docs: clarify RustNet vs Wireshark positioning (#133) 2026-01-11 12:08:27 +01:00
Marco Cadetg 807e87df54
docs: add JSON logging to feature comparison (#130) 2026-01-09 17:05:51 +01:00
Marco Cadetg 53123f3fa2
Add bandwhich to acknowledgments and comparison table to architecture docs (#129) 2026-01-09 11:59:32 +01:00
Marco Cadetg 79bb1e0e7a
feat(dpi): add NTP, mDNS, LLMNR, DHCP, SNMP, SSDP, NetBIOS protocols and enhanced ARP display (#121)
2026-01-03 14:22:35 +01:00
Marco Cadetg 5a059a3a12
feat: add Landlock sandbox and capability dropping for Linux (#86)
* feat: add Landlock sandbox and capability dropping for Linux

- Restrict filesystem access to /proc only after initialization
- Block TCP bind/connect on kernel 6.4+ (network sandbox)
- Drop CAP_NET_RAW after pcap handle opened
- Add --no-sandbox and --sandbox-strict CLI options
- Show privilege info on non-Linux platforms in UI
- Add SECURITY.md documentation

* fix: remove unused set_sandbox_info and hide Landlock line on non-Linux

* fix: gate SandboxInfo to Linux only to fix clippy warnings

* fix: add is_admin() function for Windows builds

The Windows build was failing because ui.rs called crate::is_admin()
but the function didn't exist. Added the implementation using Windows
Security API to check if the process has elevated privileges.

Also added Win32_Security feature to windows crate dependencies.

* fix: add is_admin() to main.rs for Windows binary crate

The previous fix added is_admin() to lib.rs but ui.rs is compiled
as part of the binary crate (main.rs), not the library crate.
Added the function to main.rs so crate::is_admin() resolves correctly.
2025-12-06 17:50:21 +01:00
Marco Cadetg 3a8e8614bc
feat: reorganize platform code into per-platform directories (#81)
* feat: reorganize platform code into per-platform directories

- Move platform files into linux/, macos/, windows/, freebsd/ subdirectories
- Unify create_process_lookup() API with _use_pktap parameter across all platforms
- Update build.rs paths for eBPF program location
- Reduce cfg attributes in main mod.rs from ~42 to 8

* fix: widen tolerance for test_sliding_window_no_skip_first_sample

Increase acceptable range from 9000-11000 to 5000-15000 to account
for timing variability on macOS ARM CI runners.

* docs: update Linux build dependencies and remove EBPF_BUILD.md

- Add missing build-essential, pkg-config, zlib1g-dev to documentation
- Update rust.yml CI with complete dependencies
- Remove EBPF_BUILD.md (info already in INSTALL.md)
- Update references in README.md and ARCHITECTURE.md
2025-11-30 18:08:11 +01:00
Marco Cadetg 4ae965a8a4
feat: remove CAP_NET_ADMIN and CAP_SYS_ADMIN, use read-only packet capture (#59)
Remove the CAP_NET_ADMIN requirement and eliminate the need for CAP_SYS_ADMIN on
modern kernels by using non-promiscuous mode for packet capture. This
significantly reduces the security surface by following the principle of least privilege.
2025-10-19 17:03:58 +02:00
Marco Cadetg e1d4118e55
docs: update release, architecture docs 2025-10-13 10:01:39 +02:00
Marco Cadetg b6b593056c
docs: restructure documentation into focused files
Split large README.md (1101 lines) into separate documentation files
for better organization and maintainability:

- README.md: condensed to 233 lines with quick start and overview
- INSTALL.md: complete installation guide and permissions setup
- USAGE.md: detailed usage guide with filtering and sorting
- ARCHITECTURE.md: technical details and platform implementations
- EBPF_BUILD.md: updated references to new INSTALL.md structure

Added collapsible sections in README for optional details and
included "Documentation Moved" section for backward compatibility
with external links.
2025-10-09 13:12:47 +02:00