Releases: domcyrus/rustnet

Release v1.3.0

05 May 17:06

The headline of this release is a major TUI refresh. The tabs, stats panel, and details view have all been redesigned, with new per-field colors, a status dot, and address scope labels making it easier to read connections at a glance.

Added

  • TUI Revamp: Redesigned tabs, stats panel, and details view (#239)
  • Per-field Colors and Status Dot: New per-field colors, status dot, and magenta panel borders for at-a-glance readability (#241)
  • Address Scope Labels: Remote addresses are tagged PUBLIC, PRIVATE, etc. in the connection list (#251)
  • Reverse DNS Resolution by Default: Reverse DNS resolution is now enabled by default. Use the new --no-resolve-dns flag to opt out (#245)

Fixed

  • Sandbox Info on Overview: Show the full sandbox details on the overview tab (#250)
  • Search Scope and Status Bars: Scope the / search to Overview and tidy the status bars (#229, #230)
  • QUIC Initial Packet Parser: Bounds-check token_len in the Initial packet parser (#244)
  • QUIC Varint Parser: Bounds-check varint lengths and isolate parser panics (#232)
  • Release Pipeline: Fix the downstream trigger race and AUR token permissions (#223)
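
Both QUIC fixes in this list concern length fields read from untrusted packet bytes. The following is an added example, not RustNet's code: it assumes the QUIC v1 long-header layout from RFC 9000, and the function names, the error type and the `catch_unwind` wrapper are choices made for this illustration.

```rust
// Added example, not RustNet's code. Assumes the QUIC v1 long-header layout (RFC 9000).
use std::panic;

#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated, NotLongHeader, NotInitial }

/// Slice `len` bytes at `pos`, returning an error instead of panicking when they are missing.
fn take(buf: &[u8], pos: usize, len: usize) -> Result<&[u8], ParseError> {
    let end = pos.checked_add(len).ok_or(ParseError::Truncated)?;
    buf.get(pos..end).ok_or(ParseError::Truncated)
}

/// Decode a variable-length integer at `pos`; returns (value, bytes consumed).
pub fn read_varint(buf: &[u8], pos: usize) -> Result<(u64, usize), ParseError> {
    let first = *buf.get(pos).ok_or(ParseError::Truncated)?;
    let len = 1usize << (first >> 6); // top two bits select 1, 2, 4 or 8 bytes
    let bytes = take(buf, pos, len)?; // the claimed length must fit in the buffer
    let mut value = u64::from(first & 0x3f);
    for b in &bytes[1..] {
        value = (value << 8) | u64::from(*b);
    }
    Ok((value, len))
}

/// Return the token field of an Initial packet, validating every length on the way.
pub fn initial_token(pkt: &[u8]) -> Result<&[u8], ParseError> {
    let first = *pkt.first().ok_or(ParseError::Truncated)?;
    if first & 0x80 == 0 { return Err(ParseError::NotLongHeader); }
    if first & 0x30 != 0 { return Err(ParseError::NotInitial); } // type 0b00 = Initial in v1
    let mut pos = 5; // flags byte + 4-byte version
    for _ in 0..2 {
        // DCID, then SCID: one length byte followed by the ID itself
        let cid_len = usize::from(*pkt.get(pos).ok_or(ParseError::Truncated)?);
        take(pkt, pos + 1, cid_len)?;
        pos += 1 + cid_len;
    }
    let (token_len, n) = read_varint(pkt, pos)?;
    // token_len comes from the wire and can be as large as 2^62 - 1.
    if token_len > pkt.len() as u64 { return Err(ParseError::Truncated); }
    take(pkt, pos + n, token_len as usize)
}

/// Contain any panic from the parser so one bad packet cannot take down the caller.
pub fn initial_token_isolated(pkt: &[u8]) -> Option<&[u8]> {
    panic::catch_unwind(move || initial_token(pkt)).ok()?.ok()
}

fn main() {
    // Constructed packet: token_len claims 255 bytes, only one follows.
    let lying = [0xc0u8, 0, 0, 0, 1, 0, 0, 0x40, 0xff, 0x01];
    println!("{:?}", initial_token(&lying)); // Err(Truncated)
}
```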

Changed

  • Demo Recording Automation: Automate VHS recording for the demo GIF and README screenshots (#247)
  • OUI Vendor Database: Refreshed IEEE OUI vendor database (#242)
  • Dependencies: Bumped rand (0.8.5 to 0.8.6), openssl (0.10.75 to 0.10.78), zip, libbpf-cargo, and other rust-dependencies and actions group updates (#224, #225, #226, #227, #231, #233, #234, #238, #240, #243)

Documentation

  • Windows Sandbox Terminology: Accurate Windows sandbox terminology and roadmap entry (#237)
  • README Polish: README hero polish, metadata tune-up, and accuracy fixes (#236)
  • Crate and Module Docs: Expanded crate and module docs and tuned metadata for discoverability (#235)

Release v1.2.0

09 Apr 10:11

Added

  • Windows Restricted Token Sandbox: Drop privileges at startup on Windows using a restricted process token (#206)
  • macOS Seatbelt Sandboxing: Apply a Seatbelt sandbox profile at startup on macOS, later tightened to restrict filesystem and IPC access (#196, #203)
  • Linux Sandbox Hardening: Drop Linux capabilities and clear the ambient capability set after startup (#208)
  • Process Privilege in UI: Show whether a process is privileged in the security section of the TUI (#197)
  • Filter: Exact Port Matching and Regex Support: Filter syntax supports exact port matches and regex patterns (#195)
  • VLAN Support in PKTAP and SLL/SLL2: Parse VLAN tags in PKTAP and SLL/SLL2 capture formats (#202)
  • VLAN Header in Layer 3 Extraction: Account for VLAN headers when extracting layer 3 data (#199, thanks @deepakpjose)
  • IGMP Protocol Parsing: Recognize and parse IGMP traffic (#209, thanks @deepakpjose)
  • Process Name for Wildcard /proc/net/ Entries: Resolve process names for wildcard (0.0.0.0/::) entries in /proc/net/ (#218, thanks @deepakpjose)
  • CI Supply-Chain Hardening: Pin GitHub Actions to commit SHAs and verify Npcap installer checksums (#210)
  • Architecture Roadmap: Added workspace split and macOS privilege separation roadmap docs (#211)

Fixed

  • Default Interface Selection: Use the active routing table to pick the default interface (#194, thanks @l1a)
  • Root Detection on Unix: Use geteuid() instead of getuid() to detect root (#192, thanks @DeepChirp)
  • Release Pipeline Reliability: Improved release workflow reliability, gated downstream jobs on publish-release, added checksum verification to AUR updates, and documented the no-retag policy (2a38f2d, 795f7a1, 002eb55, 8403a0f)
  • FreeBSD CI Dispatch: Restrict FreeBSD dispatch to manual triggers only (#201)

Changed

  • CPU Efficiency Improvements: Substantial reductions in CPU usage across hot paths — rate calculation moved from per-update to per-refresh (#220), timeouts avoided to improve CPU performance (#213), threads given meaningful names to aid profiling (#212), and allocations reduced in sorting and snapshot paths (#222). Big thanks to @deepakpjose for driving the CPU-efficiency work (#213, #220, #212) — these changes make RustNet noticeably lighter on the CPU.
  • FreeBSD Platform Cleanup: Refactored FreeBSD platform support code (#205)
  • Dependencies: Bumped zip (8.2.0 → 8.3.0 → 8.5.0), clap_mangen, docker/login-action, and other rust-dependencies group updates (#198, #200, #214, #216, #219, #221)
  • OUI Vendor Database: Refreshed IEEE OUI vendor database (#215)

Contributors

Special thanks to the external contributors in this release:

Release v1.1.0

17 Mar 19:20

Added

  • OUI Vendor Lookup for ARP: Display MAC vendor names for ARP connections using IEEE OUI database (#183)
  • Historic Connections Toggle: Toggle to show/hide historic (closed) connections (#184)
  • Mouse Support: Mouse interaction support for TUI navigation (#170)
  • Security Hardening & Packet Stats: Enhanced security hardening and packet statistics display in TUI (#169)
  • GeoIP City Lookup: Show city-level geolocation for remote IPs using GeoLite2 City database (#168)
  • Android Build Support: Native Android builds with static musl linking (#167)
  • Multi-Arch Android Builds: Added armv7, x86_64, and x86 Android static build targets
  • MQTT Protocol Detection: Deep packet inspection for MQTT protocol traffic (#161)
  • STUN Traffic Detection: Detect STUN protocol traffic per RFC 5389/8489 (#160)
  • BitTorrent Traffic Detection: Detect BitTorrent protocol traffic (#159)
  • ARP Performance Benchmarks: Added criterion benchmarks for ARP-related operations (#188)

Fixed

  • Undefined Behavior Fix: Fix UB issues, remove clippy suppressions, add safety documentation (#187)
  • Light Terminal Readability: Fix selection highlight unreadable on light terminal themes (#182)
  • Clipboard Warning: Fix unused variable warning in copy_to_clipboard across platforms (#178)
  • Android Cross-Compilation: Fix cross-compilation and release upload issues for Android targets (#174)
  • MQTT Detection Accuracy: Restrict MQTT signature detection to CONNECT packets only (#164)

Changed

  • Documentation: Synced docs with implementation, added missing keyboard shortcuts (#190, #157)
  • CI/CD: Staged release pipeline so downstream jobs wait for builds (#154), added FreeBSD coverage to PR builds (#158)
  • Dependencies: Bumped chrono, http_req, zip, and various rust-dependencies groups

Release v1.0.0

10 Feb 19:28

Added

  • GeoIP Location Support: Show country codes for remote IPs using GeoLite2 databases with auto-discovery (#151)
  • PCAP Export with Process Attribution: Export captured packets to PCAP files with a process attribution JSONL sidecar for Wireshark enrichment (#137)
  • eBPF-based ICMP PID Tracking: Track process IDs for ICMP connections using eBPF on Linux (#136)
  • Process Detection Degradation Warnings: Show warnings in the UI when process detection falls back to a less accurate method (#128)
  • ARM64 Musl Static Builds: CI now produces arm64 musl static Linux builds with eBPF support

Fixed

  • Service Name Precedence: Corrected ordering when multiple service name sources conflict (#150)
  • Pointer Dereference Safety: Use as_ref() for safer pointer dereference in macOS/FreeBSD interface stats (#147)
  • Clippy Warnings: Resolve unnecessary_unwrap errors flagged by clippy (#144)
  • ICMP Dead Code: Remove dead code warning in ICMP handling (#138)
  • GitHub Actions Permissions: Add explicit permissions to all GitHub Actions workflows (#131)
  • Logging Initialization: Set up logging level before privileges check for earlier diagnostic output (#143)

Changed

  • SSH Heuristic Tightened: Tighten SSH packet structure heuristic to reduce false positives (#135)
  • CI Reusable Workflows: Share build logic via reusable workflow, remove redundant test-static-builds workflow
  • Chocolatey Automation: Trigger Chocolatey package publish on release automatically
  • Code Alignment: Refactoring and code alignment improvements (#149)
  • Dependencies: Updated libbpf-rs to 0.26, bumped clap, time, zip, lru, and libc
  • Documentation: Clarified RustNet vs Wireshark positioning, added PowerShell font troubleshooting, added JSON logging to feature comparison, added bandwhich to acknowledgments (#129, #130, #132, #133)

Release v0.18.0

07 Jan 19:49

Added

  • Process Grouping: Expandable tree view to group connections by process (a to toggle grouping, Space to expand/collapse)
  • Traffic Visualization Graph Tab: New Graph tab with real-time network traffic graphs and bandwidth visualization (press Tab to cycle through tabs)
  • Network Health Visualization: Health indicators in Graph tab showing connection quality metrics
  • Reverse DNS Hostnames: Display reverse DNS names in Details tab and filter PTR traffic (--resolve-dns to enable, d to toggle display)
  • BPF Filter Support: New --bpf-filter option for custom packet capture filtering (e.g., --bpf-filter "port 443")
  • Clear All Connections: New hotkey (x) to clear all tracked connections
  • Enhanced JSON Logging: Added pid, process_name, service_name fields to JSON log output
  • New DPI Protocols: NTP, mDNS, LLMNR, DHCP, SNMP, SSDP, NetBIOS protocol detection with enhanced ARP display
  • Static Musl Builds: Linux static binary builds using musl for better portability
  • Platform-Specific Help: CLI help now shows platform-specific options

Fixed

  • macOS BPF Filter: Skip PKTAP when BPF filter is specified to avoid conflicts
  • Linux Clipboard: Handle clipboard access blocked by Landlock sandbox gracefully
  • Interface Stats: Use safer pointer dereference in interface statistics

Changed

  • FreeBSD Builds: Moved to separate rustnet-bsd repository for native builds
  • CI Improvements: Homebrew formula auto-update on release, AUR workflow on publish
  • Dependencies: Updated ratatui to 0.30.0, various dependency updates
  • Documentation: Added contribution guidelines, Chocolatey and Arch Linux installation instructions

Release v0.17.0

07 Dec 11:31

Added

  • Landlock Sandbox for Linux: Filesystem and network sandboxing for enhanced security
    • Restricts filesystem access to /proc only after initialization
    • Network sandbox blocks TCP bind/connect on kernel 6.4+
    • Drops CAP_NET_RAW capability after pcap handle is opened
    • New CLI options: --no-sandbox and --sandbox-strict
    • Comprehensive security documentation in SECURITY.md
  • eBPF Thread Name Resolution: Resolve eBPF thread names (e.g., 'Socket Thread') to main process names (e.g., 'firefox')
    • Uses periodic procfs PID cache for resolution
    • Falls back to eBPF name for short-lived processes
  • AUR Package Automation: Automated Arch Linux AUR package publishing workflow

Changed

  • Platform Code Reorganization: Restructured platform-specific code into cleaner module hierarchy
    • src/network/platform/linux/ - Linux-specific code with eBPF and sandbox subdirectories
    • src/network/platform/macos/ - macOS-specific code
    • src/network/platform/freebsd/ - FreeBSD-specific code
    • src/network/platform/windows/ - Windows-specific code
  • QUIC DPI Simplification: Unified SNI extraction helpers and simplified QUIC protocol handling

Fixed

  • Test Determinism: Made RateTracker tests deterministic with injectable timestamps

What's Changed

  • feat: reorganize platform code into per-platform directories by @domcyrus in #81
  • chore(deps): bump vmactions/freebsd-vm from 1.2.7 to 1.2.8 in the actions group by @dependabot[bot] in #82
  • chore(deps): bump pcap from 2.3.0 to 2.4.0 in the rust-dependencies group by @dependabot[bot] in #83
  • refactor: simplify QUIC DPI and reorganize platform code by @domcyrus in #84
  • fix: make RateTracker tests deterministic with injectable timestamps by @domcyrus in #85
  • feat: add Landlock sandbox and capability dropping for Linux by @domcyrus in #86
  • fix(linux): resolve eBPF thread names to main process names by @domcyrus in #87

Full Changelog: v0.16.1...v0.17.0

Release v0.16.1

22 Nov 20:34

Added

  • Network Interface Statistics: Real-time monitoring of network interface statistics across all platforms
    • Cross-platform support for Linux, macOS, Windows, and FreeBSD
    • Display of interface-level metrics including packets sent/received, bytes transferred, and errors
    • Platform-specific implementations optimized for each operating system
    • New interface statistics module with dedicated platform handlers
    • TCP network analytics 🎉 :)

Fixed

  • Cross-Compilation: Fixed eBPF build issues when cross-compiling to non-Linux platforms
    • Made libbpf-cargo an optional build dependency
    • Fixed build.rs to check TARGET environment variable instead of host platform
    • Prevents Linux-specific dependencies from being built for FreeBSD, macOS, and Windows
  • FreeBSD Build: Switched from cross-compilation to native FreeBSD VM builds
    • Uses vmactions/freebsd-vm for native FreeBSD compilation
    • Eliminates cross-compilation sysroot and library linking issues
    • Ensures FreeBSD builds work reliably with native package manager

Full Changelog: v0.16.0...v0.16.1

Release v0.15.0

25 Oct 20:48

Added

  • Ubuntu PPA Packaging: Official Ubuntu PPA repository for easy installation on Ubuntu/Debian-based distributions
    • Automated GitHub Actions workflow for PPA releases
    • Support for multiple Ubuntu versions

Changed

  • Bandwidth Sorting: Changed bandwidth sorting to use combined up+down total instead of separate up/down sorting
    • Simpler sorting behavior: press s once to sort by total bandwidth
    • Display still shows "Down/Up" with individual values
    • Arrow indicator shows when sorting by combined bandwidth total
  • Packet Capture Permissions: Removed CAP_NET_ADMIN and CAP_SYS_ADMIN requirements
    • Uses read-only packet capture (non-promiscuous mode)
    • Reduced security footprint with minimal required capabilities

Fixed

  • Bandwidth Rate Tracking: Improved accuracy and stability of bandwidth rate calculations
    • More consistent rate measurements
    • Better handling of network traffic bursts

What's Changed

  • Add Ubuntu PPA packaging support by @domcyrus in #47
  • docs: add Ubuntu PPA and Fedora COPR installation instructions by @domcyrus in #48
  • chore(deps): bump libc from 0.2.176 to 0.2.177 by @dependabot[bot] in #57
  • chore(deps): bump clap_mangen from 0.2.29 to 0.2.30 by @dependabot[bot] in #56
  • chore(deps): bump clap from 4.5.48 to 4.5.49 by @dependabot[bot] in #55
  • chore(deps): bump clap_complete from 4.5.58 to 4.5.59 by @dependabot[bot] in #54
  • chore(deps): bump zip from 5.1.1 to 6.0.0 by @dependabot[bot] in #53
  • chore(deps): bump actions/attest-build-provenance from 1 to 3 by @dependabot[bot] in #52
  • chore(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #51
  • chore(deps): bump docker/build-push-action from 5 to 6 by @dependabot[bot] in #50
  • chore(deps): bump actions/download-artifact from 4 to 5 by @dependabot[bot] in #49
  • chore(deps): bump windows from 0.61.3 to 0.62.2 by @dependabot[bot] in #58
  • feat: remove CAP_NET_ADMIN and CAP_SYS_ADMIN, use read-only packet capture by @domcyrus in #59
  • chore(deps): bump clap from 4.5.49 to 4.5.50 by @dependabot[bot] in #60
  • chore(deps): bump dns-lookup from 3.0.0 to 3.0.1 by @dependabot[bot] in #61
  • chore(deps): bump clap_mangen from 0.2.30 to 0.2.31 by @dependabot[bot] in #62
  • fix: improve bandwidth rate tracking accuracy and stability by @domcyrus in #63
  • Sort bandwidth by combined up+down total by @domcyrus in #64

Full Changelog: v0.14.0...v0.15.0

Release v0.14.0

12 Oct 12:32

Added

  • eBPF Enabled by Default on Linux: eBPF support is now enabled by default on Linux builds for enhanced performance
    • Provides faster socket tracking with reduced overhead
    • Includes CO-RE (Compile Once - Run Everywhere) support
    • Graceful fallback to procfs when eBPF is unavailable
  • JSON Logging for SIEM Integration: New JSON-structured logging output for security information and event management systems
    • Enables integration with enterprise monitoring and security platforms
    • Structured log format for easier parsing and analysis
  • TUN/TAP Interface Support: Added support for TUN/TAP virtual network interfaces
    • Enables monitoring of VPN connections and virtual network devices
    • Expands interface compatibility for complex network setups
  • Fedora COPR RPM Packaging: Official Fedora COPR repository for easy installation on Fedora/RHEL-based distributions

Fixed

  • High CPU Usage on Linux: Eliminated excessive procfs scanning causing high CPU utilization
    • Optimized process lookup frequency and caching strategy
    • Significantly reduced system resource consumption during monitoring

Changed

  • Build Dependencies: Bundled vmlinux.h files to eliminate network dependency during builds
    • Improves build reliability and offline build capability
    • Reduces external dependencies for compilation
  • Documentation: Restructured documentation into focused files with improved musl static build documentation

Full Changelog: v0.13.0...v0.14.0

Release v0.13.0

04 Oct 15:15

Added

  • Windows Process Identification: Implemented full process lookup using Windows IP Helper API
    • Uses GetExtendedTcpTable and GetExtendedUdpTable for connection-to-process mapping
    • Resolves process names via OpenProcess and QueryFullProcessImageNameW
    • Supports both TCP/UDP and IPv4/IPv6 connections
    • Implements time-based caching with 2-second TTL for performance
    • Migrated from winapi to windows crate (v0.59) for better maintainability
  • Privilege Detection: Pre-flight privilege checking before network interface access
    • Detects insufficient privileges on Linux, macOS, and Windows
    • Provides platform-specific instructions (sudo, setcap, Docker flags)
    • Shows errors before TUI initialization for better visibility
    • Detects container environments with Docker-specific guidance

Fixed

  • Packet Length Calculation: Use actual packet length from IP headers instead of captured length
    • Extracts Total Length field from IP headers for accurate byte counting
    • Fixes severe undercounting for large packets (NFS, jumbo frames)
    • Resolves issues with snaplen-limited capture buffers
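
The packet length fix above, shown as an added example that is not RustNet's code: the buffer is assumed to start at the IP header, and the function names and the fallback to the captured length are choices made for this illustration.

```rust
// Added example, not RustNet's code. Input starts at the IP header
// (link-layer header already removed); that framing is an assumption.

/// Read a big-endian u16 at `at`, or None if the capture was cut before it.
fn be16(buf: &[u8], at: usize) -> Option<usize> {
    let b = buf.get(at..at + 2)?;
    Some(usize::from(u16::from_be_bytes([b[0], b[1]])))
}

/// Length the IP header declares for the whole packet.
pub fn declared_len(captured: &[u8]) -> Option<usize> {
    match *captured.first()? >> 4 {
        // IPv4 Total Length covers header + payload; below 20 it cannot be valid.
        4 => be16(captured, 2).filter(|&n| n >= 20),
        // IPv6 Payload Length excludes the 40-byte fixed header.
        6 => be16(captured, 4).map(|p| p + 40),
        _ => None,
    }
}

/// Bytes to account for: the declared length when the header is readable and
/// plausible, otherwise the number of bytes the capture actually holds.
pub fn accounted_len(captured: &[u8]) -> usize {
    declared_len(captured).unwrap_or(captured.len())
}

fn main() {
    // Constructed: IPv4 header declaring 9000 bytes, capture cut to 96 bytes by snaplen.
    let mut pkt = [0u8; 96];
    pkt[0] = 0x45;
    pkt[2..4].copy_from_slice(&9000u16.to_be_bytes());
    println!("captured={} accounted={}", pkt.len(), accounted_len(&pkt));
}
```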

Changed

  • Documentation: Updated ROADMAP.md and README.md with Windows process identification status and Arch Linux installation instructions

What's Changed

  • fix: use actual packet length from IP headers instead of captured length by @domcyrus in #35
  • Feat/privilege detection by @domcyrus in #31
  • feat: implement Windows process identification via IP Helper API by @domcyrus in #37

Full Changelog: v0.12.1...v0.13.0