Full L2–L7 DPI
Ethernet, ARP, IPv4, IPv6, TCP, UDP, ICMP, TLS, HTTP, DNS, QUIC, HTTP/2, gRPC, WebSocket, SSH, SIP, NTP, BGP — decoded in one pass with no external parsers.
pktana decodes every frame — Ethernet to TLS to gRPC — in a single pass. Live DPI, JA3 fingerprinting, GeoIP, risk scoring, and a Wireshark-style TUI. One static Rust binary. Zero external dependencies.
pktana bridges the gap between low-level packet debugging and day-to-day operational visibility — one focused workspace instead of a fragmented collection of tools.
The project is built in Rust because packet tooling needs both performance and safety. Packet analyzers operate on untrusted inputs, and memory-safe parsing matters when the tool is expected to grow into a serious production-grade platform.
Today pktana provides a strong foundation: raw frame decoding, L2–L7 protocol parsing, TCP/TLS/DNS/DHCP flow analysis, JA3 fingerprinting, GeoIP, risk scoring, a full-screen TUI, a web UI, batch pcap modes, and optional live capture through feature-gated pcap support.
The long-term vision: a Linux-native packet analysis platform with deeper L2–L7 coverage, native eBPF capture paths, stream reassembly, indexed flow storage, and a REST API for observability pipeline integration.
Native packages for RHEL/Rocky/Alma 7 & 9, Ubuntu 22.04/24.04, and Debian 12. Published on GitHub Releases and crates.io.
pktana v0.5.0 is a fully capable packet analysis platform. The core library and the CLI are split across two Rust crates, with deep protocol coverage and a single static binary.
Full ClientHello decode: cipher suites, extensions, elliptic curves, ALPN. JA3 hash generated for every TLS handshake. GREASE values filtered per RFC 8701.
VXLAN, GRE, and Geneve inner frames are fully re-decoded including inner IPs, ports, and application protocol — not just outer headers.
0–100 composite risk score per packet. Detects deprecated TLS, NTP amplification, high-entropy DNS (DGA), SYN scans, NULL scans, and 12+ anomaly types.
Record live traffic, parse any .pcap file with full DPI, or browse it interactively in the TUI. No root required for offline analysis.
Full-screen terminal dashboard with live packet table, protocol breakdown, top-talker GeoIP, flow analysis, hex dump, and offline pcap browsing.
Pure-Rust HTTP server with SSE live streaming, multi-session capture, connection table, routing, NIC stats, GeoIP lookup, and a built-in terminal.
Probes NIC dataplane: XDP programs, AF_XDP zero-copy sockets, DPDK userspace bindings, SR-IOV PF/VF roles, hardware offload status.
Country and continent lookup for every remote IP. Embedded binary database — no network call, no API key, no external file required.
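The GREASE filtering step described under TLS fingerprinting above, as an added Python example that is not pktana's code: it builds a constructed ClientHello carrying RFC 8701 GREASE values in its cipher suites, extensions and supported groups, parses the five JA3 inputs back out, drops the GREASE values and produces the JA3 string with its MD5 hash. The ClientHello bytes are constructed for the example, not captured traffic.

```python
import hashlib
import struct

def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values have the form 0xXaXa (0x0a0a, 0x1a1a, ..., 0xfafa)."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

u16 = lambda v: struct.pack(">H", v)                     # big-endian 16-bit field

def u16_vec(vals) -> bytes:                              # length-prefixed u16 vector
    body = b"".join(u16(v) for v in vals)
    return u16(len(body)) + body

def build_client_hello() -> bytes:
    """Constructed sample ClientHello (not captured traffic) carrying GREASE values."""
    body = u16(0x0303) + bytes(32) + b"\x00"             # legacy version, random, empty session id
    body += u16_vec([0x0a0a, 0x1301, 0x1302, 0xc02b])    # cipher suites; 0x0a0a is GREASE
    body += b"\x01\x00"                                  # compression methods: null only
    exts = u16(0x0a0a) + u16(0)                          # GREASE extension with empty body
    exts += u16(23) + u16(0)                             # extended_master_secret
    exts += u16(10) + u16(8) + u16_vec([0x1a1a, 29, 23]) # supported_groups; 0x1a1a is GREASE
    exts += u16(11) + u16(2) + b"\x01\x00"               # ec_point_formats: uncompressed
    body += u16(len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body # handshake type 1 + 24-bit length

def parse_client_hello(hs: bytes) -> dict:
    """Extract the five JA3 inputs from a raw TLS Handshake message of type ClientHello."""
    rd = lambda i: struct.unpack(">H", hs[i:i + 2])[0]   # big-endian u16 at offset i
    version, pos = rd(4), 4 + 2 + 32                     # past type+length, version, random
    pos += 1 + hs[pos]                                   # session id
    ciphers = [rd(i) for i in range(pos + 2, pos + 2 + rd(pos), 2)]
    pos += 2 + rd(pos)                                   # cipher suites
    pos += 1 + hs[pos]                                   # compression methods
    exts, curves, formats = [], [], []
    end = pos + 2 + rd(pos) if pos < len(hs) else pos    # extensions block is optional
    pos += 2
    while pos < end:
        etype, elen, data = rd(pos), rd(pos + 2), pos + 4
        exts.append(etype)
        if etype == 10:                                  # supported_groups
            curves = [rd(i) for i in range(data + 2, data + 2 + rd(data), 2)]
        elif etype == 11:                                # ec_point_formats
            formats = list(hs[data + 1:data + 1 + hs[data]])
        pos = data + elen
    return {"version": version, "ciphers": ciphers, "exts": exts, "curves": curves, "formats": formats}

def ja3(fields: dict) -> tuple:
    """JA3 string with GREASE values removed from every list, plus its MD5 fingerprint."""
    join = lambda vals: "-".join(str(v) for v in vals if not is_grease(v))
    s = ",".join([str(fields["version"]), join(fields["ciphers"]), join(fields["exts"]), join(fields["curves"]), join(fields["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()
```

Without the filter the same client would produce a different JA3 hash on every connection, since RFC 8701 lets clients rotate which GREASE values they send.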
pktana ingests traffic from the wire or a pcap file, decodes every frame through a full L2–L7 pipeline, and enriches it with DPI, risk scoring, GeoIP, and tunnel re-inspection.
Complete reference for every CLI command, web API endpoint, DPI engine field, flow analyzer, protocol coverage, and the Rust library API.
Architecture, design goals, project structure, and how pktana fits into your workflow.
Every command and flag with examples: capture, inspect, hex, tui, web, geoip, and more.
All REST and SSE endpoints, full request/response schemas, and curl examples.
Full DeepPacket struct, dissection pipeline, risk scoring, and anomaly detection.
Embed pktana-core in your own Rust project — capture, inspect, GeoIP, flows, connections.
Dev setup, code conventions, adding protocols, commands, and API endpoints to pktana.
v0.5.0 delivers full L2–L7 DPI, JA3, tunnel re-inspection, risk scoring, TUI, and pcap support. Here's what comes next.
TCP session tracking, stream reassembly, and per-stream application-layer decode for HTTP, TLS, and connection-oriented protocols.
Native Linux capture path using eBPF and XDP — no libpcap dependency, lower overhead, driver-level attachment before sk_buff allocation.
Persistent flow storage with time-range queries so operators can inspect traffic from any point in time without replaying pcap files.
REST API and exporters for integration with SIEM pipelines, Prometheus metrics, and existing infrastructure observability stacks.
pktana speaks directly to engineers who want clean Linux packet visibility without the usual fragmented workflow across too many tools.
The product story is strong because it combines packet analysis, flow summaries, Linux-first deployment, and a serious roadmap for deeper protocol support.
The architecture feels intentional. A reusable core parser plus a clean CLI makes pktana look like a strong foundation for a bigger observability platform.
If pktana is useful to you, you can support its development by sponsoring, sharing, or contributing directly.
Visit the GitHub project and support the work by starring, sharing, or contributing to the codebase directly.
Want to sponsor development, discuss enterprise use, or support the project financially? Get in touch directly.
Share pktana with Linux, networking, SRE, and systems communities to help it reach the engineers who need it.
Questions, collaboration, consulting, or feedback on pktana — reach out directly.