Releases: domcyrus/rustnet

Release v1.4.0

16 Jun 19:30
b9d97bb

This release redesigns the TUI around a calmer visual hierarchy and, under the hood, splits RustNet into a Cargo workspace of reusable library crates. Many of the TUI ideas came from a detailed UI review by @joshka (Ratatui maintainer) on our showcase submission (ratatui/ratatui-website#1118).
Thanks for the thoughtful feedback!

Added

  • Theme Presets: New --theme flag. The default muted preset keeps a single
    cyan accent and reserves color for signals (state changes, staleness, live
    bandwidth) and addresses; --theme classic restores the previous full-color palette (#377)
  • System Sidebar Toggle: The System panel now has a fixed width and can be
    hidden with the i key (auto-hidden on narrow terminals) (#377)
  • Details Continuity Strip: The Details tab opens with a mini connection table
    of the selected row and its neighbors; j/k flips through them without leaving
    the tab, following the grouped order when process grouping is enabled (#377)
  • Direct-Jump Tab Shortcuts: Jump straight to a tab with keys 1-5, with
    bracket cycle aliases (#318, thanks @obchain)
  • Connection List Scrollbar: A scrollbar appears on the connection list when it
    overflows the viewport (#365)
  • FTP Deep Packet Inspection: Detect the FTP control channel and extract command
    and response metadata (#266, thanks @0xghost42)
  • DNS / mDNS / LLMNR Response IPs: Populate response_ips from A/AAAA answer
    records and extend the extraction to mDNS and LLMNR responses (#319, #333, #341, thanks @0xghost42)
  • Log Identity Banner: Emit a program identity banner and the module target on
    every log line for easier diagnostics (#320, thanks @0xghost42)
  • Landlock v6 IPC Scoping (Linux): Best-effort Landlock that scopes abstract-socket
    and signal IPC on kernels that support it, falling back gracefully on older ABIs (#363)
  • no_new_privs Always Set + cargo-deny: Always set no_new_privs at startup, and
    adopt cargo-deny for supply-chain and license auditing in CI (#382)
  • openSUSE OBS Release Pipeline: Automated openSUSE Build Service releases (#356)

Changed

  • Stable Column Layout: Column widths depend only on the terminal width — they
    no longer shift while scrolling. Narrow terminals hide low-priority columns
    instead of truncating cells; wide terminals distribute the spare width so the
    table spans the full screen with the bandwidth column flush right (#377)
  • Merged Proto/App Column: The Protocol column is merged into Application
    ("TCP·HTTPS"), and the status-dot column is gone — staleness now lives entirely
    in the row styling (#377)
  • Custom Tab Bar and Borderless Sections: Numbered tab bar with an accent
    underline, a single-line filter prompt, and section headers in place of the
    border-box-around-everything look (#377)
  • Dependencies: Routine dependency and GitHub Actions updates across the cycle
    (Dependabot, ~18 PRs)

Fixed

  • Process attribution for short-lived and multithreaded processes (Linux):
    eBPF socket tracking now records the process name (thread-group leader)
    instead of the calling thread's name, so connections from e.g. firefox or dig
    no longer show up as "Socket Thread" or "isc-net-0000"; PID-to-name
    resolution reads /proc/<pid>/comm on demand instead of waiting for the
    periodic scan; and new connections are enriched on a fast 250ms tick, so
    process names appear almost immediately instead of after up to 2 seconds (#376)
  • DLT_NULL Link Layer: Strip the 4-byte address-family header before parsing
    DLT_NULL/loopback captures (#394, thanks @0xghost42)
  • Terminal Restore on Panic: Restore the terminal via a chained panic hook so a
    panic no longer leaves the terminal in raw mode (#364)
  • Scrollbar Thumb: The scrollbar thumb now reaches the bottom at max scroll (#366)
  • Landlock /sys Access: Allow read access to /sys so interface statistics work
    under the Landlock sandbox (#370)
  • Filter Mode Backspace: Handle raw backspace characters in filter mode (#335, thanks @iccccccccccccc)
  • eBPF Error Surfacing: Classify libbpf errors and surface them in the TUI (#255, #258)
  • Native Builds: Skip cross-compile library paths on native builds (#259)
  • RPM Packaging: Own the directories and hicolor icon dirs the package creates, and
    require libcap-progs on openSUSE so the %post setcap runs (#357, #358, #359, #360)
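
The DLT_NULL fix above, sketched as an added example (not RustNet's own code; all names are hypothetical). It goes slightly beyond the changelog entry: besides stripping the 4-byte header, it accepts the address family in either byte order, since the header is written in the capturing host's byte order, and cross-checks it against the IP version nibble.

```rust
// Added example, not RustNet's code: strip the 4-byte DLT_NULL/loopback header.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum L3 {
    Ipv4,
    Ipv6,
}

#[derive(Debug, PartialEq)]
pub enum NullError {
    TooShort,           // no room for the header plus one payload byte
    UnknownFamily(u32), // address family is neither IPv4 nor IPv6
    VersionMismatch,    // header family disagrees with the IP version nibble
}

// AF_INET is 2 everywhere; AF_INET6 differs per OS. These are the values
// libpcap documents for DLT_NULL: 24 (NetBSD/OpenBSD), 28 (FreeBSD), 30 (macOS).
fn family_to_l3(af: u32) -> Option<L3> {
    match af {
        2 => Some(L3::Ipv4),
        24 | 28 | 30 => Some(L3::Ipv6),
        _ => None,
    }
}

/// Returns the layer-3 protocol and the payload that follows the header.
pub fn strip_dlt_null(frame: &[u8]) -> Result<(L3, &[u8]), NullError> {
    if frame.len() < 5 {
        return Err(NullError::TooShort);
    }
    let (hdr, payload) = frame.split_at(4);
    let raw = [hdr[0], hdr[1], hdr[2], hdr[3]];
    // The header is in the byte order of the host that captured the packet,
    // which may differ from the host reading the file, so try both.
    let le = u32::from_le_bytes(raw);
    let be = u32::from_be_bytes(raw);
    let l3 = family_to_l3(le)
        .or_else(|| family_to_l3(be))
        .ok_or(NullError::UnknownFamily(le))?;
    // Do not hand the payload to an IP parser the packet itself contradicts.
    match (l3, payload[0] >> 4) {
        (L3::Ipv4, 4) | (L3::Ipv6, 6) => Ok((l3, payload)),
        _ => Err(NullError::VersionMismatch),
    }
}

fn main() {
    // Constructed frames: little-endian AF_INET + IPv4, big-endian 30 + IPv6.
    println!("{:?}", strip_dlt_null(&[2, 0, 0, 0, 0x45, 0x00]));
    println!("{:?}", strip_dlt_null(&[0, 0, 0, 30, 0x60, 0x00]));
}
```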

Performance

  • Per-Packet Allocations: Cut per-packet allocations and snapshot copy-on-write
    copies on the hot path (#380)
  • Core Types: Add Protocol::as_str() and drop per-row/per-filter to_string
    allocations (#392, thanks @obchain)
  • Connection Table: Borrow the process name in process_text instead of cloning (#390, thanks @obchain)
  • Sparklines / Parsers: Single-allocation sparkline getters, fewer redundant
    collects in the HTTP and SSH parsers, and removed redundant clones in the render path
    and sandbox init (#339, #345, #355, thanks @obchain)

Internal

  • Cargo Workspace Split: RustNet is now a four-crate workspace — rustnet-core
    (packet parsing, protocol/DPI types, link-layer, connection merging, DNS/GeoIP/OUI
    lookups), rustnet-capture (libpcap/Npcap capture backend), rustnet-host
    (per-connection process attribution), and the rustnet-monitor binary. The three
    libraries are now published to crates.io alongside the binary (#367)

Documentation

  • Simplified Chinese: Added a Simplified Chinese README translation and translated
    the rest of the docs, plus zh-CN openSUSE Tumbleweed install instructions
    (#263 thanks @whtis, #277 thanks @luojiyin1987, #361)
  • Install / Packaging Docs: Nix and NixOS instructions and nixpkgs/NixOS-module
    notes, Homebrew core formula pointer, Repology packaging overview, a Mermaid
    architecture diagram, and a PR template with tightened contributor guidelines
    (#264, #270, #281, #285, #286, #311, #332, #369)
  • Ubuntu 26.04 (Resolute) PPA: Added the Resolute PPA build (#254, #256)

Release v1.3.0

05 May 17:06

The headline of this release is a major TUI refresh. The tabs, stats panel, and details view have all been redesigned, with new per-field colors, a status dot, and address scope labels making it easier to read connections at a glance.

Added

  • TUI Revamp: Redesigned tabs, stats panel, and details view (#239)
  • Per-field Colors and Status Dot: New per-field colors, status dot, and magenta panel borders for at-a-glance readability (#241)
  • Address Scope Labels: Remote addresses are tagged PUBLIC, PRIVATE, etc. in the connection list (#251)
  • Reverse DNS Resolution by Default: Reverse DNS resolution is now enabled by default. Use the new --no-resolve-dns flag to opt out (#245)

Fixed

  • Sandbox Info on Overview: Show the full sandbox details on the overview tab (#250)
  • Search Scope and Status Bars: Scope the / search to Overview and tidy the status bars (#229, #230)
  • QUIC Initial Packet Parser: Bounds-check token_len in the Initial packet parser (#244)
  • QUIC Varint Parser: Bounds-check varint lengths and isolate parser panics (#232)
  • Release Pipeline: Fix the downstream trigger race and AUR token permissions (#223)
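
The two QUIC parser fixes above concern length fields taken from the wire. As an added example (not RustNet's own code; all names and the sample packets are constructed for illustration), this is a bounds-checked RFC 9000 varint decoder and an Initial-packet token reader that rejects a token_len larger than the bytes actually present. It assumes QUIC v1 header bits.

```rust
// Added example, not RustNet's code: bounds-checked QUIC v1 Initial parsing.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,  // input ends before the field it announces
    NotInitial, // not a long-header Initial packet
    BadCidLen,  // connection ID longer than the 20 bytes QUIC v1 allows
}

/// Decode one RFC 9000 variable-length integer from the front of `buf`.
/// The top two bits of the first byte select a 1, 2, 4 or 8 byte encoding.
/// Returns (value, bytes consumed).
pub fn read_varint(buf: &[u8]) -> Result<(u64, usize), ParseError> {
    let first = *buf.first().ok_or(ParseError::Truncated)?;
    let len = 1usize << (first >> 6);
    // `get` returns None instead of panicking when the encoding is cut short.
    let bytes = buf.get(..len).ok_or(ParseError::Truncated)?;
    let mut value = u64::from(first & 0x3f);
    for b in &bytes[1..] {
        value = (value << 8) | u64::from(*b);
    }
    Ok((value, len))
}

/// Take `n` bytes at `*pos`, advancing the cursor only on success.
fn take<'a>(buf: &'a [u8], pos: &mut usize, n: usize) -> Result<&'a [u8], ParseError> {
    let end = pos.checked_add(n).ok_or(ParseError::Truncated)?;
    let out = buf.get(*pos..end).ok_or(ParseError::Truncated)?;
    *pos = end;
    Ok(out)
}

/// Return the token of a QUIC v1 Initial packet, or an error if any length
/// field points past the end of the datagram.
pub fn initial_token(pkt: &[u8]) -> Result<&[u8], ParseError> {
    let mut pos = 0;
    let first = take(pkt, &mut pos, 1)?[0];
    // Long header bit (0x80) + fixed bit (0x40) + packet type 0b00 = Initial.
    if first & 0xf0 != 0xc0 {
        return Err(ParseError::NotInitial);
    }
    take(pkt, &mut pos, 4)?; // version
    for _ in 0..2 {
        // Destination connection ID, then source connection ID.
        let cid_len = usize::from(take(pkt, &mut pos, 1)?[0]);
        if cid_len > 20 {
            return Err(ParseError::BadCidLen);
        }
        take(pkt, &mut pos, cid_len)?;
    }
    let (token_len, used) = read_varint(&pkt[pos..])?;
    pos += used;
    // token_len is attacker-controlled: it must fit in what is left.
    let token_len = usize::try_from(token_len).map_err(|_| ParseError::Truncated)?;
    take(pkt, &mut pos, token_len)
}

// Constructed sample: 8-byte DCID, empty SCID, 2-byte token, Length = 0.
pub const GOOD: &[u8] = &[0xc3, 0, 0, 0, 1, 8, 1, 2, 3, 4, 5, 6, 7, 8, 0, 0x02, 0xaa, 0xbb, 0x00];
// Constructed sample: same header, token_len claims 0x3fff bytes, two present.
pub const LYING: &[u8] = &[0xc3, 0, 0, 0, 1, 8, 1, 2, 3, 4, 5, 6, 7, 8, 0, 0x7f, 0xff, 0xaa, 0xbb];

fn main() {
    println!("{:?}", initial_token(GOOD));
    println!("{:?}", initial_token(LYING));
}
```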

Changed

  • Demo Recording Automation: Automate VHS recording for the demo GIF and README screenshots (#247)
  • OUI Vendor Database: Refreshed IEEE OUI vendor database (#242)
  • Dependencies: Bumped rand (0.8.5 to 0.8.6), openssl (0.10.75 to 0.10.78), zip, libbpf-cargo, and other rust-dependencies and actions group updates (#224, #225, #226, #227, #231, #233, #234, #238, #240, #243)

Documentation

  • Windows Sandbox Terminology: Accurate Windows sandbox terminology and roadmap entry (#237)
  • README Polish: README hero polish, metadata tune-up, and accuracy fixes (#236)
  • Crate and Module Docs: Expanded crate and module docs and tuned metadata for discoverability (#235)

Release v1.2.0

09 Apr 10:11

Added

  • Windows Restricted Token Sandbox: Drop privileges at startup on Windows using a restricted process token (#206)
  • macOS Seatbelt Sandboxing: Apply a Seatbelt sandbox profile at startup on macOS, later tightened to restrict filesystem and IPC access (#196, #203)
  • Linux Sandbox Hardening: Drop Linux capabilities and clear the ambient capability set after startup (#208)
  • Process Privilege in UI: Show whether a process is privileged in the security section of the TUI (#197)
  • Filter: Exact Port Matching and Regex Support: Filter syntax supports exact port matches and regex patterns (#195)
  • VLAN Support in PKTAP and SLL/SLL2: Parse VLAN tags in PKTAP and SLL/SLL2 capture formats (#202)
  • VLAN Header in Layer 3 Extraction: Account for VLAN headers when extracting layer 3 data (#199, thanks @deepakpjose)
  • IGMP Protocol Parsing: Recognize and parse IGMP traffic (#209, thanks @deepakpjose)
  • Process Name for Wildcard /proc/net/ Entries: Resolve process names for wildcard (0.0.0.0/::) entries in /proc/net/ (#218, thanks @deepakpjose)
  • CI Supply-Chain Hardening: Pin GitHub Actions to commit SHAs and verify Npcap installer checksums (#210)
  • Architecture Roadmap: Added workspace split and macOS privilege separation roadmap docs (#211)

Fixed

  • Default Interface Selection: Use the active routing table to pick the default interface (#194, thanks @l1a)
  • Root Detection on Unix: Use geteuid() instead of getuid() to detect root (#192, thanks @DeepChirp)
  • Release Pipeline Reliability: Improved release workflow reliability, gated downstream jobs on publish-release, added checksum verification to AUR updates, and documented the no-retag policy (2a38f2d, 795f7a1, 002eb55, 8403a0f)
  • FreeBSD CI Dispatch: Restrict FreeBSD dispatch to manual triggers only (#201)

Changed

  • CPU Efficiency Improvements: Substantial reductions in CPU usage across hot paths — rate calculation moved from per-update to per-refresh (#220), timeouts avoided to improve CPU performance (#213), threads given meaningful names to aid profiling (#212), and allocations reduced in sorting and snapshot paths (#222). Big thanks to @deepakpjose for driving the CPU-efficiency work (#213, #220, #212) — these changes make RustNet noticeably lighter on the CPU.
  • FreeBSD Platform Cleanup: Refactored FreeBSD platform support code (#205)
  • Dependencies: Bumped zip (8.2.0 → 8.3.0 → 8.5.0), clap_mangen, docker/login-action, and other rust-dependencies group updates (#198, #200, #214, #216, #219, #221)
  • OUI Vendor Database: Refreshed IEEE OUI vendor database (#215)

Release v1.1.0

17 Mar 19:20

Added

  • OUI Vendor Lookup for ARP: Display MAC vendor names for ARP connections using IEEE OUI database (#183)
  • Historic Connections Toggle: Toggle to show/hide historic (closed) connections (#184)
  • Mouse Support: Mouse interaction support for TUI navigation (#170)
  • Security Hardening & Packet Stats: Enhanced security hardening and packet statistics display in TUI (#169)
  • GeoIP City Lookup: Show city-level geolocation for remote IPs using GeoLite2 City database (#168)
  • Android Build Support: Native Android builds with static musl linking (#167)
  • Multi-Arch Android Builds: Added armv7, x86_64, and x86 Android static build targets
  • MQTT Protocol Detection: Deep packet inspection for MQTT protocol traffic (#161)
  • STUN Traffic Detection: Detect STUN protocol traffic per RFC 5389/8489 (#160)
  • BitTorrent Traffic Detection: Detect BitTorrent protocol traffic (#159)
  • ARP Performance Benchmarks: Added criterion benchmarks for ARP-related operations (#188)

Fixed

  • Undefined Behavior Fix: Fix UB issues, remove clippy suppressions, add safety documentation (#187)
  • Light Terminal Readability: Fix selection highlight unreadable on light terminal themes (#182)
  • Clipboard Warning: Fix unused variable warning in copy_to_clipboard across platforms (#178)
  • Android Cross-Compilation: Fix cross-compilation and release upload issues for Android targets (#174)
  • MQTT Detection Accuracy: Restrict MQTT signature detection to CONNECT packets only (#164)

Changed

  • Documentation: Synced docs with implementation, added missing keyboard shortcuts (#190, #157)
  • CI/CD: Staged release pipeline so downstream jobs wait for builds (#154), added FreeBSD coverage to PR builds (#158)
  • Dependencies: Bumped chrono, http_req, zip, and various rust-dependencies groups

Release v1.0.0

10 Feb 19:28

Added

  • GeoIP Location Support: Show country codes for remote IPs using GeoLite2 databases with auto-discovery (#151)
  • PCAP Export with Process Attribution: Export captured packets to PCAP files with a process attribution JSONL sidecar for Wireshark enrichment (#137)
  • eBPF-based ICMP PID Tracking: Track process IDs for ICMP connections using eBPF on Linux (#136)
  • Process Detection Degradation Warnings: Show warnings in the UI when process detection falls back to a less accurate method (#128)
  • ARM64 Musl Static Builds: CI now produces arm64 musl static Linux builds with eBPF support

Fixed

  • Service Name Precedence: Corrected ordering when multiple service name sources conflict (#150)
  • Pointer Dereference Safety: Use as_ref() for safer pointer dereference in macOS/FreeBSD interface stats (#147)
  • Clippy Warnings: Resolve unnecessary_unwrap errors flagged by clippy (#144)
  • ICMP Dead Code: Remove dead code warning in ICMP handling (#138)
  • GitHub Actions Permissions: Add explicit permissions to all GitHub Actions workflows (#131)
  • Logging Initialization: Set up logging level before privileges check for earlier diagnostic output (#143)

Changed

  • SSH Heuristic Tightened: Tighten SSH packet structure heuristic to reduce false positives (#135)
  • CI Reusable Workflows: Share build logic via reusable workflow, remove redundant test-static-builds workflow
  • Chocolatey Automation: Trigger Chocolatey package publish on release automatically
  • Code Alignment: Refactoring and code alignment improvements (#149)
  • Dependencies: Updated libbpf-rs to 0.26, bumped clap, time, zip, lru, and libc
  • Documentation: Clarified RustNet vs Wireshark positioning, added PowerShell font troubleshooting, added JSON logging to feature comparison, added bandwhich to acknowledgments (#129, #130, #132, #133)

Release v0.18.0

07 Jan 19:49

Added

  • Process Grouping: Expandable tree view to group connections by process (a to toggle grouping, Space to expand/collapse)
  • Traffic Visualization Graph Tab: New Graph tab with real-time network traffic graphs and bandwidth visualization (press Tab to cycle through tabs)
  • Network Health Visualization: Health indicators in Graph tab showing connection quality metrics
  • Reverse DNS Hostnames: Display reverse DNS names in Details tab and filter PTR traffic (--resolve-dns to enable, d to toggle display)
  • BPF Filter Support: New --bpf-filter option for custom packet capture filtering (e.g., --bpf-filter "port 443")
  • Clear All Connections: New hotkey (x) to clear all tracked connections
  • Enhanced JSON Logging: Added pid, process_name, service_name fields to JSON log output
  • New DPI Protocols: NTP, mDNS, LLMNR, DHCP, SNMP, SSDP, NetBIOS protocol detection with enhanced ARP display
  • Static Musl Builds: Linux static binary builds using musl for better portability
  • Platform-Specific Help: CLI help now shows platform-specific options

Fixed

  • macOS BPF Filter: Skip PKTAP when BPF filter is specified to avoid conflicts
  • Linux Clipboard: Handle clipboard access blocked by Landlock sandbox gracefully
  • Interface Stats: Use safer pointer dereference in interface statistics

Changed

  • FreeBSD Builds: Moved to separate rustnet-bsd repository for native builds
  • CI Improvements: Homebrew formula auto-update on release, AUR workflow on publish
  • Dependencies: Updated ratatui to 0.30.0, various dependency updates
  • Documentation: Added contribution guidelines, Chocolatey and Arch Linux installation instructions

Release v0.17.0

07 Dec 11:31

Added

  • Landlock Sandbox for Linux: Filesystem and network sandboxing for enhanced security
    • Restricts filesystem access to /proc only after initialization
    • Network sandbox blocks TCP bind/connect on kernel 6.4+
    • Drops CAP_NET_RAW capability after pcap handle is opened
    • New CLI options: --no-sandbox and --sandbox-strict
    • Comprehensive security documentation in SECURITY.md
  • eBPF Thread Name Resolution: Resolve eBPF thread names (e.g., 'Socket Thread') to main process names (e.g., 'firefox')
    • Uses periodic procfs PID cache for resolution
    • Falls back to eBPF name for short-lived processes
  • AUR Package Automation: Automated Arch Linux AUR package publishing workflow

Changed

  • Platform Code Reorganization: Restructured platform-specific code into cleaner module hierarchy
    • src/network/platform/linux/ - Linux-specific code with eBPF and sandbox subdirectories
    • src/network/platform/macos/ - macOS-specific code
    • src/network/platform/freebsd/ - FreeBSD-specific code
    • src/network/platform/windows/ - Windows-specific code
  • QUIC DPI Simplification: Unified SNI extraction helpers and simplified QUIC protocol handling

Fixed

  • Test Determinism: Made RateTracker tests deterministic with injectable timestamps

What's Changed

  • feat: reorganize platform code into per-platform directories by @domcyrus in #81
  • chore(deps): bump vmactions/freebsd-vm from 1.2.7 to 1.2.8 in the actions group by @dependabot[bot] in #82
  • chore(deps): bump pcap from 2.3.0 to 2.4.0 in the rust-dependencies group by @dependabot[bot] in #83
  • refactor: simplify QUIC DPI and reorganize platform code by @domcyrus in #84
  • fix: make RateTracker tests deterministic with injectable timestamps by @domcyrus in #85
  • feat: add Landlock sandbox and capability dropping for Linux by @domcyrus in #86
  • fix(linux): resolve eBPF thread names to main process names by @domcyrus in #87

Full Changelog: v0.16.1...v0.17.0

Release v0.16.1

22 Nov 20:34

Added

  • Network Interface Statistics: Real-time monitoring of network interface statistics across all platforms
    • Cross-platform support for Linux, macOS, Windows, and FreeBSD
    • Display of interface-level metrics including packets sent/received, bytes transferred, and errors
    • Platform-specific implementations optimized for each operating system
    • New interface statistics module with dedicated platform handlers
    • TCP network analytics 🎉 :)

Fixed

  • Cross-Compilation: Fixed eBPF build issues when cross-compiling to non-Linux platforms
    • Made libbpf-cargo an optional build dependency
    • Fixed build.rs to check TARGET environment variable instead of host platform
    • Prevents Linux-specific dependencies from being built for FreeBSD, macOS, and Windows
  • FreeBSD Build: Switched from cross-compilation to native FreeBSD VM builds
    • Uses vmactions/freebsd-vm for native FreeBSD compilation
    • Eliminates cross-compilation sysroot and library linking issues
    • Ensures FreeBSD builds work reliably with native package manager

Full Changelog: v0.16.0...v0.16.1

Release v0.15.0

25 Oct 20:48

Added

  • Ubuntu PPA Packaging: Official Ubuntu PPA repository for easy installation on Ubuntu/Debian-based distributions
    • Automated GitHub Actions workflow for PPA releases
    • Support for multiple Ubuntu versions

Changed

  • Bandwidth Sorting: Changed bandwidth sorting to use combined up+down total instead of separate up/down sorting
    • Simpler sorting behavior: press s once to sort by total bandwidth
    • Display still shows "Down/Up" with individual values
    • Arrow indicator shows when sorting by combined bandwidth total
  • Packet Capture Permissions: Removed CAP_NET_ADMIN and CAP_SYS_ADMIN requirements
    • Uses read-only packet capture (non-promiscuous mode)
    • Reduced security footprint with minimal required capabilities

Fixed

  • Bandwidth Rate Tracking: Improved accuracy and stability of bandwidth rate calculations
    • More consistent rate measurements
    • Better handling of network traffic bursts

What's Changed

  • Add Ubuntu PPA packaging support by @domcyrus in #47
  • docs: add Ubuntu PPA and Fedora COPR installation instructions by @domcyrus in #48
  • chore(deps): bump libc from 0.2.176 to 0.2.177 by @dependabot[bot] in #57
  • chore(deps): bump clap_mangen from 0.2.29 to 0.2.30 by @dependabot[bot] in #56
  • chore(deps): bump clap from 4.5.48 to 4.5.49 by @dependabot[bot] in #55
  • chore(deps): bump clap_complete from 4.5.58 to 4.5.59 by @dependabot[bot] in #54
  • chore(deps): bump zip from 5.1.1 to 6.0.0 by @dependabot[bot] in #53
  • chore(deps): bump actions/attest-build-provenance from 1 to 3 by @dependabot[bot] in #52
  • chore(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #51
  • chore(deps): bump docker/build-push-action from 5 to 6 by @dependabot[bot] in #50
  • chore(deps): bump actions/download-artifact from 4 to 5 by @dependabot[bot] in #49
  • chore(deps): bump windows from 0.61.3 to 0.62.2 by @dependabot[bot] in #58
  • feat: remove CAP_NET_ADMIN and CAP_SYS_ADMIN, use read-only packet capture by @domcyrus in #59
  • chore(deps): bump clap from 4.5.49 to 4.5.50 by @dependabot[bot] in #60
  • chore(deps): bump dns-lookup from 3.0.0 to 3.0.1 by @dependabot[bot] in #61
  • chore(deps): bump clap_mangen from 0.2.30 to 0.2.31 by @dependabot[bot] in #62
  • fix: improve bandwidth rate tracking accuracy and stability by @domcyrus in #63
  • Sort bandwidth by combined up+down total by @domcyrus in #64

Full Changelog: v0.14.0...v0.15.0

Release v0.14.0

12 Oct 12:32

Added

  • eBPF Enabled by Default on Linux: eBPF support is now enabled by default on Linux builds for enhanced performance
    • Provides faster socket tracking with reduced overhead
    • Includes CO-RE (Compile Once - Run Everywhere) support
    • Graceful fallback to procfs when eBPF is unavailable
  • JSON Logging for SIEM Integration: New JSON-structured logging output for security information and event management systems
    • Enables integration with enterprise monitoring and security platforms
    • Structured log format for easier parsing and analysis
  • TUN/TAP Interface Support: Added support for TUN/TAP virtual network interfaces
    • Enables monitoring of VPN connections and virtual network devices
    • Expands interface compatibility for complex network setups
  • Fedora COPR RPM Packaging: Official Fedora COPR repository for easy installation on Fedora/RHEL-based distributions

Fixed

  • High CPU Usage on Linux: Eliminated excessive procfs scanning causing high CPU utilization
    • Optimized process lookup frequency and caching strategy
    • Significantly reduced system resource consumption during monitoring

Changed

  • Build Dependencies: Bundled vmlinux.h files to eliminate network dependency during builds
    • Improves build reliability and offline build capability
    • Reduces external dependencies for compilation
  • Documentation: Restructured documentation into focused files with improved musl static build documentation

Full Changelog: v0.13.0...v0.14.0