nsave Network Packet Capture Tool

Expert guidance for working with nsave, a high-performance network packet capture and storage tool written in Rust that efficiently captures network traffic and saves it to disk with advanced querying capabilities.

What This Skill Does

This skill provides comprehensive guidance for developing, building, testing, and maintaining the nsave packet capture tool. It covers the multi-crate architecture (main application, eBPF programs, common utilities), packet capture mechanisms (AF_XDP with eBPF, PCAP fallback), storage system (chunk-based, time-indexed), flow management, and CLI tooling.

Instructions

When working with the nsave codebase, follow these guidelines:

1. Understanding the Architecture

Before making changes, understand the system architecture:

**Multi-crate structure**: `nsave/` (main app), `ebpf/` (eBPF programs), `common/` (shared utilities)

**Packet capture layer**: AF_XDP with eBPF for high performance, PCAP as fallback

**Multi-threaded processing**: Main thread (capture), writer threads (storage), clean thread (cleanup)

**Storage system**: Chunk-based (80KB default), time-based hierarchical indexing, 5-tuple connection indexing

**Flow management**: Connection tracking with TCP state and sequence numbers

**Key data structures to be familiar with**:

`PacketKey`: 5-tuple connection identifier (src_ip, src_port, dst_ip, dst_port, protocol)

`FlowNode`: Connection state and metadata

`ChunkPool`: Memory management for packets

`TimeIndex`: Temporal query indexing

`ChunkIndex`: Connection-based query indexing

2. Build and Development Commands

**Standard development build**:

```bash

cargo build

```

**Build with debug features**:

```bash

cargo build --features debug_mode

```

**Run tests**:

```bash

All tests

cargo test

Specific module

cargo test --package nsave mmapbuf

With output

cargo test -- --nocapture

eBPF tests

cargo test --package ebpf

```

**Code quality checks**:

```bash

Format check

cargo fmt --check

Linting

cargo clippy --tests

```

3. Running the Application

**Start packet capture daemon** (requires root):

```bash

cargo run --bin nsave --config 'target."cfg(all())".runner="sudo -E"'

```

**CLI query examples**:

5-tuple search:

```bash

nsave-cli search -s 2024-03-28-12:00:00 -e 2024-03-28-22:00:00 --sip 192.168.1.1 -D 192.168.1.2 -P tcp

```

BPF filter search:

```bash

nsave-cli bpf_search -s 2024-07-28-21:10:00 -e 2024-07-28-21:15:00 --bpf "tcp or udp"

```

Export to pcap:

```bash

nsave-cli search -s 2024-05-18-15:36:36 -e 2024-05-18-15:36:47 --sip 10.11.20.255 -D 10.11.20.14 -P udp -f ~/dump.pcap

```

4. Configuration Management

The tool requires a TOML configuration file (`.nsave_conf.toml` in home directory). Key sections:

**Capture**: Interface selection, packet length limits, BPF filtering

**Storage**: Store path, file/chunk sizes, writer thread count

**Performance**: Channel buffer sizes, timer intervals, memory pool settings

**Flow tracking**: Connection timeouts, table capacity, TCP sequence gap handling

Configuration is handled in `configure.rs` with validation.

5. Making Code Changes

**CRITICAL**: Before implementing any changes:

1. **List all modification points**: Create a detailed list of every file and function that needs to be modified

2. **Wait for approval**: Present the modification plan and wait for user confirmation

3. **Implement incrementally**: After approval, ask for confirmation before modifying each item

4. **Test thoroughly**: Run relevant tests after each change

**Example workflow**:

```

User: "Add support for filtering by port range"

You: "I need to modify the following components:

1. nsave/src/cli/main.rs - Add port range arguments

2. nsave/src/flow.rs - Update PacketKey matching logic

3. nsave/src/store.rs - Modify query function

4. nsave/src/bin/cli/main.rs - Update CLI parsing

Should I proceed with these changes?"

[Wait for approval]

You: "Starting with 1/4: Modifying nsave/src/cli/main.rs to add --sport-range and --dport-range arguments. Proceed?"

[Continue incrementally after each approval]

```

6. Key Module Locations

**Entry points**:

`nsave/src/main.rs` - Main daemon

`nsave/src/bin/cli/main.rs` - CLI query tool

`ebpf/src/main.rs` - eBPF program

**Core modules**:

`capture.rs` - Packet capture abstraction (AF_XDP/PCAP)

`flow.rs` - Connection tracking

`store.rs` - Storage layer with indexing

`mmapbuf.rs` - Memory-mapped buffers

`timeindex.rs` - Time-based indexing

`chunkindex.rs` - Connection-based indexing

`configure.rs` - Configuration parsing

7. eBPF Integration

The eBPF integration requires special attention:

Custom build script (`build.rs`) compiles eBPF programs during build

Uses unstable Rust features for cross-compilation

eBPF binaries are embedded in the executable

Compilation uses `cargo -Z build-std` for eBPF target

XDP program redirects packets to AF_XDP sockets via `XskMap`

8. Platform Compatibility

**Requirements**:

AF_XDP: Linux kernel 4.18+ only

PCAP fallback: Works on Linux and macOS

Root privileges: Typically required for packet capture

Promiscuous mode: Automatically managed (enabled on start, disabled on exit)

9. Error Handling Patterns

Follow the existing error handling conventions:

Use `StoreError` for storage operations

Use `anyhow` for error propagation in main application

Implement graceful Ctrl-C handling with proper cleanup

Provide informative error messages without exposing internal details

10. Testing Strategy

When adding new features:

1. Write unit tests for individual functions

2. Add integration tests for component interactions

3. Test both AF_XDP and PCAP code paths when applicable

4. Verify cleanup and error handling paths

5. Test with various configuration options

Important Notes

**Prototype status**: This project is in prototype stage; not for critical production use

**Root privileges**: Most operations require root/sudo for packet capture

**Memory management**: Uses custom memory pools and mmap for efficiency

**Thread safety**: Be aware of multi-threaded access patterns when modifying shared state

**Incremental changes**: Always list modifications first, get approval, then implement one at a time

Example Usage Scenarios

**Scenario 1**: Adding a new CLI search filter

1. List modifications: CLI argument parsing, query logic, index lookup

2. Get approval for plan

3. Implement argument parsing in `cli/main.rs`

4. Update query function in `store.rs`

5. Add tests for new filter

6. Test with real packet capture

**Scenario 2**: Optimizing storage performance

1. Profile current performance to identify bottleneck

2. List affected modules (likely `store.rs`, `mmapbuf.rs`, `chunkindex.rs`)

3. Get approval for optimization approach

4. Implement changes incrementally

5. Benchmark before/after performance

6. Verify correctness with existing tests

**Scenario 3**: Adding new eBPF filtering capability

1. List changes: eBPF program (`ebpf/src/main.rs`), capture layer (`capture.rs`)

2. Get approval

3. Modify eBPF program with new filter logic

4. Update Rust integration code

5. Test build process (eBPF compilation)

6. Verify packet filtering behavior

nsave Network Packet Capture Tool

nsave Network Packet Capture Tool

What This Skill Does

Instructions

1. Understanding the Architecture

2. Build and Development Commands

All tests

Specific module

With output

eBPF tests

Format check

Linting

3. Running the Application

4. Configuration Management

5. Making Code Changes

6. Key Module Locations

7. eBPF Integration

8. Platform Compatibility

9. Error Handling Patterns

10. Testing Strategy

Important Notes

Example Usage Scenarios

Reviews (0)