ammaromari/orion-telescope-capture
orion-capture (Rust)

PF_RING ZC packet capture for the ORION Network Telescope. Drop-in replacement for legacy pcapture.

What it does

  • Captures packets via PF_RING (ZC kernel bypass or standard mode)
  • Applies ORION darknet filter in userspace
  • Writes hourly gzip-compressed PCAPs: YYYY/MM/DD/YYYY-MM-DD.HH.pcap.gz
  • Files are written as .partial and renamed on close, so a leftover .partial file indicates an unclean shutdown (simple crash detection)
  • Logs stats to syslog every 60 seconds
  • Runs as a systemd template service
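The hourly rotation, the path layout and the ".partial, then rename on close" crash marker from the list above, as an added example that is not the project's writer.rs. The names HourSlot, RotatingWriter and find_partials are this example's own. It writes plain pcap bytes under the .pcap.gz names so it runs without a gzip crate; a real writer would wrap the file in a gzip encoder before the pcap header goes in.

```rust
// Added example (not the project's writer.rs): hourly rotation in the README's
// path layout plus the ".partial, then rename on close" crash marker. Plain pcap
// bytes go under the .pcap.gz names so this runs without a gzip crate.
use std::fs::{self, File};
use std::io::{self, Write};
use std::path::{Path, PathBuf};

/// UTC calendar hour for a Unix timestamp, computed without external crates.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct HourSlot { pub year: i64, pub month: u32, pub day: u32, pub hour: u32 }

impl HourSlot {
    pub fn from_unix(ts: i64) -> Self {
        let (days, secs) = (ts.div_euclid(86_400), ts.rem_euclid(86_400));
        // Days since 1970-01-01 to civil date (Howard Hinnant's algorithm).
        let z = days + 719_468;
        let era = z.div_euclid(146_097);
        let doe = z - era * 146_097;
        let yoe = (doe - doe / 1460 + doe / 36_524 - doe / 146_096) / 365;
        let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
        let mp = (5 * doy + 2) / 153;
        let day = (doy - (153 * mp + 2) / 5 + 1) as u32;
        let month = (if mp < 10 { mp + 3 } else { mp - 9 }) as u32;
        let year = yoe + era * 400 + if month <= 2 { 1 } else { 0 };
        HourSlot { year, month, day, hour: (secs / 3600) as u32 }
    }

    /// README layout: YYYY/MM/DD/YYYY-MM-DD.HH.pcap.gz
    pub fn relative_path(&self) -> PathBuf {
        PathBuf::from(format!("{:04}/{:02}/{:02}/{:04}-{:02}-{:02}.{:02}.pcap.gz",
            self.year, self.month, self.day, self.year, self.month, self.day, self.hour))
    }
}

/// pcap global header: LE magic, version 2.4, snaplen 65535, linktype 1 (Ethernet).
const PCAP_GLOBAL_HEADER: [u8; 24] = [
    0xd4, 0xc3, 0xb2, 0xa1, 0x02, 0x00, 0x04, 0x00, 0, 0, 0, 0, 0, 0, 0, 0,
    0xff, 0xff, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
];

pub struct RotatingWriter {
    datadir: PathBuf,
    current: Option<(HourSlot, PathBuf, File)>, // slot, .partial path, open file
}

impl RotatingWriter {
    pub fn new(datadir: &Path) -> Self {
        RotatingWriter { datadir: datadir.to_path_buf(), current: None }
    }
    pub fn final_path(&self, slot: HourSlot) -> PathBuf { self.datadir.join(slot.relative_path()) }
    pub fn partial_path(&self, slot: HourSlot) -> PathBuf { self.final_path(slot).with_extension("gz.partial") }

    /// Append one record; when the hour changes, finalize the old file and open a new .partial.
    pub fn write_packet(&mut self, ts: i64, data: &[u8]) -> io::Result<()> {
        let slot = HourSlot::from_unix(ts);
        if self.current.as_ref().map_or(true, |(s, _, _)| *s != slot) {
            self.close()?;
            let path = self.partial_path(slot);
            fs::create_dir_all(path.parent().unwrap())?;
            let mut f = File::create(&path)?;
            f.write_all(&PCAP_GLOBAL_HEADER)?;
            self.current = Some((slot, path, f));
        }
        let (_, _, f) = self.current.as_mut().unwrap();
        // pcap record header: ts_sec, ts_usec, incl_len, orig_len (all LE u32)
        for v in [ts as u32, 0, data.len() as u32, data.len() as u32] {
            f.write_all(&v.to_le_bytes())?;
        }
        f.write_all(data)
    }

    /// Sync, then rename .partial to its final name. A .partial file left on disk
    /// after shutdown therefore means the process died mid-hour.
    pub fn close(&mut self) -> io::Result<()> {
        if let Some((slot, partial, f)) = self.current.take() {
            f.sync_all()?;
            drop(f);
            fs::rename(&partial, self.final_path(slot))?;
        }
        Ok(())
    }
}

/// Startup crash check: every .partial file still present under datadir.
pub fn find_partials(dir: &Path) -> io::Result<Vec<PathBuf>> {
    let mut out = Vec::new();
    if !dir.is_dir() { return Ok(out); }
    for entry in fs::read_dir(dir)? {
        let p = entry?.path();
        if p.is_dir() {
            out.extend(find_partials(&p)?);
        } else if p.extension().map_or(false, |e| e == "partial") {
            out.push(p);
        }
    }
    Ok(out)
}
```

The rename is what makes the crash marker trustworthy: the final name only ever appears after sync_all has returned, so anything under the final name is complete, and running find_partials at service start gives the operator the list of hours that need a second look.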

Single binary, two modes

orion-capture --interface eth0 --datadir /data/darknet/current/ --mode zc     # production
orion-capture --interface eth0 --datadir /tmp/test/ --mode dev                # testing

  • zc = PF_RING Zero Copy, kernel bypass. Requires ZC license + compatible NIC.
  • dev = PF_RING standard mode. Works on any NIC with pf_ring module loaded.

Same binary, same output format. Mode selects the capture backend.

Build

Dev testing (standard PF_RING, no ZC):

cargo build --release

Production (with ZC support):

cargo build --release --features zc

Requirements:

  • PF_RING installed from packages.ntop.org
  • Rust toolchain (rustup.rs)
  • For ZC mode: ZC license in /etc/pf_ring/, hugepages, compatible NIC

Install

sudo install -m 755 target/release/orion-capture /usr/local/sbin/
sudo mkdir -p /etc/orion-capture
sudo cp v4-darknet.conf /etc/orion-capture/
sudo cp orion-capture@.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now orion-capture@v4-darknet

Testing on dev02

cargo build --release
sudo mkdir -p /tmp/capture-test
sudo ./target/release/orion-capture -i ens3 -d /tmp/capture-test/ -m dev -f none
# In another terminal:
ls /tmp/capture-test/YYYY/MM/DD/
tcpdump -r <file>.pcap.gz -c 5

Filter

Default darknet filter matches:

  • Destinations: 35.0.0.0/8, 205.213.36.0/23
  • Excludes sources: 103.44.167.0/24, 119.133.95.0/24, 45.238.230.0/24

Use --filter none to capture all traffic (dev testing).
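The darknet filter described above, as an added example that is not the project's filter.rs. The prefix lists are the README defaults; the names Cidr, DarknetFilter, parse_ipv4_addrs and make_frame are this example's own, and the frames it feeds itself are constructed (Ethernet II header plus a bare IPv4 header). It goes one step beyond the README's wording by also showing how the filter should treat frames it cannot parse.

```rust
// Added example (not the project's filter.rs): a userspace darknet filter applied
// to raw Ethernet frames. Prefix lists are the README defaults; names are this example's own.
use std::net::Ipv4Addr;

/// IPv4 CIDR prefix stored as network address plus mask.
pub struct Cidr { net: u32, mask: u32 }

impl Cidr {
    pub const fn new(a: u8, b: u8, c: u8, d: u8, len: u32) -> Self {
        // Guard /0: shifting a u32 by 32 would overflow.
        let mask = if len == 0 { 0 } else { u32::MAX << (32 - len) };
        Cidr { net: u32::from_be_bytes([a, b, c, d]) & mask, mask }
    }
    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        (u32::from(ip) & self.mask) == self.net
    }
}

/// Capture when the destination is in a darknet prefix and the source is not on
/// the exclusion list (sources that must never appear in the telescope data).
pub struct DarknetFilter { destinations: Vec<Cidr>, excluded_sources: Vec<Cidr> }

impl DarknetFilter {
    /// The defaults listed in the README's "Filter" section.
    pub fn orion_default() -> Self {
        DarknetFilter {
            destinations: vec![Cidr::new(35, 0, 0, 0, 8), Cidr::new(205, 213, 36, 0, 23)],
            excluded_sources: vec![
                Cidr::new(103, 44, 167, 0, 24),
                Cidr::new(119, 133, 95, 0, 24),
                Cidr::new(45, 238, 230, 0, 24),
            ],
        }
    }

    /// Decision for an already-parsed source/destination pair.
    pub fn accept_pair(&self, src: Ipv4Addr, dst: Ipv4Addr) -> bool {
        self.destinations.iter().any(|p| p.contains(dst))
            && !self.excluded_sources.iter().any(|p| p.contains(src))
    }

    /// Decision for a raw frame. Non-IPv4 and truncated frames are dropped rather
    /// than guessed at, so a malformed packet cannot slip into the capture.
    pub fn accept_frame(&self, frame: &[u8]) -> bool {
        match parse_ipv4_addrs(frame) {
            Some((src, dst)) => self.accept_pair(src, dst),
            None => false,
        }
    }
}

/// Minimal Ethernet II + IPv4 header parse that tolerates one 802.1Q VLAN tag.
/// Every read goes through `get`, so a short frame yields None instead of a panic.
pub fn parse_ipv4_addrs(frame: &[u8]) -> Option<(Ipv4Addr, Ipv4Addr)> {
    let mut off = 12; // EtherType follows the two 6-byte MAC addresses
    let mut ethertype = u16::from_be_bytes([*frame.get(off)?, *frame.get(off + 1)?]);
    if ethertype == 0x8100 {
        off += 4; // skip TPID + TCI
        ethertype = u16::from_be_bytes([*frame.get(off)?, *frame.get(off + 1)?]);
    }
    if ethertype != 0x0800 {
        return None;
    }
    let ip = frame.get(off + 2..)?;
    if ip.len() < 20 || ip[0] >> 4 != 4 {
        return None;
    }
    Some((
        Ipv4Addr::new(ip[12], ip[13], ip[14], ip[15]),
        Ipv4Addr::new(ip[16], ip[17], ip[18], ip[19]),
    ))
}

/// Constructed test frame: Ethernet II header plus a bare 20-byte IPv4 header.
pub fn make_frame(src: Ipv4Addr, dst: Ipv4Addr) -> Vec<u8> {
    let mut f = vec![0u8; 14];
    f[12] = 0x08; // EtherType 0x0800 = IPv4
    let mut ip = [0u8; 20];
    ip[0] = 0x45; // version 4, IHL 5
    ip[3] = 20; // total length
    ip[12..16].copy_from_slice(&src.octets());
    ip[16..20].copy_from_slice(&dst.octets());
    f.extend_from_slice(&ip);
    f
}

fn main() {
    let filter = DarknetFilter::orion_default();
    for (src, dst) in [
        (Ipv4Addr::new(198, 51, 100, 7), Ipv4Addr::new(35, 12, 0, 1)),
        (Ipv4Addr::new(103, 44, 167, 9), Ipv4Addr::new(35, 12, 0, 1)),
    ] {
        let verdict = if filter.accept_frame(&make_frame(src, dst)) { "capture" } else { "drop" };
        println!("{} -> {}: {}", src, dst, verdict);
    }
}
```

Two details matter for a telescope: the /23 boundary (205.213.37.x is inside the prefix, 205.213.38.x is not), and the fail-closed handling of anything that is not a well-formed IPv4 frame, since the filter runs in userspace on whatever the NIC delivers.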

Project structure

src/
  main.rs        - CLI, signal handling, capture loops (ZC + standard)
  filter.rs      - Darknet packet filter with unit tests
  writer.rs      - PCAP gzip writer with hourly rotation
  pfring_ffi.rs  - Raw C FFI bindings for PF_RING

About

PF_RING ZC packet capture replacement for the ORION Network Telescope. Rust-based, kernel-bypass capture with hourly PCAP rotation.