AetherLens is a high-performance, real-time network traffic analysis platform designed to visualize network flows and detect security anomalies.
The system operates as a distributed microservices architecture, leveraging the strengths of three different ecosystems:
- Rust (Core Engine): Low-level packet capture, parsing, and analysis.
- .NET 8 (Backend Service): High-throughput data aggregation, state management, and WebSocket broadcasting.
- Next.js 14 (Frontend): Reactive, high-frequency data visualization.
graph TD
subgraph "Core Layer (Rust)"
Sniffer[Packet Sniffer (pnet)]
Engine[Analysis Engine]
gRPC_Server[gRPC Server (Tonic)]
Sniffer -->|Raw Packets| Engine
Engine -->|Anomalies & Stats| gRPC_Server
end
subgraph "Service Layer (.NET 8)"
gRPC_Client[gRPC Client]
Processor[Event Processor]
SignalR[SignalR Hub]
gRPC_Server -->|Stream (aether.proto)| gRPC_Client
gRPC_Client --> Processor
Processor -->|Real-time Events| SignalR
end
subgraph "Presentation Layer (Next.js)"
Dashboard[Live Dashboard]
Charts[Traffic Visualization]
SignalR -->|WebSockets (MessagePack)| Dashboard
Dashboard --> Charts
end
The core engine (aether_core) is responsible for interfacing with the network adapter using libpnet (Windows Npcap).
- Packet Sniffer: Captures raw Ethernet frames in a zero-copy manner where possible.
- Protocol Analyzer: Dissects headers (Ethernet, IPv4/6, TCP/UDP) to extract metadata like source/dest IP, ports, and protocol type.
- Anomaly Detection:
- Port Scans: Tracks connection attempts to multiple ports on a single host within a short window.
- Suspicious Outbound: Flags connections to known bad ports or unusual protocols.
- gRPC Server: Streams structured
PacketMessageandSuspiciousConnectionMessageevents to the backend.
Technology Stack: Tokio, Tonic, Prost, Pnet, DashMap.
The backend (AetherLens.Api) acts as the central nervous system. It aggregates high-frequency streams from the Rust core and broadcasts summarized updates to connected clients.
- gRPC Client: Consumes the stream from the Rust core.
- Metrics Snapshotting: Uses
Interlockedoperations to maintain thread-safe counters for packet rates and latency without locking. - SignalR Hub: Broadcasts updates to web clients.
- Uses MessagePack protocol for binary serialization, significantly reducing payload size compared to JSON.
- Persistence (Optional): Can log critical events to a local SQLite database (
AetherDb).
Technology Stack: ASP.NET Core 8, SignalR, Grpc.Net.Client, Dapper, SQLite.
The dashboard (web-dashboard) provides a "War Room" style interface for monitoring network activity.
- Zustand Store: Manages application state (connected status, packet lists, anomalies) efficiently.
- SignalR Client: Connects to the backend hub and handles incoming binary streams.
- Recharts & Framer Motion: Renders smooth, animated charts and lists that update at 60fps.
- Tailwind CSS: Provides a responsive, dark-mode-first UI.
Technology Stack: Next.js 14, React 19, TypeScript, Tailwind CSS, Recharts.
- Capture: Rust core captures a packet.
- Analysis: Metadata is extracted and checked against rules.
- Stream: Metadata is sent via gRPC stream to .NET backend.
- Aggregation: Backend aggregates metrics (e.g., packets/sec) over 1-second windows.
- Broadcast: Backend pushes updates to frontend via SignalR (WebSockets).
- Render: Frontend updates the UI components.
See CONTRIBUTING.md for build instructions.