edrint is a tool to extract different types of metadata from network packets.
The tool (written in Golang) is designed to be general and
extensible to support various network data processing requirements such as
timeseries counters (i/o graph in wireshark), passive TCP measurements, byte pattern extraction etc.
The source of data is network packets which can be in a pcap or captured live from network interface.
There are 3 core components in this event driven architecture:
- A simple event bus (using topics and event handlers)
- Processor (can subscribe and publish different events)
- Telemetry Functions (Functions that operate within a
flow contextby receiving packets of a particular bidirectional flow)
A few Processors that come with the tool by default are:
- PacketParser (produces events of type
packet) - Flow (consumes
packets and createsflowstate (identified by 5-tuple)) - Classifier (associates a
classto aflow) - TelemetryManager (attaches
Telemetry Functionstoflows based on it'sclass) - Dumper (creates JSON dumps of any event)