rustfika/td
td

A modern tcpdump in Rust. JSON output. TLS decryption. eBPF backend.

🚧 Phase 2 deliverable — slated for ~M5-M7. See ROADMAP.md and DESIGN.md.

✨ Why (draft)

  • JSON-first — every event is structured; pipe into jq or Vector.
  • TLS decryption built in — SSLKEYLOGFILE → decrypted HTTP/2 in your terminal.
  • Pcapng with embedded keylog: td -w session.pcapng --tls produces a pcapng your colleague can open in Wireshark and see decrypted traffic.
  • eBPF backend: CAP_BPF instead of root, no dropped packets at 10 Gbps.
  • Same BPF syntax as tcpdump — your tcpdump -i eth0 'tcp port 443' mental model carries over verbatim.
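td itself is not released yet, but the "pcapng with embedded keylog" feature above rests on a documented piece of the pcapng format: a Decryption Secrets Block (DSB, block type 0x0000000A) carrying the SSLKEYLOGFILE text, placed before the packets it decrypts. The following Python is an added, stand-alone illustration of that layout (not td's code, which is Rust); the key log line and the 60-byte frame are constructed dummies.

```python
# Added example (not td's own code): write a pcapng whose Decryption Secrets
# Block (DSB) carries an SSLKEYLOGFILE-format TLS key log ahead of the packets it unlocks.
import struct

BT_SHB, BT_IDB, BT_EPB, BT_DSB = 0x0A0D0D0A, 0x00000001, 0x00000006, 0x0000000A
SECRETS_TLS_KEYLOG = 0x544C534B  # "TLSK": secrets type for the NSS key log text format
# Constructed dummy key log line (real ones come from a client's SSLKEYLOGFILE).
SAMPLE_KEYLOG = b"CLIENT_RANDOM " + b"11" * 32 + b" " + b"22" * 48 + b"\n"

def block(block_type: int, body: bytes) -> bytes:
    """Frame body as a pcapng block: type, total length, body padded to 4 bytes, total length."""
    pad = (-len(body)) % 4
    total = 12 + len(body) + pad
    return struct.pack("<II", block_type, total) + body + b"\0" * pad + struct.pack("<I", total)

def section_header() -> bytes:
    # byte-order magic, version 1.0, section length -1 = unknown
    return block(BT_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))

def interface_description(linktype: int = 1, snaplen: int = 0) -> bytes:
    # linktype 1 = Ethernet, reserved field, snaplen 0 = no limit
    return block(BT_IDB, struct.pack("<HHI", linktype, 0, snaplen))

def decryption_secrets(keylog: bytes) -> bytes:
    # secrets type, secrets length, then the raw key log text
    return block(BT_DSB, struct.pack("<II", SECRETS_TLS_KEYLOG, len(keylog)) + keylog)

def enhanced_packet(ts_us: int, frame: bytes, iface: int = 0) -> bytes:
    # timestamp is split into high and low 32-bit halves; captured len == original len here
    hi, lo = ts_us >> 32, ts_us & 0xFFFFFFFF
    return block(BT_EPB, struct.pack("<IIIII", iface, hi, lo, len(frame), len(frame)) + frame)

def pcapng_with_keylog(keylog: bytes, packets: list[tuple[int, bytes]]) -> bytes:
    """Wireshark only applies a DSB to packets that follow it, so it goes right after the IDB."""
    out = section_header() + interface_description() + decryption_secrets(keylog)
    for ts_us, frame in packets:
        out += enhanced_packet(ts_us, frame)
    return out

def iter_blocks(data: bytes):
    """Walk the file block by block, checking that the leading and trailing lengths agree."""
    off = 0
    while off < len(data):
        block_type, total = struct.unpack_from("<II", data, off)
        if struct.unpack_from("<I", data, off + total - 4)[0] != total:
            raise ValueError(f"corrupt block at offset {off}")
        yield block_type, data[off + 8 : off + total - 4]
        off += total
```

Opening the resulting bytes in Wireshark shows the key log under the DSB and, given matching TLS traffic, decrypted application data without any external key file.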

📦 Install

# (Coming with 0.1.0 release)
cargo install td

⚡ Quickstart (planned)

td -i eth0 'tcp port 443'                # classic tcpdump syntax
td -i eth0 -o ndjson | jq .              # JSON pipeline
td -w trace.pcapng --tls -i eth0         # save pcapng with TLS keys embedded
td -r capture.pcap --tls -o json         # offline analysis
td --tui                                  # interactive flow browser

🆚 vs tcpdump

                     | tcpdump               | td
Language             | C                     | Rust
Memory safety        | ⚠️ (long CVE history) | ✅
JSON output          | ❌                    | ✅
TLS decryption       | ❌                    | ✅
Pcapng with DSB      | ❌                    | ✅
TUI                  | ❌                    | ✅
Single static binary | ❌ (libpcap dep)      | ✅ (musl)
Same BPF syntax      | ✅                    | ✅ (via libpcap_compile)

🔗 Related tools

  • ngr — grep payloads inside captured traffic.
  • iop — eBPF iotop alternative.

License

MIT OR Apache-2.0.

Acknowledgements

  • Van Jacobson, Craig Leres, Steven McCanne — original tcpdump authors.
  • Wireshark.
