
feature capture

EDAMAME Dev edited this page Feb 4, 2026 · 12 revisions

Traffic


Feature: capture

πŸ” Traffic

Overview

The Traffic tab (desktop-only, requires EDAMAME Helper) provides real-time network monitoring in four sub-views. Sunburst displays an animated circular visualization of connections organized by country, organization and domain. Sessions shows a sortable table with destination, protocol, throughput and duration for each connection. Processes groups traffic by application (Safari, Mail, Terminal, etc.) with session counts and bandwidth. Anomaly history lists the sessions that the Extended Isolation Forest ML algorithm flagged as Suspicious or Abnormal (e.g., tor connections to darkweb, netcat to fake-paypal, python to trojan-dropper). Filter toggles narrow the view to TCP or UDP and to Normal, Suspicious or Abnormal traffic. Click any session to see its full details, including ASN, country, process path and PID. The Start button initiates packet capture.

βš™οΈ Sub-Features

1. 🔧 Sunburst – Live Traffic Visualization

Description: The Sunburst tab displays an animated circular diagram of your network traffic in real time. The visualization uses concentric rings: the inner rings represent country codes (FR, US, DE), the middle rings show organizations (Microsoft Corporation, Netflix Inc., Facebook Inc., LinkedIn Corp., Apple Inc., Amazon.com Inc.), and the outer rings display domains (youtube.com, microsoft.com, facebook.com, apple.com, medium.com, zoom.us) and protocols (ssh, ftp, smtp, imap). Colors shade from the center outward in warm tones. Toggle switches at the top filter by 'Activated', 'Added', 'Inbound', 'UDP' and 'TCP'; status buttons filter by 'Normal' (green), 'Suspicious' (yellow) and 'Abnormal' (red). Traffic stats show Inbound/Outbound/Total MB and the session count. A 'Sessions/Process' toggle switches how the rings are organized, and the 'Depth' control (adjustable with +/-) changes the number of rings. The 'Start' button initiates packet capture. This desktop-only feature requires the EDAMAME Helper daemon.


Screenshot: Sunburst – Live Traffic Visualization (multi-pane layout with list view and detail view)


πŸ“ UI Elements & Data

  • Start/Stop Capture

    • Toggle packet capture on or off. Requires the EDAMAME Helper daemon for elevated privileges (automatic on macOS/Linux, optional on Windows). On Windows, Npcap must also be installed for traffic capture.
  • ML Anomaly Detection – Extended Isolation Forest

    • Machine-learning anomaly detection using the Extended Isolation Forest algorithm. It analyzes 12 dimensions: process hash, duration, bytes, packets, inter-arrival timing, traffic ratio, packet size, regularity, rate, missed bytes, segments and destination port. Sessions at the 99.5th percentile are flagged Suspicious and those at the 99.75th percentile Abnormal (anomalous).
  • Whitelist Profiles – Expected Traffic

    • Configure whitelist profiles that define the expected network traffic. Sessions that match no whitelist rule are flagged as exceptions. Use the built-in profiles or create custom whitelists for CI/CD security gates. Whitelist conformance can be checked programmatically via the EDAMAME Posture CLI.
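The following is an added example, not EDAMAME's code, showing how an Extended Isolation Forest of the kind described in the ML Anomaly Detection bullet scores per-session features and how percentile cut-offs turn those scores into Suspicious/Abnormal verdicts. It uses only the Python standard library. The eight-feature subset, the reading of the percentiles as thresholds over the scored population, the constructed capture (250 ordinary sessions plus two injected outliers) and every parameter value are assumptions made for the example, not EDAMAME's model.

```python
"""Extended Isolation Forest over per-session traffic features (added example,
not EDAMAME's code; feature subset, thresholds and sample values are assumptions)."""
import math
import random

# Eight of the twelve dimensions the page lists (assumed subset and order).
FEATURES = ("duration_s", "bytes", "packets", "interarrival_s",
            "out_in_ratio", "pkt_size", "rate_bps", "dst_port")

def make_sessions(n=250, seed=1):
    """Constructed data: n ordinary web/DNS sessions plus two injected outliers."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        dur, pkts, size = rng.uniform(0.5, 30), rng.uniform(5, 300), rng.uniform(200, 1400)
        rows.append({"process": rng.choice(["Safari", "Mail", "Terminal"]), "duration_s": dur,
                     "bytes": pkts * size, "packets": pkts, "interarrival_s": dur / pkts,
                     "out_in_ratio": rng.uniform(0.2, 5.0), "pkt_size": size,
                     "rate_bps": pkts * size / dur, "dst_port": rng.choice([443, 80, 53])})
    # Outlier 1: hour-long, high-volume, mostly outbound transfer to an unusual port.
    rows.append({"process": "outlier-bulk-transfer", "duration_s": 3600.0, "bytes": 5.8e7,
                 "packets": 40000.0, "interarrival_s": 0.09, "out_in_ratio": 40.0,
                 "pkt_size": 1450.0, "rate_bps": 16111.0, "dst_port": 8443})
    # Outlier 2: two-hour trickle of tiny packets at a fixed 5 s interval.
    rows.append({"process": "outlier-beacon", "duration_s": 7200.0, "bytes": 92160.0,
                 "packets": 1440.0, "interarrival_s": 5.0, "out_in_ratio": 1.0,
                 "pkt_size": 64.0, "rate_bps": 12.8, "dst_port": 4444})
    return rows

def _c(n):
    """Mean unsuccessful-search path length in a BST of n points (depth normaliser)."""
    if n <= 2:
        return float(max(n - 1, 0))
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def _build(points, depth, limit, rng):
    """Grow one extended isolation tree; every split is a random hyperplane."""
    if depth >= limit or len(points) <= 1:
        return {"size": len(points)}
    dims = range(len(points[0]))
    normal = [rng.gauss(0.0, 1.0) for _ in dims]  # random slope of the hyperplane
    intercept = [rng.uniform(min(p[j] for p in points), max(p[j] for p in points)) for j in dims]
    left, right = [], []
    for p in points:
        side = sum((p[j] - intercept[j]) * normal[j] for j in dims)
        (left if side <= 0 else right).append(p)
    if not left or not right:  # plane missed every point (e.g. duplicates): stop as a leaf
        return {"size": len(points)}
    return {"normal": normal, "intercept": intercept, "left": _build(left, depth + 1, limit, rng),
            "right": _build(right, depth + 1, limit, rng)}

def _path_length(node, x):
    depth = 0
    while "size" not in node:  # descend to a leaf, then add that leaf's expected depth
        side = sum((x[j] - node["intercept"][j]) * node["normal"][j] for j in range(len(x)))
        node = node["left"] if side <= 0 else node["right"]
        depth += 1
    return depth + _c(node["size"])

class ExtendedIsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=7):
        self.n_trees, self.sample_size, self.rng = n_trees, sample_size, random.Random(seed)

    def fit(self, rows):
        # Min-max scale first so byte counts in the millions do not swamp ratios or ports.
        self.lo, self.hi = [min(c) for c in zip(*rows)], [max(c) for c in zip(*rows)]
        scaled = [self._scale(r) for r in rows]
        self.psi = min(self.sample_size, len(scaled))
        limit = math.ceil(math.log2(self.psi))
        self.trees = [_build(self.rng.sample(scaled, self.psi), 0, limit, self.rng)
                      for _ in range(self.n_trees)]
        return self

    def _scale(self, row):
        return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v, lo, hi in zip(row, self.lo, self.hi)]

    def score(self, row):
        """Anomaly score in (0, 1): points isolated in few splits score near 1."""
        mean_path = sum(_path_length(t, self._scale(row)) for t in self.trees) / self.n_trees
        return 2.0 ** (-mean_path / _c(self.psi))

def percentile(values, q):
    """Linear-interpolation percentile (0 <= q <= 100), matching numpy's default."""
    s, pos = sorted(values), (len(values) - 1) * q / 100.0
    lo, hi = math.floor(pos), math.ceil(pos)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)

def classify(scores, suspicious_pct=99.5, abnormal_pct=99.75):
    """Thresholds as on the page: 99.5th percentile -> Suspicious, 99.75th -> Abnormal."""
    t_sus, t_abn = percentile(scores, suspicious_pct), percentile(scores, abnormal_pct)
    return ["Abnormal" if s >= t_abn else "Suspicious" if s >= t_sus else "Normal" for s in scores]

def demo():
    """Fit on the constructed capture; return (process, port, score, verdict) per session."""
    sessions = make_sessions()
    rows = [[s[f] for f in FEATURES] for s in sessions]
    forest = ExtendedIsolationForest().fit(rows)
    scores = [forest.score(r) for r in rows]
    return [(s["process"], s["dst_port"], round(sc, 3), v)
            for s, sc, v in zip(sessions, scores, classify(scores))]
```

Calling demo() and keeping the rows whose verdict is not Normal leaves the two injected outliers, one Abnormal and one Suspicious. Two points worth noting: features are min-max scaled before the trees are grown, because raw byte counts would otherwise dominate every random hyperplane; and percentile cut-offs are relative to the scored population, so roughly the same fraction of sessions is flagged on every capture, which is why the Dismiss mechanism described under Sessions matters in practice.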

2. 🔧 Sessions – Connection Details Table

Description: The Sessions tab displays a sortable table of all network connections. Columns include: Destination (domain name like api.facebook.com, api.youtube.com, cdn.youtube.com), Protocol (TCP/UDP), Port/Service (smtp, ssh, ftp, imap with port numbers), Throughput in/out (data rates like 404.5B/s), Last capture (timestamp), and Duration (seconds). Click column headers to sort. Click any row to open a detail pane showing the full session context: a green checkmark with 'Normal'/'Suspicious'/'Abnormal' status, the process-to-destination flow (e.g., 'Mail -> api.facebook.com:587'), Port/Service details, Source and Destination IPs, ASN Owner (organization name), ASN Country, Domain, Top Level Domain, Process name and PID, executable Path, User, and CPU usage. The same filter toggles from the Sunburst view appear at the top. This provides deep packet inspection visibility for security investigations.


Screenshot: Sessions – Connection Details Table (multi-pane layout with list view and detail view)


πŸ“ UI Elements & Data

  • Session Details – Deep Inspection

    • Detailed card with the full session context: DNS lookup results, TLS certificate details, ASN organization and country, geolocation, and process attribution (PID, process name, path, command line). On Linux this is collected via eBPF, with netstat as a fallback.
  • Dismiss – Mark Session as Safe

    • Mark a flagged session as safe. Dismiss by specific session, by port or by process to create a persistent dismissal rule. Dismissed sessions stop contributing to alerts; undismiss at any time to restore monitoring.
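An added example, not EDAMAME's whitelist format or its Posture CLI, that ties together the Whitelist Profiles bullet from the Sunburst section and the Dismiss rules above: sessions that match no expected-traffic rule become exceptions (the condition a CI/CD gate would fail on), and dismissal rules by session, by port or by process remove sessions from the active alert list until they are undismissed. The rule schema, the sample profile and the sample sessions are assumptions constructed for the example.

```python
"""Whitelist conformance and dismissal rules over captured sessions (added example;
the rule schema is an assumption, not EDAMAME's whitelist format or Posture CLI)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class Session:
    id: int
    process: str
    domain: str
    dst_port: int
    protocol: str  # "TCP" or "UDP"
    status: str    # ML verdict: "Normal", "Suspicious" or "Abnormal"

@dataclass(frozen=True)
class WhitelistRule:
    """Expected traffic. Every field that is set must match; domain takes a glob pattern."""
    process: Optional[str] = None
    domain: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None

    def matches(self, s: Session) -> bool:
        return ((self.process is None or self.process == s.process)
                and (self.domain is None or fnmatchcase(s.domain, self.domain))
                and (self.dst_port is None or self.dst_port == s.dst_port)
                and (self.protocol is None or self.protocol == s.protocol))

def whitelist_exceptions(sessions, rules):
    """Sessions matching no rule: the conformance failures a CI/CD gate would report."""
    return [s for s in sessions if not any(r.matches(s) for r in rules)]

def conformance_gate(sessions, rules) -> int:
    """Exit status for a CI/CD step: 0 when every session is whitelisted, 1 otherwise."""
    return 0 if not whitelist_exceptions(sessions, rules) else 1

class Dismissals:
    """Persistent dismissal rules: by individual session, by destination port or by process."""
    def __init__(self):
        self.session_ids, self.ports, self.processes = set(), set(), set()

    def dismiss_session(self, session_id): self.session_ids.add(session_id)
    def dismiss_port(self, port): self.ports.add(port)
    def dismiss_process(self, process): self.processes.add(process)
    def undismiss_process(self, process): self.processes.discard(process)

    def is_dismissed(self, s: Session) -> bool:
        return s.id in self.session_ids or s.dst_port in self.ports or s.process in self.processes

def active_alerts(sessions, rules, dismissals):
    """ML-flagged sessions plus whitelist exceptions, minus anything dismissed."""
    exception_ids = {s.id for s in whitelist_exceptions(sessions, rules)}
    return [s for s in sessions
            if (s.status != "Normal" or s.id in exception_ids) and not dismissals.is_dismissed(s)]

# Constructed expected-traffic profile for a developer workstation (assumption).
RULES = [
    WhitelistRule(process="Safari", dst_port=443, protocol="TCP"),
    WhitelistRule(process="Mail", domain="*.mail.example.net", dst_port=587, protocol="TCP"),
    WhitelistRule(dst_port=53, protocol="UDP"),  # DNS from any process
]

# Constructed capture: the ssh session and the 8443 session match no rule.
SESSIONS = [
    Session(1, "Safari", "cdn.example.com", 443, "TCP", "Normal"),
    Session(2, "Mail", "smtp.mail.example.net", 587, "TCP", "Normal"),
    Session(3, "mDNSResponder", "dns.example.net", 53, "UDP", "Normal"),
    Session(4, "Terminal", "build.ci.example.org", 22, "TCP", "Normal"),
    Session(5, "python3", "unknown-host.example", 8443, "TCP", "Suspicious"),
]

def demo():
    """Return (exception ids, alert ids after dismissing Terminal by process, after undismiss)."""
    exceptions = [s.id for s in whitelist_exceptions(SESSIONS, RULES)]
    d = Dismissals()
    d.dismiss_process("Terminal")  # ssh to the CI host is expected on this workstation
    after_dismiss = [s.id for s in active_alerts(SESSIONS, RULES, d)]
    d.undismiss_process("Terminal")
    after_undismiss = [s.id for s in active_alerts(SESSIONS, RULES, d)]
    return exceptions, after_dismiss, after_undismiss
```

demo() returns ([4, 5], [5], [4, 5]): both unmatched sessions are exceptions, dismissing Terminal by process suppresses the ssh alert while the Suspicious session stays active, and undismissing restores it. conformance_gate(SESSIONS, RULES) returns 1 for the same capture, which is the shape of check a CI/CD security gate runs against a whitelist profile.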

3. 🔧 Processes – Per-Application Traffic

Description: The Processes tab displays network activity organized by application. A sortable table shows: Process (expandable with > arrow, showing app names like Safari, Mail, Notes, Terminal, Messages, Finder), User (the account running the process), # sessions (connection count), Throughput In (data rate received, e.g., 4.2KB/s, 770.9B/s), and Throughput Out (data rate sent, e.g., 1.8KB/s, 284.3B/s). Click the > arrow next to any process to expand and see its individual network sessions. This hierarchical view makes it easy to identify which applications are consuming bandwidth, detect unexpected network activity from apps that shouldn't be connecting to the internet, and monitor process-level traffic patterns for security analysis.


Screenshot: Processes – Per-Application Traffic



4. 🔧 Anomaly history – Flagged Sessions

Description: The Anomaly history tab displays a timeline of sessions flagged by the ML anomaly detection engine. At the top, filter buttons show 'Abnormal' (red, most severe) and 'Suspicious' (yellow, moderate), plus a search field for 'process, ASN, domain...'. A Status filter toggles between 'Active' and 'Dismissed' sessions. Each entry shows: a warning icon (triangle for Abnormal, shield for Suspicious), the process-to-destination flow in bold (e.g., 'tor -> evil-c2.darkweb.onion:443', 'iodine -> google-public-dns-a.google.com:53', 'netcat -> fake-paypal.net:8443', 'python3 -> trojan-dropper.evil.org:22'), protocol and port (TCP:443, UDP:53), status badges ('Abnormal' in red or 'Suspicious' in yellow), optional tags (like 'tor_exit_node'), and timestamp. This view surfaces potentially malicious activity detected by the Extended Isolation Forest algorithm for immediate investigation.


Screenshot: Anomaly history – Flagged Sessions (multi-pane layout with list view and detail view)


This page was automatically generated from feature definitions.
