Skip to content
🔮 Visibility Across Space and Time
Branch: master
Clone or download
mavam Merge pull request #475
Add import --num option and enable type query integration test
Latest commit bcbbbcf Mar 22, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
aux Remove date library from source tree Mar 1, 2019
doc Update documentation for -n options Mar 22, 2019
libvast Merge pull request #475 Mar 22, 2019
libvast_test Set artifact path at test executable build time Mar 18, 2019
vast Add support for static builds and IPO Mar 5, 2019
.gitignore Prettify changelog and add more content Mar 22, 2019
COPYING Tweak license wording. Jul 14, 2014
Dockerfile Fix command chaining in Dockerfile Mar 6, 2019
Jenkinsfile Use docker network in docker example Mar 6, 2019 Perform some wordsmithing and reformatting Nov 6, 2018
VERSION Add CMake build harness and repo meta data. Mar 21, 2012
configure Save the images from Mar 6, 2019
vast.conf Add caf_stream to default logging black list Feb 27, 2019


Build Status Coverage Chat License

Visibility Across Space and Time (VAST) is a platform for network forensics at scale.


Start a VAST node:

vast start

Ingest a bunch of Zeek logs:

zcat *.log.gz | vast import zeek

Run a query over the last hour, rendered as JSON:

vast export json '&time > now - 1 hour && :addr =='

Ingest a PCAP trace with a 1024-byte flow cut-off:

vast import pcap -c 1024 < trace.pcap

Run a query over PCAP data, sort the packets, and feed them into tcpdump:

vast export pcap "sport > 60000/tcp && src !in" \
  | ipsumdump --collate -w - \
  | tcpdump -r - -nl




Required dependencies:

  • A C++17 compiler:
    • GCC >= 8
    • Clang >= 5
    • Apple Clang >= 9.1
  • CMake
  • CAF (master branch)

Optional dependencies:

Source Build

Building VAST involves the following steps:

make test
make install

The configure script is a small wrapper that passes build-related variables to CMake. For example, to use ninja as build generator, add --generator=Ninja to the command line. Passing --help shows all available options.

The doc target builds the API documentation locally:

make doc


The source ships with the convenience script, which will create the Docker images and save them as tar.gz archives (when invoked without arguments).

To run the container, you need to provide a volume to the mountpoint /data:

The default command will print the help message

docker run -v /tmp/vast:/data vast-io/vast

Create a Docker network since we'll be running multiple containers which connect to each other:

docker network create -d bridge --subnet vast_nw

Use detach and publish the default port to start a VAST node

docker run --network=vast_nw --name=vast_node --ip="" -d -v /tmp/vast:/data vast-io/vast start

Import a Zeek conn log to the detached server instance

docker run --network=vast_nw -i -v /tmp/vast:/data vast-io/vast -e '' import zeek < zeek_conn.log

Other subcommands like export and status can be used just like the import command shown above.

Scientific Use

When referring to VAST in a scientific context, please use the following citation:

  author    = {Matthias Vallentin and Vern Paxson and Robin Sommer},
  title     = {{VAST: A Unified Platform for Interactive Network Forensics}},
  booktitle = {Proceedings of the USENIX Symposium on Networked Systems
               Design and Implementation (NSDI)},
  month     = {March},
  year      = {2016}

You can download the paper from the NSDI '16 proceedings.


VAST comes with a 3-clause BSD licence.

You can’t perform that action at this time.