🔮 Visibility Across Space and Time
C++ C CMake Python Shell Gnuplot



Build Status Gitter

Visibility Across Space and Time (VAST) is a unified platform for network forensics and incident response.


Import a PCAP trace into a local VAST node in one shot:

vast -n import pcap < trace.pcap

Query a local node and get the result back as PCAP trace:

vast -n export pcap -h "sport > 60000/tcp && src !in" \
  | ipsumdump --collate -w - \
  | tcpdump -r - -nl

Start a node with debug log verbosity in the foreground:

vast -e -l 5 start -f

Send Bro logs to the remote node:

zcat *.log.gz | vast -e import bro



Source Build

Building VAST involves the following steps:

make test
make install

Required dependencies:

  • A C++14 compiler:
    • Clang >= 3.4
    • GCC >= 5
  • CMake
  • CAF (develop branch)



FreeBSD ships with a C++14 compiler. One can install as the dependencies as follows:

pkg install cmake google-perftools

Even though FreeBSD provides a CAF port, VAST depends the develop branch and therefore requires a manual CAF installation.


On recent Debian-based distributions (e.g., Ubuntu 15.04), getting a working toolchain involves installing the following packages:

apt-get install clang libc++-dev cmake libpcap-dev libgoogle-perftools-dev

CAF offers binary packages via openSUSE's Build Service.

Mac OS

Mac OS Yosemite also ships with a working C++14 compiler. Homebrew makes it easy to install the dependencies:

brew install cmake google-perftools
brew install caf --HEAD

Scientific Use

When referring to VAST in a scientific context, please use the following citation:

  author    = {Matthias Vallentin and Vern Paxson and Robin Sommer},
  title     = {{VAST: A Unified Platform for Interactive Network Forensics}},
  booktitle = {Proceedings of the USENIX Symposium on Networked Systems
               Design and Implementation (NSDI)},
  month     = {March},
  year      = {2016}

You can download the paper as part of the NSDI '16 proceedings.


VAST comes with a 3-clause BSD licence.