C++ C CMake Makefile Python HTML Other
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.



Build Status Chat License

Visibility Across Space and Time (VAST) is a platform for network forensics at scale.


Ingest a PCAP trace into a local VAST node:

vast -n import pcap < trace.pcap

Query a local VAST node and get the result back as PCAP trace:

vast -n export pcap "sport > 60000/tcp && src !in" \
  | ipsumdump --collate -w - \
  | tcpdump -r - -nl

Start a VAST node in the foreground, listening at

vast -e start -f

Send Bro logs to a remote node:

zcat *.log.gz | vast import bro




Required dependencies:

  • A C++17 compiler:
    • GCC >= 8
    • Clang >= 6
    • Apple Clang >= 9.1
  • CMake
  • CAF (develop branch)

Optional dependencies:

Source Build

Building VAST involves the following steps:

make test
make install

The configure script is a small wrapper that passes build-related variables to CMake. For example, to use ninja as build generator, add --generator=Ninja to the command line. Passing --help shows all available options.

The doc target builds the API documentation locally:

make doc

Scientific Use

When referring to VAST in a scientific context, please use the following citation:

  author    = {Matthias Vallentin and Vern Paxson and Robin Sommer},
  title     = {{VAST: A Unified Platform for Interactive Network Forensics}},
  booktitle = {Proceedings of the USENIX Symposium on Networked Systems
               Design and Implementation (NSDI)},
  month     = {March},
  year      = {2016}

You can download the paper from the NSDI '16 proceedings.


VAST comes with a 3-clause BSD licence.