chore: add CI, README, LICENSE, and rustfmt config

.github/workflows/ci.yml

@@ -0,0 +1,68 @@
+name: CI
+
+on:
+  push:
+    branches: [develop, main]
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+    branches: [develop, main]
+
+env:
+  CARGO_TERM_COLOR: always
+  RUSTFLAGS: -Dwarnings
+
+jobs:
+  semantic-pr:
+    name: Semantic PR
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    steps:
+      - uses: amannn/action-semantic-pull-request@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types: |
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+          requireScope: false
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - run: cargo test --all-targets
+
+  clippy:
+    name: Clippy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy
+      - uses: Swatinem/rust-cache@v2
+      - run: cargo clippy --all-targets -- -D warnings
+
+  fmt:
+    name: Format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt
+      - run: cargo fmt --all --check

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Zious11
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,131 @@
+# wirerust
+
+Fast PCAP forensics and network triage CLI tool written in Rust.
+
+Inspired by [pcapper](https://github.com/SackOfHacks/pcapper) — reimagined for speed: zero-copy packet parsing, single static binary, and designed for incident response jumpkits.
+
+## Features
+
+- **One-pass triage** — hosts, services, protocols, and threat signals from pcap/pcapng files
+- **Protocol analysis** — DNS traffic analysis with extensible analyzer framework
+- **Threat detection** — finding system with verdict/confidence scoring and MITRE ATT&CK mapping
+- **Multiple outputs** — colored terminal, JSON export
+- **Fast** — Rust + etherparse zero-copy parsing, built for multi-GB captures
+
+## Install
+
+```bash
+cargo install --path .
+```
+
+Or build from source:
+
+```bash
+git clone https://github.com/Zious11/wirerust.git
+cd wirerust
+cargo build --release
+# Binary at target/release/wirerust
+```
+
+## Usage
+
+### Analyze a PCAP file
+
+```bash
+# Quick triage with DNS analysis
+wirerust analyze capture.pcap --dns
+
+# Run all analyzers
+wirerust analyze capture.pcap --all
+
+# JSON output
+wirerust analyze capture.pcap --all --output-format json
+
+# Multiple files or directories
+wirerust analyze *.pcap /path/to/pcaps/ --all
+```
+
+### Generate a summary
+
+```bash
+wirerust summary capture.pcap
+wirerust summary /path/to/pcaps/ --output-format json
+```
+
+### Options
+
+```
+wirerust [OPTIONS] <COMMAND>
+
+Commands:
+  analyze   Analyze PCAP files for threats and anomalies
+  summary   Generate a triage summary of PCAP files
+
+Options:
+  -v, --verbose              Enable verbose output
+      --no-color             Disable colored output
+      --output-format <FMT>  Output format: json, csv
+  -h, --help                 Print help
+  -V, --version              Print version
+```
+
+### Analyze flags
+
+```
+--threats    Run threat detection
+--dns        Analyze DNS traffic
+--http       Analyze HTTP traffic (coming soon)
+--tls        Analyze TLS handshakes (coming soon)
+--beacon     Detect C2 beaconing patterns (coming soon)
+-a, --all    Run all analyzers
+-f, --filter BPF filter expression
+```
+
+## Architecture
+
+```
+PCAP file → Reader → Decoder → Analyzers → Reporter
+                        ↓           ↓
+                    ParsedPacket  Findings
+                        ↓
+                     Summary
+```
+
+| Component | Crate | Purpose |
+|-----------|-------|---------|
+| Reader | `pcap-file` | Parse pcap/pcapng files |
+| Decoder | `etherparse` | Zero-copy packet parsing |
+| CLI | `clap` | Argument parsing |
+| Output | `owo-colors`, `serde_json` | Terminal + JSON |
+
+## Extending
+
+Add a new protocol analyzer by implementing the `ProtocolAnalyzer` trait:
+
+```rust
+use wirerust::analyzer::ProtocolAnalyzer;
+use wirerust::decoder::ParsedPacket;
+use wirerust::findings::Finding;
+
+impl ProtocolAnalyzer for MyAnalyzer {
+    fn name(&self) -> &'static str { "MyProtocol" }
+    fn can_decode(&self, packet: &ParsedPacket) -> bool { /* port check */ }
+    fn analyze(&mut self, packet: &ParsedPacket) -> Vec<Finding> { /* logic */ }
+    fn summarize(&self) -> AnalysisSummary { /* stats */ }
+}
+```
+
+## Roadmap
+
+See [open issues](https://github.com/Zious11/wirerust/issues) for planned features:
+
+- HTTP and TLS analyzers
+- C2 beaconing detection
+- CSV and SQLite export
+- MITRE ATT&CK mapping
+- Parallel file processing
+- ICS/OT protocols (Modbus, DNP3)
+
+## License
+
+[MIT](LICENSE)

rustfmt.toml

@@ -0,0 +1,4 @@
+edition = "2024"
+max_width = 100
+use_field_init_shorthand = true
+use_try_shorthand = true

src/analyzer/dns.rs

@@ -43,12 +43,10 @@ impl ProtocolAnalyzer for DnsAnalyzer {
 
     fn can_decode(&self, packet: &ParsedPacket) -> bool {
         match &packet.transport {
-            TransportInfo::Udp { src_port, dst_port } => {
-                Self::is_dns_port(*src_port, *dst_port)
-            }
-            TransportInfo::Tcp { src_port, dst_port, .. } => {
-                Self::is_dns_port(*src_port, *dst_port)
-            }
+            TransportInfo::Udp { src_port, dst_port } => Self::is_dns_port(*src_port, *dst_port),
+            TransportInfo::Tcp {
+                src_port, dst_port, ..
+            } => Self::is_dns_port(*src_port, *dst_port),
             TransportInfo::None => false,
         }
     }

src/decoder.rs

@@ -1,6 +1,6 @@
 use std::net::IpAddr;
 
-use anyhow::{anyhow, Result};
+use anyhow::{Result, anyhow};
 use etherparse::SlicedPacket;
 use serde::Serialize;
 
@@ -67,8 +67,7 @@ impl ParsedPacket {
 }
 
 pub fn decode_packet(data: &[u8]) -> Result<ParsedPacket> {
-    let sliced =
-        SlicedPacket::from_ethernet(data).map_err(|e| anyhow!("Parse error: {e}"))?;
+    let sliced = SlicedPacket::from_ethernet(data).map_err(|e| anyhow!("Parse error: {e}"))?;
 
     let (src_ip, dst_ip, ip_protocol) = match &sliced.net {
         Some(etherparse::NetSlice::Ipv4(ipv4)) => {
@@ -91,22 +90,24 @@ pub fn decode_packet(data: &[u8]) -> Result<ParsedPacket> {
     };
 
     let (protocol, transport) = match &sliced.transport {
-        Some(etherparse::TransportSlice::Tcp(tcp)) => {
-            (Protocol::Tcp, TransportInfo::Tcp {
+        Some(etherparse::TransportSlice::Tcp(tcp)) => (
+            Protocol::Tcp,
+            TransportInfo::Tcp {
                 src_port: tcp.source_port(),
                 dst_port: tcp.destination_port(),
                 syn: tcp.syn(),
                 ack: tcp.ack(),
                 fin: tcp.fin(),
                 rst: tcp.rst(),
-            })
-        }
-        Some(etherparse::TransportSlice::Udp(udp)) => {
-            (Protocol::Udp, TransportInfo::Udp {
+            },
+        ),
+        Some(etherparse::TransportSlice::Udp(udp)) => (
+            Protocol::Udp,
+            TransportInfo::Udp {
                 src_port: udp.source_port(),
                 dst_port: udp.destination_port(),
-            })
-        }
+            },
+        ),
         Some(etherparse::TransportSlice::Icmpv4(_) | etherparse::TransportSlice::Icmpv6(_)) => {
             (Protocol::Icmp, TransportInfo::None)
         }

src/main.rs

@@ -4,14 +4,14 @@ use anyhow::{Context, Result};
 use clap::Parser;
 use indicatif::{ProgressBar, ProgressStyle};
 
-use wirerust::analyzer::dns::DnsAnalyzer;
 use wirerust::analyzer::ProtocolAnalyzer;
+use wirerust::analyzer::dns::DnsAnalyzer;
 use wirerust::cli::{Cli, Commands, OutputFormat};
 use wirerust::decoder::decode_packet;
 use wirerust::reader::PcapSource;
+use wirerust::reporter::Reporter;
 use wirerust::reporter::json::JsonReporter;
 use wirerust::reporter::terminal::TerminalReporter;
-use wirerust::reporter::Reporter;
 use wirerust::summary::Summary;
 
 fn main() -> Result<()> {
@@ -20,7 +20,9 @@ fn main() -> Result<()> {
     let use_color = !cli.no_color && std::env::var("NO_COLOR").is_err();
 
     match &cli.command {
-        Commands::Analyze { targets, dns, all, .. } => {
+        Commands::Analyze {
+            targets, dns, all, ..
+        } => {
             run_analyze(targets, *dns || *all, use_color, &cli)?;
         }
         Commands::Summary { targets, .. } => {
@@ -48,9 +50,9 @@ fn run_analyze(
                 .with_context(|| format!("Failed to read {}", path.display()))?;
 
             let pb = ProgressBar::new(source.packets.len() as u64);
-            pb.set_style(
-                ProgressStyle::with_template("[{elapsed_precise}] {bar:40} {pos}/{len} packets")?
-            );
+            pb.set_style(ProgressStyle::with_template(
+                "[{elapsed_precise}] {bar:40} {pos}/{len} packets",
+            )?);
 
             for raw in &source.packets {
                 if let Ok(parsed) = decode_packet(&raw.data) {
@@ -87,11 +89,7 @@ fn run_analyze(
     Ok(())
 }
 
-fn run_summary(
-    targets: &[std::path::PathBuf],
-    use_color: bool,
-    cli: &Cli,
-) -> Result<()> {
+fn run_summary(targets: &[std::path::PathBuf], use_color: bool, cli: &Cli) -> Result<()> {
     let mut summary = Summary::new();
 
     for target in targets {
@@ -132,9 +130,10 @@ fn resolve_targets(target: &Path) -> Result<Vec<std::path::PathBuf>> {
             let path = entry.path();
             if path.is_file()
                 && let Some(ext) = path.extension()
-                    && (ext == "pcap" || ext == "pcapng") {
-                        files.push(path);
-                    }
+                && (ext == "pcap" || ext == "pcapng")
+            {
+                files.push(path);
+            }
         }
         files.sort();
         return Ok(files);

src/reader.rs

@@ -17,8 +17,7 @@ pub struct PcapSource {
 
 impl PcapSource {
     pub fn from_pcap_reader<R: Read>(reader: R) -> Result<Self> {
-        let mut pcap_reader =
-            PcapReader::new(reader).context("Failed to parse pcap header")?;
+        let mut pcap_reader = PcapReader::new(reader).context("Failed to parse pcap header")?;
 
         let mut packets = Vec::new();
 

tests/analyzer_tests.rs

@@ -1,7 +1,7 @@
 use std::net::{IpAddr, Ipv4Addr};
 
-use wirerust::analyzer::dns::DnsAnalyzer;
 use wirerust::analyzer::ProtocolAnalyzer;
+use wirerust::analyzer::dns::DnsAnalyzer;
 use wirerust::decoder::{ParsedPacket, Protocol, TransportInfo};
 
 fn make_dns_packet(payload: &[u8]) -> ParsedPacket {