Retina enables high-speed network forensics by building a binary tailored to a specific experiment written in Rust. It provides convenient filtering capabilities to easily answer questions such as “Is the TLS SNI really random?” or “How many TLS handshake are destined to Netflix?”.

Tested at up to 160Gbps with a commodity server on a Stanford traffic TAP, it supports 5-100x higher traffic rates than standard “bloatware” IDSes.

Retina was published at SIGCOMM’22, as a result of a pleasant collaboration between Tom Barbette, now leading the Efficency of Networked Systems Group at UCLouvain and Gerry Wan, Fengchen Gong and Zakir Durumeric from Stanford University.

Retina got the 3 ACM badges for availability, reproducibility and functionality, check below if you want to fast-track to a ready-to-use docker image or learn how Retina can help you design a cybersecurity experiment with a virtually unlimited speed.

Retina in a nutshell

Retina is a network analysis framework that enables operators and researchers to ask complex questions about high-speed (>100gbE) network links. Retina allows users to easily subscribe to subsets of parsed application-layer sessions, reassembled network flows, or raw packets in real-time and to run arbitrary analysis code in a standard Rust-based software environment. Retina optimizes for:

  • Expressiveness: Retina supports arbitrarily complex processing of individual packets, reassembled connections, or parsed application-layer sessions using a simple filter and callback interface.

  • Performance: Retina is capable of real-time traffic analysis in high volume (100G+) environments, such as ISPs or academic institutions.

  • Deployability: Retina is readily deployable on a single multi-core server with commodity 100gbE NICs (e.g., Mellanox ConnectX-5 or Intel E810).

  • Security: Retina leverages compile-time memory safety guarantees offered by Rust to safely and efficiently process network traffic.

In this blog article, we’ll look at how Retina works with an example.

use retina_core::config::default_config;
use retina_core::subscription::TlsHandshake;
use retina_core::Runtime;
use retina_filtergen::filter;

#[filter("tls.sni ~ '^.*\\.com$'")]
fn main() {
    let cfg = default_config();
    let callback = |tls: TlsHandshake| {
        println!("{:?}", tls);
    let mut runtime = Runtime::new(cfg, filter, callback).unwrap();;

In this example, a complete experiment is defined to listen to subscribe to all TLS Handshakes matching a SNI ending by “.com”. In this simple example, we print the content of the TLS handshake.

Try it out !

A Docker image is available to run Retina without the hassle of installing DPDK and other dependencies. It is, however, not suitable for performance testing as it uses the DPDK PCAP driver and is limited to a single core. The GitHub repository also includes a tutorial and a video to start learning about Retina.

A CloudLab image is available to reproduce a few of the experiments shown in the paper on the CloudLab public testbed. The repository also includes the scripts and information to reproduce these experiments on your own testbed.

Or run the real thing on your own testbed, following our Github page.

Read more

paper ; github ; video