Real-Time Flow Analyzer
RoutePulse includes a Wireshark-inspired deep packet analysis interface built around a 3-zone layout: a Command Bar for filtering, a Flow Table for browsing, and 8 Analysis Tabs for deep dives. Live streaming mode via Socket.io delivers 50 flows every 2 seconds directly from an in-memory buffer, bypassing ClickHouse entirely for zero-latency observation. Reservoir sampling ensures uniform traffic representation across the time window regardless of volume spikes. The 14-column flow table displays Time, Source IP with country flag, Source AS, Source Port, direction arrow, Destination IP with flag, Destination AS, Destination Port with service name, Protocol badge, Estimated Bytes, Packets, Application, AS-PATH hops, and RPKI validation badge. Country flags use real PNG images from flagcdn.com at 16x12px retina resolution rather than Unicode characters. AbuseIPDB threat badges appear inline: orange for scores of 50-79% and red for 80% and above.
Clicking any flow row opens a 380px detail panel showing GeoIP location, 6 metric cards, RPKI validation status, AS-PATH chain visualization, threat intelligence data, reverse DNS, and full flow metadata. The 8 Analysis Tabs cover Protocol Hierarchy in a Wireshark-style tree, Conversations showing the top 50 bidirectional pairs, Endpoints with side-by-side top sources and destinations, AS Topology mapping the top 30 AS-to-AS links, Statistics with 5 KPIs and P50/P90/P95/P99 percentiles, I/O Graph with adaptive timeline, Geo Map using react-simple-maps with great-circle arcs, and Country Matrix rendered as a D3 chord diagram. A Wireshark-style filter expression syntax is supported alongside a Filter Builder Wizard covering 18 fields across 8 categories with 8 preset templates. Quick filter chips for TCP, UDP, ICMP, HTTPS, HTTP, DNS, SSH, and QUIC provide one-click filtering. Three-tier ASN enrichment uses a 50K-entry LRU cache as Tier 1, direct RIB lookup with a 500ms timeout as Tier 2, and WhoisService as Tier 3, achieving 98.8% IPv4 and 99.7% IPv6 enrichment rates. Results can be exported as CSV or JSON, queries can be bookmarked via URL serialization, and reverse DNS display can be toggled on or off.
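The per-window sampling and the threat badge thresholds described above, as an added JavaScript example that is not RoutePulse code. It assumes Algorithm R as the reservoir-sampling variant (the page does not name one), and every class and function name in it is hypothetical.

```javascript
// Added example, not RoutePulse code; names hypothetical, Algorithm R assumed.
const RESERVOIR_SIZE = 50; // flows emitted per window, from the page

class FlowReservoir {
  constructor(size = RESERVOIR_SIZE, random = Math.random) {
    this.size = size;
    this.random = random; // injectable so results can be reproduced
    this.sample = [];
    this.seen = 0;
  }

  // After n offers, every flow seen so far is in the sample with probability
  // size/n, so a burst cannot crowd out traffic from earlier in the window.
  offer(flow) {
    this.seen += 1;
    if (this.sample.length < this.size) {
      this.sample.push(flow);
      return;
    }
    const j = Math.floor(this.random() * this.seen); // uniform in [0, seen)
    if (j < this.size) this.sample[j] = flow;
  }

  // End of window (every 2 seconds on the page): hand back the sample, reset.
  flush() {
    const out = { flows: this.sample, seen: this.seen };
    this.sample = []; this.seen = 0;
    return out;
  }
}

// Badge colour for an AbuseIPDB score (0-100), using the page's thresholds.
function threatBadge(score) {
  if (score >= 80) return 'red';
  if (score >= 50) return 'orange';
  return null; // below 50: no badge
}

// Fraction of trials in which the flow at `position` survives a window of
// `total` constructed flows; should approach size/total for any position.
function inclusionRate(position, total, trials, random) {
  let hits = 0;
  for (let t = 0; t < trials; t++) {
    const r = new FlowReservoir(RESERVOIR_SIZE, random);
    for (let i = 0; i < total; i++) r.offer({ id: i });
    if (r.flush().flows.some((f) => f.id === position)) hits++;
  }
  return hits / trials;
}
```

With 500 flows in a window, `inclusionRate` returns roughly 0.1 for the first flow and for the last, which is the uniformity property: arrival order does not decide what reaches the table.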
Key Capabilities
- Wireshark-inspired 3-zone interface: Command Bar, Flow Table, and 8 Analysis Tabs for deep packet analysis
- Live streaming via Socket.io delivering 50 flows every 2 seconds from in-memory buffer for zero-latency observation
- Reservoir sampling ensuring uniform traffic representation regardless of volume spikes
- 14-column flow table with country flags (real PNGs from flagcdn.com), protocol badges, and RPKI validation indicators
- Inline AbuseIPDB threat badges: orange for 50-79% and red for 80%+ threat scores
- 380px click-to-expand detail panel with GeoIP, metric cards, RPKI status, AS-PATH chain, threat intel, and rDNS
- 8 Analysis Tabs: Protocol Hierarchy, Conversations, Endpoints, AS Topology, Statistics (P50-P99), I/O Graph, Geo Map, Country Matrix
- Wireshark-style filter syntax with Filter Builder Wizard covering 18 fields, 8 categories, and 8 preset templates
- Quick filter chips for TCP, UDP, ICMP, HTTPS, HTTP, DNS, SSH, and QUIC
- Three-tier ASN enrichment: 50K LRU cache, RIB direct lookup (500ms timeout), WhoisService fallback
- 98.8% IPv4 and 99.7% IPv6 enrichment rates for comprehensive traffic attribution
- CSV/JSON export, URL bookmark serialization for saved queries, and toggleable reverse DNS display
Engineered and operated by the GOLINE SOC & Network Engineering team.