deepfence
diff --git a/‎.github/workflows/mdbook.yml
+26 b/‎.github/workflows/mdbook.yml
+26
diff --git a/‎.gitignore
+3 b/‎.gitignore
+3
diff --git a/‎README.md
+40-242 b/‎README.md
+40-242
diff --git a/‎docs/book.toml
+6 b/‎docs/book.toml
+6
diff --git a/‎docs/src/README.md
+1 b/‎docs/src/README.md
+1
diff --git a/‎docs/src/SUMMARY.md
+12 b/‎docs/src/SUMMARY.md
+12
@@ -0,0 +1,26 @@
+name: mdBook
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Build book
+      run: |
+        cargo install mdbook
+        pushd docs
+        mdbook build
+        mdbook test
+        popd
+    - name: Deploy website
+      if: github.event_name == 'push'
+      uses: JamesIves/[email protected]
+      with:
+        branch: gh-pages
+        folder: book
@@ -25,3 +25,6 @@ go.work
 
 # Binary
 packetstreamer
+
+# Documentation
+docs/book/
@@ -1,278 +1,76 @@
+[![Book](https://img.shields.io/website?url=https%3A%2F%2Fdeepfence.github.io%2FPacketStreamer%2F)](https://deepfence.github.io/PacketStreamer/)
 [![GitHub license](https://img.shields.io/github/license/deepfence/PacketStreamer)](https://github.com/deepfence/PacketStreamer/blob/master/LICENSE)
 [![GitHub stars](https://img.shields.io/github/stars/deepfence/PacketStreamer)](https://github.com/deepfence/PacketStreamer/stargazers)
 [![GitHub issues](https://img.shields.io/github/issues/deepfence/PacketStreamer)](https://github.com/deepfence/PacketStreamer/issues)
 [![Slack](https://img.shields.io/badge/[email protected]?logo=slack)](https://join.slack.com/t/deepfence-community/shared_invite/zt-podmzle9-5X~qYx8wMaLt9bGWwkSdgQ)
 
-
 # PacketStreamer
 
-Deepfence PacketStreamer is a high-performance remote packet capture and collection tool. It is used by Deepfence's [ThreatStryker](https://deepfence.io/threatstryker/) security observability platform to gather network traffic on demand from cloud workloads for forensic analysis.
+Deepfence PacketStreamer is a high-performance remote packet capture and
+collection tool. It is used by Deepfence's [ThreatStryker](https://deepfence.io/threatstryker/)
+security observability platform to gather network traffic on demand from cloud
+workloads for forensic analysis.
 
 Primary design goals:
 
 * Stay light, capture and stream, no additional processing
-* Portability, works across virtual machines, Kubernetes and AWS Fargate. Linux and Windows.
-
-PacketStreamer **sensors** are started on the target servers. Sensors capture traffic, apply filters, and then stream the traffic to a central reciever. Traffic streams may be compressed and/or encrypted using TLS.
-
-The PacketStreamer **reciever** accepts PacketStreamer streams from multiple remote sensors, and writes the packets to a local `pcap` capture file
-
-<p align="center"><img src="/images/readme/packetstreamer.png" width="66%"/><p>
-
-PacketStreamer sensors collect raw network packets on remote hosts.  It selects packets to capture using a BPF filter, and forwards them to a central reciever process where they are written in pcap format.  Sensors are very lightweight and impose little performance impact on the remote hosts.  PacketStreamer sensors can be run on bare-metal servers, on Docker hosts, and on Kubernetes nodes.
-
-The PacketStreamer receiver accepts network traffic from multiple sensors, collecting it into a single, central `pcap` file.  You can then process the pcap file or live feed the traffic to the tooling of your choice, such as `Zeek`, `Wireshark` `Suricata`, or as a live stream for Machine Learning models.
-
-### When to use PacketStreamer
-
-PacketStreamer meets more general use cases than existing alternatives. For example, [PacketBeat](https://github.com/elastic/beats/tree/master/packetbeat) captures and parses the packets on multiple remote hosts, assembles transactions, and ships the processed data to a central ElasticSearch collector. [ksniff](https://github.com/eldadru/ksniff) captures raw packet data from a single Kubernetes pod.
-
-Use PacketStreamer if you need a lightweight, efficient method to collect raw network data from multiple machines for central logging and analysis.
-
-### Who uses PacketStreamer?
-
- * Deepfence [ThreatStryker](https://deepfence.io/threatstryker/) uses PacketStreamer to capture traffic from production platforms for forensics and  anomaly detection.
-
-
-# Quickstart: Build and Run PacketStreamer
-
-## Building PacketStreamer
-
-Build the `packetstreamer` binary using the `go` toolchain as follows:
-
-```bash
-make
-```
-
-## Run a PacketStreamer receiver
-
-```bash
-packetstreamer receiver --config [configuration_file]
-```
-
-You can use an example configuration file:
-
-```bash
-packetstreamer receiver --config ./contrib/config/receiver-local.yaml
-```
-
-You can process the `pcap` output in a variety of ways:
-
-```bash
-# pass the output file /tmp/dump_file to tcpdump:
-tail -c +1 -f /tmp/dump_file | tcpdump -r -
-```
-
-```bash
-# Edit the configuration to write to the special name 'stdout', and pipe output to tcpdump:
-./packet-streamer receiver --config ./contrib/config/receiver-stdout.yaml | tcpdump -r -
-```
-
-## Run a PacketStreamer sensor
-
-```bash
-sudo packetstreamer sensor --config [configuration_file]
-```
-
-You can use an example configuration file:
-
-```bash
-sudo packetstreamer sensor --config ./contrib/config/sensor-local.yaml
-```
-
-When running the sensor remotely, edit the configuration file to target the remote receiver.
-
-## Testing PacketStreamer
-
-You can generate some test traffic using your favorite load generator - `ab`, `wrk`, `httperf`, `vegeta`.  For example, to use vegeta:
-
-```bash
-# install vegeta
-go install github.com/tsenart/vegeta@latest
-
-echo 'GET http://some_ip:80' | vegeta attack -rate 100 -duration 5m | tee results.bin | vegeta report
-```
-
-# Advanced Build Options
-
-Use the `RELEASE` parameter to strip the binary for a production environment:
-
-```bash
-make RELEASE=1
-```
-
-Use the `STATIC` parameter to statically-link the binary:
-
-```bash
-make STATIC=1
-```
-
-## Build using Docker
-
-Use the `docker-bin` target to build `packetstreamer` with Docker. The binary will be statically linked with `musl` and `libpcap`, making it portable across Linux distributions:
-
-```bash
-make docker-bin
-
-# Alternatively, build a stripped release binary
-make docker-bin RELEASE=1
-```
-
-## Build a Container Image
-
-Use the `docker-image` target to build a container image:
-
-```bash
-make docker-image
-
-# Alternatively, build a stripped release binary
-make docker-image RELEASE=1
-```
-
-## Deploy on Kubernetes
-
-PacketStreamer can be deployed on Kubernetes using Helm:
-
-```bash
-kubectl apply -f ./contrib/kubernetes/namespace.yaml
-helm install packetstreamer ./contrib/helm/ --namespace packetstreamer
-```
-
-By default, the Helm chart deploys a DaemonSet with sensor on all nodes and one receiver instance. For the custom configuration values, please refer to the [values.yaml file](/contrib/helm/values.yaml).
-
-# Advanced Test Scenarios
-
-## Testing on Docker
-
-PacketStreamer container images can be tested locally on Docker.
-
-### Receiver side
-
-```bash
-docker run --rm -it \
-    -v $(pwd)/contrib/config:/etc/packetstreamer \
-    -v $HOME/container_tmp:/tmp \
-    -p 8081:8081 \
-    deepfenceio/deepfence_packetstreamer \
-    receiver --config /etc/packetstreamer/receiver.yaml
-```
-
-### Sensor side
-
-```bash
-docker run --rm -it \
-    --cap-add=NET_ADMIN --net=host \
-    -v $(pwd)/contrib/config:/etc/packetstreamer \
-    deepfenceio/deepfence_packetstreamer \
-    sensor --config /etc/packetstreamer/sensor-local.yaml
-```
-
-The sensor requires `--net=host` and `NET_ADMIN` capability in order to capture all of the packets on the host.
-
-```bash
-echo 'GET http://some_ip:80' | vegeta attack -rate 100 -duration 5m | tee results.bin | vegeta report
-```
-
-The `pcap` dump file is available in `$HOME/container_tmp/dump_file`.
-
-## Testing on Vagrant
-
-On a single host, you may use [Vagrant](https://www.vagrantup.com) to run sensor and receiver hosts easily:
-
-Install Vagrant according to [the official instructions](https://www.vagrantup.com/downloads). By default, Vagrant uses Virtualbox; you should install [vagrant-libvirt](https://github.com/vagrant-libvirt/vagrant-libvirt), using `vagrant plugin install vagrant-libvirt`.
-
-Start the two Vagrant VMs, `receiver` and `sensor`:
-
-```bash
-vagrant up
-
-vagrant status
-# Current machine states:
-#
-# receiver                  running (libvirt)
-# sensor                    running (libvirt)
-```
-
-SSH to those VMs (in separate terminals) by using the following commands:
-
-```bash
-vagrant ssh receiver
-```
-
-```bash
-vagrant ssh sensor
-```
-
-On each, enter the source code directory:
+* Portability, works across virtual machines, Kubernetes and AWS Fargate. Linux
+  and Windows.
 
-### Receiver side
+PacketStreamer **sensors** are started on the target servers. Sensors capture
+traffic, apply filters, and then stream the traffic to a central reciever.
+Traffic streams may be compressed and/or encrypted using TLS.
 
-```bash
-cd PacketStreamer
-./packetstreamer receiver --config ./contrib/config/receiver-vagrant.yaml
-```
+The PacketStreamer **receiver** accepts PacketStreamer streams from multiple
+remote sensors, and writes the packets to a local `pcap` capture file
 
-### Sensor side
+<p align="center"><img src="https://raw.githubusercontent.com/deepfence/PacketStreamer/main/images/readme/packetstreamer.png"/><p>
 
-```bash
-cd PacketStreamer
-sudo ./packetstreamer --config ./contrib/config/sensor-vagrant.yaml
-```
+PacketStreamer sensors collect raw network packets on remote hosts. It selects packets
+to capture using a BPF filter, and forwards them to a central reciever process
+where they are written in pcap format.  Sensors are very lightweight and impose
+little performance impact on the remote hosts. PacketStreamer sensors can be
+run on bare-metal servers, on Docker hosts, and on Kubernetes nodes.
 
-Generate some live traffic
+The PacketStreamer receiver accepts network traffic from multiple sensors,
+collecting it into a single, central `pcap` file.  You can then process the 
+pcap file or live feed the traffic to the tooling of your choice, such as
+`Zeek`, `Wireshark` `Suricata`, or as a live stream for Machine Learning models.
 
-```bash
-echo 'GET http://some_ip:80' | vegeta attack -rate 100 -duration 5m | tee results.bin | vegeta report
-```
+## When to use PacketStreamer
 
-# PacketStreamer Configuration
+PacketStreamer meets more general use cases than existing alternatives. For
+example, [PacketBeat](https://github.com/elastic/beats/tree/master/packetbeat)
+captures and parses the packets on multiple remote hosts, assembles
+transactions, and ships the processed data to a central ElasticSearch
+collector. [ksniff](https://github.com/eldadru/ksniff) captures raw packet
+data from a single Kubernetes pod.
 
-`packetstreamer` is configured using a yaml-formatted configuration file.
+Use PacketStreamer if you need a lightweight, efficient method to collect raw
+network data from multiple machines for central logging and analysis.
 
-```yaml
-input:                         # required in 'receiver' mode
-  address: _ip-address_
-  port: _listen-port_
-output:
-  server:                      # required in 'sensor' mode
-    address: _ip-address_
-    port: _listen-port_
-  file:                        # required in 'receiver' mode
-    path: _filename_|stdout    # 'stdout' is a reserved name. Receiver will write to stdout
-tls:                           # optional
-  enable: _true_|_false_
-  certfile: _filename_
-  keyfile: _filename_
-auth:                          # optional; receiver and sensor must use same shared key
-  enable: _true_|_false_
-  key: _string_
-compressBlockSize: _integer_   # optional; default: 65
-inputPacketLen: _integer_      # optional; default: 65535
-logFilename: _filename_        # optional
-pcapMode: _Allow_|_Deny_|_All_ # optional
-capturePorts: _list-of-ports_  # optional
-captureInterfacesPorts: _map: interface-name:port_ # optional
-ignorePorts: _list-of-ports_   # optional
-```
+## Who uses PacketStreamer?
 
-You can find example configuration files in the [`/contrib/config/`](contrib/config/) folder.
+ * Deepfence [ThreatStryker](https://deepfence.io/threatstryker/) uses
+   PacketStreamer to capture traffic from production platforms for forensics
+   and anomaly detection.
 
-# Get in touch
+## Get in touch
 
 Thank you for using PacketStreamer.
 
 * [<img src="https://img.shields.io/badge/[email protected]?logo=slack">](https://join.slack.com/t/deepfence-community/shared_invite/zt-podmzle9-5X~qYx8wMaLt9bGWwkSdgQ) Got a question, need some help?  Find the Deepfence team on Slack
-* https://github.com/deepfence/PacketStreamer/issues: Got a feature request or found a bug?  Raise an issue
-* [productsecurity at deepfence dot io](SECURITY.md): Found a security issue?  Share it in confidence
+* https://github.com/deepfence/PacketStreamer/issues: Got a feature request or found a bug? Raise an issue
+* [productsecurity *at* deepfence *dot* io](SECURITY.md): Found a security issue? Share it in confidence
 * Find out more at [deepfence.io](https://deepfence.io/)
 
-# Security and Support
+## Security and Support
 
 For any security-related issues in the PacketStreamer project, contact [productsecurity *at* deepfence *dot* io](SECURITY.md).
 
 Please file GitHub issues as needed, and join the Deepfence Community [Slack channel](https://join.slack.com/t/deepfence-community/shared_invite/zt-podmzle9-5X~qYx8wMaLt9bGWwkSdgQ).
 
-# License
+## License
 
 The Deepfence PacketStreamer project (this repository) is offered under the [Apache2 license](https://www.apache.org/licenses/LICENSE-2.0).
 
 
@@ -0,0 +1,6 @@
+[book]
+authors = ["Michal Rostecki"]
+language = "en"
+multilingual = false
+src = "src"
+title = "PacketStreamer"
@@ -0,0 +1 @@
+../../README.md
@@ -0,0 +1,12 @@
+# Summary
+
+- [Introduction](./README.md)
+- [Quickstart](./quickstart/README.md)
+  - [Building](./quickstart/building.md)
+  - [Using locally](./quickstart/local.md)
+  - [Using with Docker](./quickstart/docker.md)
+  - [Using on Kubernetes](./quickstart/kubernetes.md)
+  - [Using on Vagrant](./quickstart/vagrant.md)
+- [Using with other tools](./tools/README.md)
+  - [Suricata](./tools/suricata.md)
+- [Configuration](./configuration.md)