Building a Zero-Server Network Forensics Suite with Rust and WebAssembly

Andrew — Sat, 06 Jun 2026 16:59:27 +0000

Imagine you have a 50MB+ network capture (.pcap) from a critical infrastructure crash. You need to quickly find out why the network didn't converge. You could spin up Wireshark, or you could drop the file into a browser tab and get a full visual root-cause analysis in under 100ms.

That’s why I built Post-Mortem — an open-source suite of serverless web tools for network forensics.

The Problem with Traditional PCAP Parsing

Desktop Overhead: Launching heavy desktop clients for quick triage is annoying.
Security Risks: Uploading corporate network captures containing sensitive internal IPs and payloads to cloud-based parsers is a massive security compliance violation.

The Architecture: Rust + WASM to the Rescue

To achieve zero-server parsing with native-like performance, I paired Rust with WebAssembly.

The Engine (Rust): Handles raw byte slicing of pcap/pcapng structures and executes state machines for complex networking protocols.
The Bridge (wasm-pack): Compiles the Rust binary into a WebAssembly module (.wasm) with automated JavaScript glue-code.
The UI (Vanilla JS + CSS): A lightweight, ultra-fast dashboard that renders timelines, charts, and graphs instantly.

What it analyzes right now:

1. OSPF Post-Mortem (IP Protocol 89)

Tracks OSPF adjacency states. It automatically flags severe errors like Duplicate Router-IDs, MTU mismatches (which stall DBD exchanges), and Hello timer mismatches. It even simulates a force-directed layout to draw the live OSPF topology map using pure SVG.

2. DHCP Post-Mortem (UDP 67/68)

Deconstructs the classic DORA (Discover, Offer, Request, Acknowledge) sequence, mapping transaction IDs and tracking address allocation anomalies.

3. STP / RSTP / Rapid-PVST+ Post-Mortem

Analyzes Spanning Tree Protocol variants. It pinpoints exactly which bridge became the Root Bridge, captures Topology Change Notifications (TCNs), and tracks down loops and blocked ports.

The Power of Local-First Web Tools

Because the app relies entirely on WASM running in the browser thread, it is:

100% Private: Your packets never leave your computer.
Insanely Fast: Parses thousands of packets in milliseconds.
Portable: You can download the single index.html file along with the pkg directory, and run it completely offline in the middle of a data center with no internet access.

Next Steps & Open Source

The project is entirely open-source. I’m currently looking for feedback from fellow systems/network engineers and web developers.

Check out the repos here: https://github.com/stars/casablanque-code/lists/network-forensics

What protocol do you think I should tackle next? BGP, QUIC, or maybe a deep-dive TLS handshake analyzer?
I would like to get your feedback and test results.

CLI wrapper for Cloudflare Tunnel with Zero Trust

Andrew — Tue, 26 May 2026 17:34:57 +0000

I got tired of configuring Cloudflare Zero Trust manually, so I built a 15s CLI wrapper.
Every time I wanted to expose a new local service (like Grafana or a dev API) securely, the routine was always the same:
Open Cloudflare Dashboard.
Create a new Tunnel.
Configure Ingress rules.
Add a DNS CNAME record.
Switch to the Zero Trust panel.
Create an Access Application.
Set up an Access Policy to restrict access to my email.

It’s an amazing, enterprise-grade security stack, but doing this manually for the 10th time just to test something is an absolute UX nightmare.
I wanted something as simple as ngrok, but with Cloudflare's Zero Trust protection under the hood. Since I couldn't find a lightweight tool that does exactly this, I wrote zt in Go.

How it works
Now, when I need to share or expose a local service, I just run:

zt up grafana 3000

In about 15 seconds, it automatically handles the whole chain:

Creates the Cloudflare Tunnel.
Sets up DNS and Ingress.
Locks it behind Cloudflare Access (asks for email OTP by default).
Fires up cloudflared in the background and saves the state locally.

If I need it to be completely public (like an webhook endpoint), I just pass a flag: zt up api 8080 --public. If I want to share it with specific colleagues: --allow mail@example.com

When I'm done, zt down grafana wipes everything clean and stops the process.

The Stack
It’s a single binary written in Go, using the official Cloudflare API package. Configuration and state are kept locally in ~/.zt-config.json and ~/.zt-state.json (secured with 0600 permissions).

I’ve been using it daily in my home lab and dev environment, and it has saved me hours of clicking through web UIs.

The project is completely open-source (MIT). If you're managing self-hosted apps or often need to expose local ports securely, feel free to check it out, open an issue, or drop a star!

casablanque-code / cfzt

cloudflare tunnel zero trust UX

zt — Zero Trust tunnel manager

One command to expose a local service through Cloudflare Zero Trust.

zt up grafana 3000
# → https://grafana.yourdomain.com  (ZT-protected, running in 15s)

What it does

zt up <name> <port> automatically:

Creates a Cloudflare Tunnel
Configures ingress rules
Creates a CNAME DNS record
Creates a Zero Trust Access application
Starts cloudflared in the background
Saves state locally

zt down <name> reverses all of the above.

Prerequisites

A domain on Cloudflare
cloudflared installed and in PATH
A Cloudflare API token with the following permissions:
- Account / Cloudflare Tunnel / Edit
- Zone / DNS / Edit
- Account / Access: Apps and Policies / Edit

Creating the API token

Cloudflare dashboard → My Profile → API Tokens → Create Token
Use Custom token, add the permissions above
Set Account Resources → your account
Set Zone Resources → your domain

Install

Option A — go install

go install

…

View on GitHub

DEV Community: Andrew