Packet capture
comes to the Mac.
Wireshark is a protocol analyzer born in 1998 as Ethereal. Tcpdump is a man page. Talon is what I want on my own Mac: native Swift, BPF-backed, sharing the Kestrel analysis engine (port still in progress), with encrypted pairing to my iPhone planned.
Live capture, natively.
Berkeley Packet Filter is the kernel interface that tcpdump and Wireshark reach through libpcap. Talon reads from it directly: no libpcap shim, no third-party code.
Interface discovery
Enumerates every network interface via getifaddrs(): addresses and link status per interface, the Wi-Fi interface selected automatically, loopback shown when you ask for it.
Read-only BPF
Opens /dev/bpfN with O_RDONLY, binds the interface (BIOCSETIF), enables immediate delivery (BIOCIMMEDIATE) and promiscuous mode (BIOCPROMISC); every record carries the link-layer header. A read-only descriptor cannot inject or transmit: write(2) on it fails with EBADF before the BPF driver is ever reached, so there is no injection code path to audit. Two practical notes: /dev/bpf* is root-only (mode 0600) by default, so capture needs root or membership in the access_bpf group that Wireshark's ChmodBPF helper sets up; and promiscuous mode is a property of the interface (ifconfig shows PROMISC while it is on), which BPF clears when the descriptor is closed.
Six-stage pipeline
Open device. Bind interface. Configure. Capture loop on a background queue, where each read(2) returns one or more whole records (a bpf_hdr followed by the frame, padded to a 4-byte boundary). Parse each frame through the same pipeline PCAP parsing uses. Batch the results and dispatch them to the main thread.
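The six stages in code, as an added Swift example rather than Talon's own source. It rebuilds the BIOC* request numbers by hand because Swift does not import the C macros, parses the bpf_hdr record layout of 64-bit macOS (32-bit second and microsecond fields, caplen, datalen, 16-bit hdrlen) by offset, and ends with the runtime form of the "cannot inject" guarantee. The interface name, the Frame type and the batch callback are placeholders chosen here, not Talon's.

```swift
import Darwin
import Foundation

// Swift does not import the BIOC* macros, so rebuild them from the <sys/ioccom.h>
// encoding: direction | (len << 16) | (group 'B' << 8) | number.
private let IOC_VOID: UInt = 0x2000_0000
private let IOC_OUT:  UInt = 0x4000_0000
private let IOC_IN:   UInt = 0x8000_0000
private func ioc(_ dir: UInt, _ num: UInt, _ len: Int) -> UInt {
    dir | ((UInt(len) & 0x1fff) << 16) | (UInt(UInt8(ascii: "B")) << 8) | num
}
let BIOCGBLEN     = ioc(IOC_OUT,  102, MemoryLayout<UInt32>.size)  // 0x40044266
let BIOCPROMISC   = ioc(IOC_VOID, 105, 0)                          // 0x20004269
let BIOCSETIF     = ioc(IOC_IN,   108, MemoryLayout<ifreq>.size)   // 0x8020426c
let BIOCIMMEDIATE = ioc(IOC_IN,   112, MemoryLayout<UInt32>.size)  // 0x80044270

struct CaptureError: Error { let call: String; let code: Int32 }

struct Frame {                            // placeholder type for this example
    let seconds: UInt32, micros: UInt32   // bpf_timeval32 from the record header
    let originalLength: Int               // bh_datalen: length on the wire
    let bytes: [UInt8]                    // bh_caplen bytes, link-layer header first
}

/// Stages 1-3: open the first free /dev/bpfN read-only, bind it, configure it.
/// O_RDONLY is what makes injection impossible: write(2) on this descriptor
/// fails with EBADF in the VFS layer before the BPF driver sees the call.
func openBPF(iface: String) throws -> (fd: Int32, bufLen: Int) {
    var fd: Int32 = -1
    for n in 0..<256 {
        fd = open("/dev/bpf\(n)", O_RDONLY)
        if fd >= 0 { break }
        if errno != EBUSY { throw CaptureError(call: "open", code: errno) }
    }
    guard fd >= 0 else { throw CaptureError(call: "open", code: EBUSY) }
    func fail(_ call: String) -> CaptureError {
        let saved = errno; close(fd); return CaptureError(call: call, code: saved)
    }
    var ifr = ifreq()
    withUnsafeMutablePointer(to: &ifr.ifr_name) { name in
        name.withMemoryRebound(to: CChar.self, capacity: Int(IFNAMSIZ)) { dst in
            _ = iface.withCString { strlcpy(dst, $0, Int(IFNAMSIZ)) }
        }
    }
    guard ioctl(fd, BIOCSETIF, &ifr) == 0 else { throw fail("BIOCSETIF") }
    var one: UInt32 = 1                                   // deliver frames as they arrive
    guard ioctl(fd, BIOCIMMEDIATE, &one) == 0 else { throw fail("BIOCIMMEDIATE") }
    guard ioctl(fd, BIOCPROMISC) == 0 else { throw fail("BIOCPROMISC") }
    var bufLen: UInt32 = 0                                // kernel-chosen read buffer size
    guard ioctl(fd, BIOCGBLEN, &bufLen) == 0 else { throw fail("BIOCGBLEN") }
    return (fd, Int(bufLen))
}

/// Stage 5: walk one read(2) result. Each record is a bpf_hdr followed by the
/// frame, and the next record starts at BPF_WORDALIGN(hdrlen + caplen).
func parseBPFBuffer(_ buf: UnsafeRawBufferPointer, _ deliver: (Frame) -> Void) {
    var off = 0
    while off + 18 <= buf.count {
        let sec    = buf.load(fromByteOffset: off,      as: UInt32.self)
        let usec   = buf.load(fromByteOffset: off + 4,  as: UInt32.self)
        let caplen = Int(buf.load(fromByteOffset: off + 8,  as: UInt32.self))
        let dlen   = Int(buf.load(fromByteOffset: off + 12, as: UInt32.self))
        let hdrlen = Int(buf.load(fromByteOffset: off + 16, as: UInt16.self))
        let start = off + hdrlen
        guard hdrlen >= 18, start + caplen <= buf.count else { return }  // truncated: stop
        deliver(Frame(seconds: sec, micros: usec, originalLength: dlen,
                      bytes: Array(buf[start..<start + caplen])))
        off = (start + caplen + 3) & ~3                   // BPF_WORDALIGN
    }
}

/// Stages 4 and 6: blocking reads on a background queue, one batch per read
/// handed to the main thread. Runs until the read fails (e.g. the fd is closed).
func startCapture(iface: String, onBatch: @escaping ([Frame]) -> Void) throws {
    let (fd, bufLen) = try openBPF(iface: iface)
    DispatchQueue.global(qos: .userInitiated).async {
        let buf = UnsafeMutableRawPointer.allocate(byteCount: bufLen, alignment: 4)
        defer { buf.deallocate(); close(fd) }
        while true {
            let n = read(fd, buf, bufLen)
            if n < 0 { if errno == EINTR { continue } else { return } }
            var batch: [Frame] = []
            parseBPFBuffer(UnsafeRawBufferPointer(start: buf, count: n)) { batch.append($0) }
            if !batch.isEmpty { DispatchQueue.main.async { onBatch(batch) } }
        }
    }
}

/// The read-only guarantee as a runtime check: a 1-byte write must be refused
/// with EBADF, meaning the descriptor has no transmit path at all.
func injectionIsBlocked(fd: Int32) -> Bool {
    var probe: UInt8 = 0
    return write(fd, &probe, 1) == -1 && errno == EBADF
}
```

Run it as root or as a member of access_bpf; the open loop skips devices that are EBUSY because another capture (or another BPF consumer such as mDNSResponder) holds them. The record walker stops at the first truncated record rather than trusting caplen, which is the check a parser fed by a kernel buffer should keep even when the kernel is trusted.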
Export to libpcap
Writes a standards-compliant .pcap via NSSavePanel: a 24-byte global header (magic 0xA1B2C3D4, version 2.4, link type 1 for Ethernet) followed by a 16-byte record header plus the captured bytes for every frame, all in host byte order; readers recover the byte order from the magic. Link type 1 (DLT_EN10MB) is what BPF reports for Wi-Fi and wired Ethernet; a loopback capture reports DLT_NULL (0) from BIOCGDLT and needs that value in the header before Wireshark will parse it. Open it in Wireshark. It just works.
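The file layout as a writer, added here as an example and not Talon's own export code. It covers the part the description above leaves implicit, the per-record header, and takes the link type as a parameter so a loopback capture can be written with DLT_NULL. The NSSavePanel wrapper, the snaplen default and the sample frame are choices made for this example.

```swift
import AppKit
import Foundation
import UniformTypeIdentifiers

/// libpcap file layout: a 24-byte global header, then per frame a 16-byte
/// record header and the captured bytes. Everything is written in host byte
/// order; a reader tells the order from the magic (0xA1B2C3D4 stored on a
/// little-endian Mac reads back as the bytes D4 C3 B2 A1).
struct PcapWriter {
    static let magicMicroseconds: UInt32 = 0xA1B2C3D4   // 0xA1B23C4D would mean nanosecond stamps
    static let linkTypeEthernet: UInt32 = 1             // DLT_EN10MB: en0, wired or Wi-Fi
    static let linkTypeNull: UInt32 = 0                 // DLT_NULL: what lo0 reports via BIOCGDLT

    let snapLen: UInt32
    private(set) var data = Data()

    init(linkType: UInt32, snapLen: UInt32 = 262_144) {
        self.snapLen = snapLen
        append(Self.magicMicroseconds)
        append(UInt16(2)); append(UInt16(4))   // version_major, version_minor
        append(Int32(0))                       // thiszone: always 0
        append(UInt32(0))                      // sigfigs: always 0
        append(snapLen)                        // every incl_len below must be <= this
        append(linkType)
    }

    /// One record: `originalLength` is the on-wire length (bh_datalen),
    /// `bytes` the captured portion (bh_caplen), truncated to snapLen.
    mutating func addRecord(seconds: UInt32, micros: UInt32, originalLength: UInt32, bytes: [UInt8]) {
        let stored = bytes.prefix(Int(snapLen))
        append(seconds); append(micros)        // ts_sec, ts_usec
        append(UInt32(stored.count))           // incl_len: bytes present in the file
        append(originalLength)                 // orig_len: bytes seen on the wire
        data.append(contentsOf: stored)
    }

    private mutating func append<T: FixedWidthInteger>(_ value: T) {
        withUnsafeBytes(of: value) { data.append(contentsOf: $0) }
    }
}

/// Save-panel export; call from the main thread. Atomic write so a cancelled
/// or failed save never leaves a half-written file behind.
func exportViaSavePanel(_ writer: PcapWriter) throws {
    let panel = NSSavePanel()
    panel.allowedContentTypes = [UTType(filenameExtension: "pcap") ?? .data]
    panel.nameFieldStringValue = "capture.pcap"
    guard panel.runModal() == .OK, let url = panel.url else { return }
    try writer.data.write(to: url, options: .atomic)
}

/// Constructed sample, not a real capture: one 60-byte Ethernet broadcast
/// frame (EtherType 0x0806, ARP) with an all-zero body, stamped 2024-01-01T00:00:00Z.
func sampleFile() -> Data {
    var frame: [UInt8] = [0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
                          0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x06]
    frame += [UInt8](repeating: 0, count: 46)
    var w = PcapWriter(linkType: PcapWriter.linkTypeEthernet)
    w.addRecord(seconds: 1_704_067_200, micros: 0,
                originalLength: UInt32(frame.count), bytes: frame)
    return w.data                               // 24 + 16 + 60 bytes
}
```

The snaplen in the global header is a promise about every record that follows; a writer that stores incl_len larger than snaplen produces a file some tools reject, which is why addRecord truncates rather than trusting the caller.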
Same engines as Kestrel Pro, once shipped.
Talon will share the PCAP parser and analysis code with Kestrel Pro on iOS. Different UI, different platform capabilities, same results, once the engine port is complete.
- Flow builder: bidirectional conversations by 5-tuple, direction-aware byte counts
- Host profiler: per-IP profile with protocol distribution and service connections
- DNS extractor: A, AAAA, CNAME, MX, TXT, NS, PTR, SOA, SRV records and response codes
- TCP reassembly: sequence ordering, retransmission dedup, HTTP transaction detection
- Anomaly detection (planned): beaconing, DGA, exfiltration, NXDOMAIN bursts, port scans, five severity levels
- Sensitive-data scanner (planned): credentials and API keys stored as salted SHA-256 fingerprints; raw values never touch disk
- File carver (planned): format-aware carving with dual SHA-256/MD5 fingerprints
Your Mac captures. Your phone watches. (Planned)
Kestrel Link is the planned encrypted local protocol between Talon and Kestrel Sight. Design target: TLS 1.2 with a pre-shared key derived from a six-digit PIN. No accounts. No server. No internet. Not yet implemented on either end — this section describes the intended design.
Pair once.
Design target: enable on Talon → PIN appears → discover on iPhone over Bonjour → enter PIN → both devices derive the same key via HMAC-SHA256. A 32-byte shared secret would live in both Keychains, and later connections would reuse it without a PIN. One caveat to settle before implementing: a six-digit PIN has one million values, so if the other HMAC inputs are visible on the network, anyone who records the pairing can recover a PIN-derived key offline; the usual answer is a PAKE (SPAKE2 or similar), which limits an attacker to online guesses, with a random 32-byte secret as the long-term credential.
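The derivation and its cost, as an added Swift example for the design above, not code from Talon or Kestrel Sight. The page names HMAC-SHA256 but not its inputs, so the construction here is an assumption: the PIN as the HMAC key, a fixed label plus the two device names (already public through Bonjour) as the message. The second function is the whole offline attack against that assumption; the Keychain helper shows the 32-byte result stored as a generic password. Device names, label and PIN are constructed values.

```swift
import CryptoKit
import Foundation
import Security

/// Assumed construction: key = HMAC-SHA256(key: PIN, data: label || names).
/// Names are length-prefixed so "ab"+"c" and "a"+"bc" cannot collide.
func deriveLinkKey(pin: String, macName: String, phoneName: String) -> Data {
    let key = SymmetricKey(data: Data(pin.utf8))
    var transcript = Data("kestrel-link-v1".utf8)        // hypothetical label
    for part in [macName, phoneName] {
        precondition(part.utf8.count < 256, "device name too long for 1-byte prefix")
        transcript.append(UInt8(part.utf8.count))
        transcript.append(contentsOf: part.utf8)
    }
    return Data(HMAC<SHA256>.authenticationCode(for: transcript, using: key))   // 32 bytes
}

/// The cost check. An eavesdropper who recorded the pairing knows every input
/// except the PIN, and a six-digit PIN has exactly 1,000,000 values, so this
/// loop is the complete attack: at most 10^6 HMACs to the shared secret.
func recoverPIN(matching target: Data, macName: String, phoneName: String) -> (pin: String, hmacs: Int)? {
    for n in 0..<1_000_000 {
        let guess = String(format: "%06d", n)
        if deriveLinkKey(pin: guess, macName: macName, phoneName: phoneName) == target {
            return (guess, n + 1)
        }
    }
    return nil
}

/// Keep the 32-byte secret as a Keychain generic password, replacing any
/// earlier pairing with the same peer.
func storeLinkKey(_ key: Data, peer: String) -> OSStatus {
    let item: [String: Any] = [
        kSecClass as String:       kSecClassGenericPassword,
        kSecAttrService as String: "KestrelLink",              // hypothetical service name
        kSecAttrAccount as String: peer,
        kSecValueData as String:   key,
    ]
    SecItemDelete(item as CFDictionary)
    return SecItemAdd(item as CFDictionary, nil)
}

// Constructed demo values, not from the page.
let macName = "Talon on MacBook", phoneName = "Kestrel Sight on iPhone", pin = "482913"
let shared = deriveLinkKey(pin: pin, macName: macName, phoneName: phoneName)
if let hit = recoverPIN(matching: shared, macName: macName, phoneName: phoneName) {
    print("recovered PIN \(hit.pin) after \(hit.hmacs) HMAC-SHA256 evaluations")
}
_ = storeLinkKey(shared, peer: phoneName)
```

Salting the HMAC with a nonce exchanged during discovery does not change the count, because the nonce is in the recording too; only something the attacker cannot see (a PAKE's ephemeral secret, or a high-entropy value shown on screen such as a QR code) moves the search off the attacker's own machine.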
Stream live.
Design target: packet summaries would batch every 250 ms, up to 500 per batch; at a thousand packets per second that is roughly 200 KB/s, or about 200 bytes per summary. Raw payload would remain local until explicitly requested.
Where things stand.
Internal-build milestones. Talon is not yet available to the public and these dates reflect local development progress, not App Store releases. Kestrel Link is a design — its log entry reflects protocol design work, not a working pairing with any shipping iOS app.