fix: udp handling and ipv4 and ipv6 filtering

demo/Dockerfile

@@ -0,0 +1,36 @@
+# syntax=docker/dockerfile:1
+
+# build stage - compile snitch
+FROM golang:1.25.0-bookworm AS builder
+WORKDIR /src
+COPY . .
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go build -o snitch .
+
+# runtime stage - official vhs image has ffmpeg, chromium, ttyd pre-installed
+FROM ghcr.io/charmbracelet/vhs
+
+# install only lightweight tools for fake services
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    apt-get update --allow-releaseinfo-change && apt-get install -y --no-install-recommends \
+    netcat-openbsd \
+    procps \
+    socat \
+    nginx-light
+
+WORKDIR /app
+
+# copy built binary from builder
+COPY --from=builder /src/snitch /app/snitch
+
+# copy demo files
+COPY demo/demo.tape /app/demo.tape
+COPY demo/entrypoint.sh /app/entrypoint.sh
+RUN chmod +x /app/entrypoint.sh
+
+ENV TERM=xterm-256color
+ENV COLORTERM=truecolor
+
+ENTRYPOINT ["/app/entrypoint.sh"]

demo/README.md

@@ -0,0 +1,45 @@
+# Demo Recording
+
+This directory contains files for recording the snitch demo GIF in a controlled Docker environment.
+
+## Files
+
+- `Dockerfile` - builds snitch and sets up fake network services
+- `demo.tape` - VHS script that records the demo
+- `entrypoint.sh` - starts fake services before recording
+
+## Recording the Demo
+
+From the project root:
+
+```bash
+# build the demo image
+docker build -f demo/Dockerfile -t snitch-demo .
+
+# run and output demo.gif to this directory
+docker run --rm -v $(pwd)/demo:/output snitch-demo
+```
+
+The resulting `demo.gif` will be saved to this directory.
+
+## Fake Services
+
+The container runs several fake services to demonstrate snitch:
+
+| Service | Port | Protocol |
+|---------|------|----------|
+| nginx   | 80   | TCP      |
+| web app | 8080 | TCP      |
+| node    | 3000 | TCP      |
+| postgres| 5432 | TCP      |
+| redis   | 6379 | TCP      |
+| mongo   | 27017| TCP      |
+| mdns    | 5353 | UDP      |
+| ssdp    | 1900 | UDP      |
+
+Plus some simulated established connections between services.
+
+## Customizing
+
+Edit `demo.tape` to change what's shown in the demo. See [VHS documentation](https://github.com/charmbracelet/vhs) for available commands.
+

demo/demo.tape

@@ -0,0 +1,99 @@
+# VHS tape file for snitch demo
+# run with: docker build -f demo/Dockerfile -t snitch-demo . && docker run -v $(pwd)/demo:/output snitch-demo
+
+Output demo.gif
+
+Set Shell "bash"
+Set FontSize 14
+Set FontFamily "DejaVu Sans Mono"
+Set Width 1400
+Set Height 700
+Set Theme "Catppuccin Frappe"
+Set Padding 15
+Set Framerate 24
+Set TypingSpeed 40ms
+
+# force color output
+Env TERM "xterm-256color"
+Env COLORTERM "truecolor"
+Env CLICOLOR "1"
+Env CLICOLOR_FORCE "1"
+Env FORCE_COLOR "1"
+
+# launch snitch
+Type "./snitch top"
+Enter
+Sleep 2s
+
+# navigate down through connections
+Down
+Sleep 400ms
+Down
+Sleep 400ms
+Down
+Sleep 400ms
+Down
+Sleep 400ms
+Down
+Sleep 1s
+
+# open detail view for selected connection
+Enter
+Sleep 2s
+
+# close detail view
+Escape
+Sleep 1s
+
+# search for nginx
+Type "/"
+Sleep 500ms
+Type "nginx"
+Sleep 1s
+Enter
+Sleep 2s
+
+# clear search
+Type "/"
+Sleep 300ms
+Escape
+Sleep 1s
+
+# filter: hide udp, show only tcp
+Type "u"
+Sleep 1.5s
+
+# show only listening connections
+Type "e"
+Sleep 1.5s
+Type "o"
+Sleep 1.5s
+
+# reset to show all
+Type "a"
+Sleep 1.5s
+
+# cycle through sort options
+Type "s"
+Sleep 1s
+Type "s"
+Sleep 1s
+Type "s"
+Sleep 1s
+
+# reverse sort order
+Type "S"
+Sleep 1.5s
+
+# show help screen
+Type "?"
+Sleep 3s
+
+# close help
+Escape
+Sleep 1s
+
+# quit
+Type "q"
+Sleep 300ms
+

demo/entrypoint.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# entrypoint script that creates fake network services for demo
+
+set -e
+
+echo "starting demo services..."
+
+# start nginx on port 80
+nginx &
+sleep 0.5
+
+# start some listening services with socat (stderr silenced)
+socat TCP-LISTEN:8080,fork,reuseaddr SYSTEM:"echo HTTP/1.1 200 OK" 2>/dev/null &
+socat TCP-LISTEN:3000,fork,reuseaddr SYSTEM:"echo hello" 2>/dev/null &
+socat TCP-LISTEN:5432,fork,reuseaddr SYSTEM:"echo postgres" 2>/dev/null &
+socat TCP-LISTEN:6379,fork,reuseaddr SYSTEM:"echo redis" 2>/dev/null &
+socat TCP-LISTEN:27017,fork,reuseaddr SYSTEM:"echo mongo" 2>/dev/null &
+
+# create some "established" connections by connecting to our own services
+sleep 0.5
+(while true; do echo "ping" | nc -q 1 localhost 8080 2>/dev/null; sleep 2; done) >/dev/null 2>&1 &
+(while true; do echo "ping" | nc -q 1 localhost 3000 2>/dev/null; sleep 2; done) >/dev/null 2>&1 &
+(while true; do curl -s http://localhost:80 >/dev/null 2>&1; sleep 3; done) &
+
+# udp listeners
+socat UDP-LISTEN:5353,fork,reuseaddr SYSTEM:"echo mdns" 2>/dev/null &
+socat UDP-LISTEN:1900,fork,reuseaddr SYSTEM:"echo ssdp" 2>/dev/null &
+
+sleep 1
+echo "services started, recording demo..."
+
+# run vhs to record the demo
+cd /app
+vhs demo.tape
+
+echo "demo recorded, copying output..."
+
+# output will be in /app/demo.gif
+cp /app/demo.gif /output/demo.gif 2>/dev/null || echo "output copied"
+
+echo "done!"