netcap

package module
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 8, 2019 License: GPL-3.0 Imports: 16 Imported by: 5

README




Go Report Card License Golang Linux macOS windows GoDoc Homepage Documentation

The Netcap (NETwork CAPture) framework efficiently converts a stream of network packets into platform neutral type-safe structured audit records that represent specific protocols or custom abstractions. These audit records can be stored on disk or exchanged over the network, and are well suited as a data source for machine learning algorithms. Since parsing of untrusted input can be dangerous and network data is potentially malicious, implementation was performed in a programming language that provides a garbage collected memory safe runtime.

It was developed for a series of experiments in my bachelor thesis: Implementation and evaluation of secure and scalable anomaly-based network intrusion detection. Slides from my presentation at the Leibniz Supercomputing Centre of the Bavarian Academy of Sciences and Humanities are available on researchgate.

The project won the 2nd Place at Kaspersky Labs SecurIT Cup 2018 in Budapest.

Netcap uses Google's Protocol Buffers to encode its output, which allows accessing it across a wide range of programming languages. Alternatively, output can be emitted as comma separated values, which is a common input format for data analysis tools and systems. The tool is extensible and provides multiple ways of adding support for new protocols, while implementing the parsing logic in a memory safe way. It provides high dimensional data about observed traffic and allows the researcher to focus on experimenting with novel approaches for detecting malicious behavior in network environments, instead of fiddling with data collection mechanisms and post processing steps. It has a concurrent design that makes use of multi-core architectures. The name Netcap was chosen to be simple and descriptive. The command-line tool was designed with usability and readability in mind, and displays progress when processing packets. The latest version offers 58 audit record types of which 53 are protocol specific and 5 are flow models.

For more details please refer to the Documentation, visit the Homepage and read the thesis.

A simple demonstration of generating audit records from a PCAP dump file, querying and displaying the collected information in various ways:

asciicast

And live operation decoding traffic from my wireless network interface, while I am surfing the web:

asciicast

Design Goals

  • memory safety when parsing untrusted input
  • ease of extension
  • output format interoperable with many different programming languages
  • concurrent design
  • output with small storage footprint on disk
  • maximum data availability
  • allow implementation of custom abstractions
  • rich platform and architecture support

Use Cases

  • monitoring honeypots
  • monitoring medical / industrial devices
  • research on anomaly-based detection mechanisms
  • Forensic data analysis

License

Netcap is licensed under the GNU General Public License v3, which is a very permissive open source license, that allows others to do almost anything they want with the project, except to distribute closed source versions. This license type was chosen with Netcaps research purpose in mind, and in the hope that it leads to further improvements and new capabilities contributed by other researchers on the long term.

Documentation

Overview

This file was generated. Do not edit.

Index

Constants

This section is empty.

Variables

View Source 
var (

	// BlockSize is the file system block size
	BlockSize int
)
View Source 
var Version = "v0.4.0"

Netcap version.

Functions

func CloseFile added in v0.4.0 

func CloseFile(outDir string, file *os.File, typ string) (name string, size int64)

CloseFile closes the netcap file handle and removes files that do only contain a header but no audit records

func CloseGzipWriters added in v0.4.0 

func CloseGzipWriters(writers ...*gzip.Writer)

func Count 

func Count(filename string) (count int64)

Count returns the total number of records found in an audit record file

func CreateFile added in v0.4.0 

func CreateFile(name, ext string) *os.File

CreateFile is a wrapper to create new audit record file

func Dump 

func Dump(path string, separator string, tsv bool, structured bool, table bool, selection string, utc bool, fields bool)

Dump reads the specified netcap file and dumps the output according to the configuration to stdout

func FlushWriters added in v0.4.0 

func FlushWriters(writers ...flushableWriter)

func InitRecord 

func InitRecord(typ types.Type) (record proto.Message)

InitRecord initializes a new record of the given type that conforms to the proto.Message interface if netcap is extended with new audit records they need to be added here as well

func NewHeader added in v0.4.0 

func NewHeader(t types.Type, source, version string, includesPayloads bool) *types.Header

NewHeader creates and returns a new netcap audit file header 

func PrintLogo()

PrintLogo prints the netcap logo

func RemoveAuditRecordFileIfEmpty added in v0.4.0 

func RemoveAuditRecordFileIfEmpty(name string) (size int64)

RemoveAuditRecordFileIfEmpty removes the audit record file if it does not contain audit records

Types

type Reader 

type Reader struct {
	// contains filtered or unexported fields
}

Reader implements reading netcap files

func Open 

func Open(file string) (*Reader, error)

Open a file

func (*Reader) Close 

func (r *Reader) Close() error

Close the file

func (*Reader) Next 

func (r *Reader) Next(msg proto.Message) error

Next Message

func (*Reader) ReadHeader 

func (r *Reader) ReadHeader() *types.Header

ReadHeader reads the file header

type Writer added in v0.4.0 

type Writer struct {

	// Name of the associated audit record type
	Name string

	IsChanWriter bool
	// contains filtered or unexported fields
}

Writer supports writing audit records to disk

func NewWriter added in v0.4.0 

func NewWriter(name string, buffer, compress, csv bool, out string, writeChan bool) *Writer

NewWriter initializes and configures a new Writer

func (*Writer) Close added in v0.4.0 

func (w *Writer) Close() (name string, size int64)

func (*Writer) GetChan added in v0.4.0 

func (w *Writer) GetChan() <-chan []byte

func (*Writer) Write added in v0.4.0 

func (w *Writer) Write(msg proto.Message) error

func (*Writer) WriteCSV added in v0.4.0 

func (w *Writer) WriteCSV(msg proto.Message) (int, error)

WriteCSV writes a csv record

func (*Writer) WriteCSVHeader added in v0.4.0 

func (w *Writer) WriteCSVHeader(msg proto.Message) (int, error)

WriteCSVHeader writes a CSV record

func (*Writer) WriteHeader added in v0.4.0 

func (w *Writer) WriteHeader(t types.Type, source string, version string, includesPayloads bool) error

func (*Writer) WriteProto added in v0.4.0 

func (w *Writer) WriteProto(msg proto.Message) error

WriteProto writes a protobuf message

Source Files

View all Source files

Directories

Path Synopsis
cmd
agent command
capture command
collect command
dump command
export command
label command
proxy command
util command
* NETCAP - Traffic Analysis Framework * Copyright (c) 2017 Philipp Mieden <dreadl0ck [at] protonmail [dot] ch> * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS.
 * NETCAP - Traffic Analysis Framework * Copyright (c) 2017 Philipp Mieden <dreadl0ck [at] protonmail [dot] ch> * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS.
helpers module

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.