README
¶
Netcap (NETwork CAPture) converts network packets into structured, type-safe Protocol Buffer audit records — designed for security monitoring, forensic analysis, and machine learning. A single Go binary with 83 packet decoders, 40+ stream decoders, and 141+ audit record types, backed by a concurrent architecture and a built-in web UI.
Protocol hierarchy visualization in the Netcap web UI — more screenshots
Features
Protocol Analysis
- 83 packet-layer decoders — Ethernet, IPv4/6, TCP, UDP, DNS, DHCP, ARP, TLS ClientHello/ServerHello, ICMP, NTP, SIP, OSPF, BGP, MPLS, GRE, VXLAN, 802.11, and many more
- 40+ stream decoders — TLS, SSH, HTTP/2, QUIC, SMB, FTP, SMTP, POP3, IMAP, IRC, Kerberos, DCERPC, and more
- Industrial protocols — Modbus, S7Comm, DNP3, OPC-UA, PROFINET, BACnet, CIP, IEC 62351
- Full TCP/UDP stream reassembly with configurable limits
Web UI
Built-in React (Vite + TypeScript) dashboard in service mode with interactive visualizations:
- Sankey diagrams, treemaps, 3D scatter plots, geo maps, host communication graphs
- Record browsing with JSON/UI views and field-level filtering
- Protocol statistics, connection analysis, host profiling, alert management
See the Gallery for screenshots.
Security Analysis
- JA4 fingerprinting — JA4, JA4S, JA4H, JA4SSH, JA4X for TLS, HTTP, SSH, and X.509 classification
- YARA rules — file scanning with compiled yara-x rules for malware detection
- Magika AI — Google's AI-based file type classification on extracted files
- Credential harvesting detection — configurable protocol-aware credential capture
- File extraction — extract files from HTTP, FTP, SMTP, POP3, IMAP, SMB, IRC with hashing (MD5, SHA1, SHA256) and MIME detection
- Detection rules — 30+ YAML rule categories covering reconnaissance, exfiltration, web attacks, industrial ports, and more
Output Formats
- Protocol Buffers (default) — compact binary, accessible from any language
- CSV — configurable separators for data analysis pipelines
- JSON — human-readable structured output
- Elasticsearch — direct bulk indexing for ELK stack analysis
Enrichment
- DNS reverse resolution
- GeoIP geolocation (MaxMind)
- MAC vendor lookup
- Deep Packet Inspection (optional, via nDPI/libprotoident)
Integrations
- Prometheus + Grafana — real-time metrics and dashboards
- Elasticsearch + Kibana — full-text search and visualization
- Maltego — 45+ OSINT entity types and transforms
Distributed Capture
Agent/collector architecture for multi-sensor deployments with encrypted communication and configurable collection servers.
Quick Start
Pre-built binaries are available on the Releases page. To build from source:
# Build (requires libpcap)
go build -o net ./cmd/
# Build without DPI (fewer C dependencies)
go build -tags=nodpi -o net ./cmd/
# Capture from PCAP file
./net capture -read traffic.pcap
# Live capture
sudo ./net capture -iface en0
# Service mode (starts web UI)
./net capture -read traffic.pcap --service
# Service mode with hot reload (development)
air
Subcommands
| Command | Description |
|---|---|
capture |
Capture audit records from live interfaces or PCAP files; --service enables the web UI |
dump |
Read and display audit record files in CSV, JSON, or table format |
label |
Apply attack labels to audit records using Suricata or CSV mappings |
collect |
Collection server for receiving data from distributed agents |
agent |
Sensor agent for distributed capture on remote hosts |
proxy |
HTTP/HTTPS reverse proxy with MITM traffic inspection |
export |
Export audit records with Prometheus metrics exposure |
transform |
Maltego OSINT transform plugin |
util |
Utilities: timestamp conversion, interface listing, database generation, search indexing |
inject |
Inline packet manipulation via NFQueue (Linux) |
split |
Split audit record files |
Docker
Pre-built images are available for multiple configurations:
| Image | Description |
|---|---|
| Alpine | Minimal image with full DPI support |
| Alpine (nodpi) | Lightweight, no DPI dependencies |
| Ubuntu | Full-featured Ubuntu-based image |
| Service | Web UI service mode image |
See the docker/ directory for all Dockerfiles and build variants.
Documentation
- Documentation — full usage guide
- Homepage — project homepage
- DeepWiki — AI-powered codebase exploration
- Thesis — original research paper
Contributing
Contributions welcome — from protocol decoder additions to core framework improvements.
Development Setup:
Please use the bug report template for issue reports.
License
Netcap is licensed under the GNU General Public License v3, which is a very permissive open source license, that allows others to do almost anything they want with the project, except to distribute closed source versions. This license type was chosen with Netcap's research purpose in mind, and in the hope that it leads to further improvements and new capabilities contributed by other researchers on the long term.
Documentation
¶
Overview ¶
Package netcap is a framework for network traffic analysis. Learn more at https://netcap.io.
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var Commit = "3febd0df4e6f38cd6df58be474829a7631fd0e28"
Commit is the git commit id of the current version.
View Source
var GopacketVersion = "v1.5.0"
GopacketVersion is the version of gopacket library used.
View Source
var Version = "v0.9.0"
Version is the current version identifier for netcap.
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
analyze
command
|
|
|
inject
Package inject provides the inject subcommand for inline packet manipulation.
|
Package inject provides the inject subcommand for inline packet manipulation. |
|
Package collector provides a mechanism to collect network packets from a network interface on macOS, linux and windows
|
Package collector provides a mechanism to collect network packets from a network interface on macOS, linux and windows |
|
packet
Package packet Package decoder implements decoders to transform network packets into protocol buffers for various protocols
|
Package packet Package decoder implements decoders to transform network packets into protocol buffers for various protocols |
|
stream/network
Package network handles network-layer protocol conversations (ICMP, IGMP, GRE, etc.) that don't have a transport layer.
|
Package network handles network-layer protocol conversations (ICMP, IGMP, GRE, etc.) that don't have a transport layer. |
|
stream/quic
Package quic implements QUIC protocol analysis for both gQUIC and IETF QUIC.
|
Package quic implements QUIC protocol analysis for both gQUIC and IETF QUIC. |
|
Package defaults contains default settings for the netcap core.
|
Package defaults contains default settings for the netcap core. |
|
Package dpi implements an interface for application layer classification via bindings to nDPI and libprotoident
|
Package dpi implements an interface for application layer classification via bindings to nDPI and libprotoident |
|
Package firewall provides iptables integration for automated response actions.
|
Package firewall provides iptables integration for automated response actions. |
|
helpers
module
|
|
|
Package injection provides packet manipulation and injection capabilities for offensive security testing and network research.
|
Package injection provides packet manipulation and injection capabilities for offensive security testing and network research. |
|
internal
|
|
|
archive
Package archive provides utilities for working with compressed archives.
|
Package archive provides utilities for working with compressed archives. |
|
cryptoutils
Package cryptoutils implements cryptographic primitives used by netcap for secure communication between distributed components.
|
Package cryptoutils implements cryptographic primitives used by netcap for secure communication between distributed components. |
|
delimited
Package delimited implements a simple reader and writer for streams of length-delimited byte records.
|
Package delimited implements a simple reader and writer for streams of length-delimited byte records. |
|
env
Package env contains static environment variable names that netcap uses.
|
Package env contains static environment variable names that netcap uses. |
|
helpers
Package helpers provides utilities for testing Netcap components
|
Package helpers provides utilities for testing Netcap components |
|
ja4
Package ja4 implements the JA4+ fingerprinting suite.
|
Package ja4 implements the JA4+ fingerprinting suite. |
|
metrics
Package metrics provides primitives for instrumentation via prometheus
|
Package metrics provides primitives for instrumentation via prometheus |
|
table
Package table provides simple ASCII table rendering for terminal output.
|
Package table provides simple ASCII table rendering for terminal output. |
|
Package io implements IO primitives
|
Package io implements IO primitives |
|
Package label implements mapping alerts from suricata to netcap audit records
|
Package label implements mapping alerts from suricata to netcap audit records |
|
Package magika provides AI-based file type classification using the Google Magika Rust CLI.
|
Package magika provides AI-based file type classification using the Google Magika Rust CLI. |
|
Package reassembly provides TCP stream re-assembly.
|
Package reassembly provides TCP stream re-assembly. |
|
Package resolvers implements primitives to resolve various identifiers against external data
|
Package resolvers implements primitives to resolve various identifiers against external data |
|
Package types Contains the type definitions for the supported network protocols
|
Package types Contains the type definitions for the supported network protocols |
Click to show internal directories.
Click to hide internal directories.