netcap

A framework for secure and scalable network traffic analysis.

The Netcap (NETwork CAPture) framework efficiently converts a stream of network packets into platform-neutral, type-safe structured audit records that represent specific protocols or custom abstractions. These audit records can be stored on disk or exchanged over the network, and are well suited as a data source for machine learning algorithms. Since parsing untrusted input can be dangerous and network data is potentially malicious, the implementation uses a programming language that provides a garbage-collected, memory-safe runtime.

Netcap uses Google's Protocol Buffers to encode its output, which makes the output accessible from a wide range of programming languages. Alternatively, output can be emitted as comma-separated values, a common input format for data analysis tools and systems. The tool is extensible and provides multiple ways of adding support for new protocols, while implementing the parsing logic in a memory-safe way. It provides high-dimensional data about observed traffic and allows the researcher to focus on experimenting with novel approaches for detecting malicious behavior in network environments, instead of fiddling with data collection mechanisms and post-processing steps. It has a concurrent design that makes use of multi-core architectures. The name Netcap was chosen to be simple and descriptive. The command-line tool was designed with usability and readability in mind, and displays progress when processing packets. The latest version offers 58 audit record types, of which 53 are protocol specific and 5 are flow models.

Design Goals:
- memory safety when parsing untrusted input
- ease of extension
- output format interoperable with many different programming languages
- concurrent design
- output with small storage footprint on disk
- gather everything, separate what can be understood from what can't
- allow implementation of custom abstractions
- rich platform and architecture support
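
The sketch below is an added example, not Netcap's own code: it shows the pattern the description and design goals point at, decoding untrusted bytes into a typed record with explicit length checks, emitting CSV, and keeping undecodable input apart rather than discarding it. The names UDPRecord, DecodeUDP, ToCSV and Sample are hypothetical, and the input is assumed to be raw UDP datagrams with the lower layers already stripped.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// UDPRecord is a hypothetical typed audit record, not Netcap's own type.
type UDPRecord struct {
	SrcPort, DstPort, Length uint16
	PayloadSize              int
}

// DecodeUDP parses untrusted bytes; malformed input yields an error, never a panic.
func DecodeUDP(b []byte) (*UDPRecord, error) {
	if len(b) < 8 {
		return nil, fmt.Errorf("truncated UDP header: %d bytes", len(b))
	}
	be := binary.BigEndian
	r := &UDPRecord{SrcPort: be.Uint16(b[0:]), DstPort: be.Uint16(b[2:]), Length: be.Uint16(b[4:])}
	// The sender-controlled length must cover the header and fit the captured bytes.
	if r.Length < 8 || int(r.Length) > len(b) {
		return nil, fmt.Errorf("length field %d inconsistent with %d captured bytes", r.Length, len(b))
	}
	r.PayloadSize = int(r.Length) - 8
	return r, nil
}

// ToCSV writes decoded datagrams as rows and returns undecodable inputs separately.
func ToCSV(datagrams [][]byte) (csv string, unknown [][]byte) {
	var sb strings.Builder
	sb.WriteString("SrcPort,DstPort,Length,PayloadSize\n")
	for _, d := range datagrams {
		r, err := DecodeUDP(d)
		if err != nil {
			unknown = append(unknown, d) // kept for later inspection, not dropped
			continue
		}
		fmt.Fprintf(&sb, "%d,%d,%d,%d\n", r.SrcPort, r.DstPort, r.Length, r.PayloadSize)
	}
	return sb.String(), unknown
}

// Sample is constructed input: a valid datagram, a truncated one, an overclaimed length.
var Sample = [][]byte{{0, 53, 192, 1, 0, 10, 0, 0, 0xde, 0xad}, {0, 53, 192}, {0, 53, 192, 1, 0xff, 0xff, 0, 0}}
func main() {
	out, unknown := ToCSV(Sample)
	fmt.Printf("%s%d undecodable\n", out, len(unknown))
}
```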

Use Cases:
- monitoring honeypots
- monitoring medical / industrial devices
- research on anomaly-based detection mechanisms
- forensic data analysis

Framework Components:
- capture (capture audit records live or from dumpfiles)
- dump (dump with audit records in various formats)
- label (tool for creating labeled CSV datasets from netcap data)
- collect (collection server for distributed collection)
- agent (sensor agent for distributed collection)
- proxy (HTTP reverse proxy for capturing traffic from web services)
- util (utility tool for validating audit records and converting timestamps)
- export (exporter for Prometheus metrics)
- transform (Maltego transformation plugin)