Netcap


The Netcap (NETwork CAPture) framework efficiently converts a stream of network packets into platform-neutral, type-safe, structured audit records that represent specific protocols or custom abstractions. These audit records can be stored on disk or exchanged over the network, and are well suited as a data source for machine learning algorithms. Since parsing untrusted input is dangerous and network data is potentially malicious, the implementation is written in Go, whose garbage-collected, memory-safe runtime turns out-of-bounds reads and writes in a protocol decoder into runtime errors rather than memory corruption. Memory safety alone does not keep a sensor up, though: a decoder that panics on a malformed length field is still a denial-of-service target, so explicit length validation of every untrusted field remains necessary.

It was developed for a series of experiments in my bachelor thesis: Implementation and evaluation of secure and scalable anomaly-based network intrusion detection. Slides from my presentation at the Leibniz Supercomputing Centre of the Bavarian Academy of Sciences and Humanities are available on ResearchGate.

The project won the 2nd Place at Kaspersky Labs SecurIT Cup 2018 in Budapest.

Netcap uses Google's Protocol Buffers to encode its output, which makes the records accessible from a wide range of programming languages. Alternatively, output can be emitted as comma separated values (CSV), a common input format for data analysis tools and systems. The tool is extensible and provides multiple ways of adding support for new protocols while keeping the parsing logic memory safe. It provides high-dimensional data about observed traffic and lets the researcher focus on experimenting with novel approaches for detecting malicious behaviour in network environments instead of fiddling with data collection mechanisms and post-processing steps. Its concurrent design makes use of multi-core architectures. The name Netcap was chosen to be simple and descriptive. The command-line tool was designed with usability and readability in mind, and displays progress while processing packets. The latest version offers 58 audit record types, of which 53 are protocol specific and 5 are flow models.

For more details please refer to the Documentation, visit the Homepage and read the thesis.

Two asciicast recordings accompany the README: a simple demonstration of generating audit records from a PCAP dump file, then querying and displaying the collected information in various ways, and a live session decoding traffic from my wireless network interface while I am surfing the web.

Design Goals

  • memory safety when parsing untrusted input
  • ease of extension
  • output format interoperable with many different programming languages
  • concurrent design
  • output with small storage footprint on disk
  • gather everything, separate what can be understood from what can't
  • allow implementation of custom abstractions
  • rich platform and architecture support
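
To make the first and the "gather everything" design goals concrete, here is an added example, written for this page and not code from the Netcap project, of a minimal decoder in the style the goals describe: it parses a constructed Ethernet/IPv4/UDP frame into a typed record, validates every length field against the bytes actually captured before using it as a slice bound, keeps whatever it could not decode as an opaque payload instead of dropping the frame, and renders the record as CSV. The record fields, the Decoded marker and the sample frame are assumptions made for the illustration; Netcap's own audit record types are defined by its protobuf schemas.

```go
package main

import (
	"encoding/binary"
	"encoding/csv"
	"errors"
	"fmt"
	"net"
	"os"
	"strconv"
)

// AuditRecord is a flat, typed view of one frame (assumed shape, not netcap's).
// Decoded says how far decoding got; Payload holds whatever lies beyond the
// last header understood, so an undecodable frame still yields a record.
type AuditRecord struct {
	Timestamp int64
	EtherType uint16
	SrcIP     net.IP
	DstIP     net.IP
	Proto     uint8
	SrcPort   uint16
	DstPort   uint16
	Decoded   string // "raw", "ethernet", "ipv4" or "udp"
	Payload   []byte
}

var ErrTruncated = errors.New("frame truncated")

// ParseFrame decodes Ethernet II -> IPv4 -> UDP with an explicit length check
// before every field access. Go would panic on an out-of-range slice rather
// than read stray memory, but a panic per malformed packet is a cheap denial
// of service against a sensor, so malformed input is reported as an error.
func ParseFrame(ts int64, frame []byte) (AuditRecord, error) {
	rec := AuditRecord{Timestamp: ts, Decoded: "raw", Payload: frame}
	if len(frame) < 14 {
		return rec, ErrTruncated
	}
	rec.EtherType = binary.BigEndian.Uint16(frame[12:14])
	rec.Decoded, rec.Payload = "ethernet", frame[14:]
	if rec.EtherType != 0x0800 { // not IPv4 (802.1Q tags are not unwrapped here)
		return rec, nil
	}
	ip := frame[14:]
	if len(ip) < 20 {
		return rec, ErrTruncated
	}
	ihl := int(ip[0]&0x0f) * 4
	total := int(binary.BigEndian.Uint16(ip[2:4]))
	// Both lengths come from the attacker-controlled header: validate them
	// against the bytes actually captured before using them as slice bounds.
	if ip[0]>>4 != 4 || ihl < 20 || total < ihl || total > len(ip) {
		return rec, errors.New("inconsistent ipv4 header lengths")
	}
	rec.SrcIP, rec.DstIP, rec.Proto = net.IP(ip[12:16]), net.IP(ip[16:20]), ip[9]
	rec.Decoded, rec.Payload = "ipv4", ip[ihl:total]
	if rec.Proto != 17 {
		return rec, nil
	}
	udp := rec.Payload
	if len(udp) < 8 {
		return rec, ErrTruncated
	}
	ulen := int(binary.BigEndian.Uint16(udp[4:6]))
	if ulen < 8 || ulen > len(udp) {
		return rec, errors.New("inconsistent udp length")
	}
	rec.SrcPort, rec.DstPort = binary.BigEndian.Uint16(udp[0:2]), binary.BigEndian.Uint16(udp[2:4])
	rec.Decoded, rec.Payload = "udp", udp[8:ulen]
	return rec, nil
}

// CSVRow renders the record as comma separated values; nil IPs become "".
func (r AuditRecord) CSVRow() []string {
	ip := func(a net.IP) string {
		if a == nil {
			return ""
		}
		return a.String()
	}
	return []string{
		strconv.FormatInt(r.Timestamp, 10), fmt.Sprintf("0x%04x", r.EtherType),
		ip(r.SrcIP), ip(r.DstIP), strconv.Itoa(int(r.Proto)),
		strconv.Itoa(int(r.SrcPort)), strconv.Itoa(int(r.DstPort)),
		r.Decoded, strconv.Itoa(len(r.Payload)),
	}
}

// SampleFrame is a constructed 46-byte Ethernet/IPv4/UDP frame carrying a
// 4-byte payload from 10.0.0.1:49152 to 10.0.0.2:53; it is not captured traffic.
func SampleFrame() []byte {
	return []byte{
		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00, // Ethernet, IPv4
		0x45, 0x00, 0x00, 0x20, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00, // IPv4, total length 32, UDP
		10, 0, 0, 1, 10, 0, 0, 2,
		0xc0, 0x00, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00, // UDP 49152 -> 53, length 12
		'D', 'N', 'S', '?',
	}
}

func main() {
	f := SampleFrame()
	arp := append(append([]byte{}, f[:12]...), 0x08, 0x06, 0x00, 0x01) // EtherType ARP, 2 payload bytes
	w := csv.NewWriter(os.Stdout)
	defer w.Flush()
	w.Write([]string{"ts", "ethertype", "src", "dst", "proto", "sport", "dport", "decoded", "payload_len", "error"})
	for i, in := range [][]byte{f, f[:30], arp} {
		rec, err := ParseFrame(int64(i), in)
		row := append(rec.CSVRow(), "")
		if err != nil {
			row[len(row)-1] = err.Error()
		}
		w.Write(row)
	}
}
```

The three output rows share one schema: a fully decoded datagram, a truncated copy of it (decoding stops at Ethernet, the error is recorded in the row and the bytes are kept as payload), and an ARP frame the decoder does not understand but still accounts for.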

Use Cases

  • monitoring honeypots
  • monitoring medical / industrial devices
  • research on anomaly-based detection mechanisms
  • forensic data analysis

Framework Components

The framework consists of 9 logically separate tools compiled into a single binary:

  • capture (capture audit records live or from dump files)
  • dump (dump audit records in various formats)
  • label (tool for creating labeled CSV datasets from netcap data)
  • collect (collection server for distributed collection)
  • agent (sensor agent for distributed collection)
  • proxy (HTTP reverse proxy for capturing traffic from web services)
  • util (utility tool for validating audit records and converting timestamps)
  • export (exporter for Prometheus metrics)
  • transform (Maltego transformation plugin)

Integrations

Prometheus Metrics

Example dashboards exist for an overview of all observed traffic and for HTTP specifically.

You can read more about the Prometheus integration in the docs.

Maltego

Example transforms:

  • extract DHCP information about local network devices from a PCAP dump file
  • HTTP file extraction
  • HTTP parameter command injection analysis

You can read more about the Maltego integration in the docs.

Contributing

Contributions welcome, there's plenty of stuff to do, from simple additions to low level framework engineering!

Please see the Contributing Page for more information.

Bug Reports

If you encounter a bug while using Netcap, please fill out the bug report template and open a GitHub issue.

License

Netcap is licensed under the GNU General Public License v3. GPLv3 is a copyleft license: anyone may use, study, modify and redistribute the project, but distributed derivatives must be released under the same license, which rules out closed-source versions. This license was chosen with Netcap's research purpose in mind, in the hope that it leads to further improvements and new capabilities contributed by other researchers in the long term.


Contributors

0xflotus, dreadl0ck, fossabot, giacomo270197, glaslos, negbie, pandry


Issues

error while trying to install command line tool

Hello,

Currently I'm trying to install netcap on an Ubuntu system.
Current version of Ubuntu I'm running:
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"

I've installed Golang using following guide:
https://www.tecmint.com/install-go-in-linux/

After running command:
$ go build -o $GOPATH/bin/netcap -i github.com/dreadl0ck/netcap/cmd/...

I receive the binaries within the directory, as expected:
$GOPATH/bin/netcap/
with the go binaries: agent capture collect dump export label proxy util

After running the shell script:
chmod u+x install-netcap.sh
./install-netcap.sh

I get the following error:
can't load package: package github.com/dreadl0ck/netcap/cmd: no Go files in /home/aaron/go/src/github.com/dreadl0ck/netcap/cmd

I'm unsure of what I did wrong

"Net" command throws error

Hi,

I followed the detailed steps to download Netcap for Kali, but when I punched in "net" in my terminal, I was thrown "Invalid command: net". May I know what the cause is, or whether there are configuration issues that I have errored?

Error:
┌──(kali㉿kali)-[~/…/src/github.com/dreadl0ck/netcap]
└─$ net 1 ⚙
Invalid command: net

Really hard to install

Hi,

This project looks great and i'm really interested in the maltego transform but for the life of me I can't install it.

  • Version 5.2 doesn't seem to exist on GitHub
  • The Maltego transform for version 5.2 doesn't work with the latest build - no GetDevices transform
  • On Windows there are loads of fixed references to /usr/local/bin so whilst it looks like it the binary should work it doesn't
  • On Linux the commands for building the package don't work with the latest version of Go
  • The commands on the documentation site for building don't work for me

I'd really like to help out on this but the barrier to entry is quite high at the moment.

ndpi_main.h

Hi,

For Go 1.17.1 the wrapper for nDPI is generating the following issue:

nDPI_wrapper.go:6: ./nDPI_wrapper_impl.h:3:10: fatal error: 'ndpi/ndpi_main.h' file not found #include <ndpi/ndpi_main.h> ^~~~~~~~~~~~~~~~~~

Error when installing netcap on Ubuntu18

Description:

When installing netcap on an Ubuntu 18 setup in Visual Studio Code I get the following error:

github.com/dreadl0ck/netcap/encoder
go/src/github.com/dreadl0ck/netcap/encoder/tls.go:51:17: hello.Unmarshall undefined (type tlsx.ClientHello has no field or method Unmarshall)
go/src/github.com/dreadl0ck/netcap/encoder/tls.go:55:3: use of untyped nil
go/src/github.com/dreadl0ck/netcap/encoder/tls.go:131:37: cannot use hello (type *tlsx.ClientHello) as type *tlsx.ClientHelloBasic in argument to ja3.DigestHex

Do I need to install some additional package on Linux, or is there a specific version that I should use?

How to integrate with maltego on windows

I tried integrating with Maltego on Windows, changing the path to the net.exe file.
An error occurred parsing the .pcap file:
2023/08/17 16:55:56 os.Args: [netcap.exe transform openNetcapFolder handshake-failure.pcap properties.filename=handshake-failure.pcap#property.atts31415237681098=1|null|]
2023/08/17 16:55:56 created open command: cmd [/C start .net]
2023/08/17 16:55:56 vals map[handshake-failure.pcap: openNetcapFolder: properties.filename:handshake-failure.pcap property.atts31415237681098:1|null| transform:]
2023/08/17 16:55:56 command for opening path: cmd
2023/08/17 16:55:58 The system cannot find the file .net.
exit status 1
The system cannot find the file .net. : exit status 1

: input file path property not set
2023/08/17 16:57:40 os.Args: [netcap.exe transform toAuditRecordsUsingDPI handshake-failure.pcap properties.filename=handshake-failure.pcap#property.atts31415237681098=1|null|]
2023/08/17 16:57:40 input file path property not set

net.collect error after some minutes of running

Hello, I encounter an error when the net.collect module runs after some minutes.
Any help?

panic: runtime error: index out of range

goroutine 194 [running]:
compress/flate.(*huffmanBitWriter).indexTokens(0xc00011e1e0, 0xc0009d0000, 0x4001, 0x4001, 0xc00006bc58, 0x4db6d5)
/usr/local/go/src/compress/flate/huffman_bit_writer.go:551 +0x2d8
compress/flate.(*huffmanBitWriter).writeBlock(0xc00011e1e0, 0xc0009d0000, 0x4001, 0x4001, 0x6e00, 0xc0009c6de1, 0x8949, 0x921f)
/usr/local/go/src/compress/flate/huffman_bit_writer.go:440 +0xa1
compress/flate.(*compressor).writeBlock(0xc00091e000, 0xc0009d0000, 0x4000, 0x4001, 0xf72a, 0x19, 0x6ef0)
/usr/local/go/src/compress/flate/deflate.go:170 +0xc2
compress/flate.(*compressor).deflate(0xc00091e000)
/usr/local/go/src/compress/flate/deflate.go:493 +0x3be
compress/flate.(*compressor).write(0xc00091e000, 0xc00064225c, 0x2791, 0xda4, 0x2800, 0x5a453e55, 0xc0001d4340)
/usr/local/go/src/compress/flate/deflate.go:551 +0x83
compress/flate.(*Writer).Write(...)
/usr/local/go/src/compress/flate/deflate.go:709
compress/gzip.(*Writer).Write(0xc0004a8630, 0xc000640800, 0x2791, 0x2800, 0xc0001d43e0, 0xc0000ac801, 0xc)
/usr/local/go/src/compress/gzip/gzip.go:196 +0xce
main.udpServer.func1.1(0xc00009d8c0, 0xc0000af9a0)
/go/src/github.com/dreadl0ck/netcap/cmd/collect/main.go:230 +0xb2b
created by main.udpServer.func1
/go/src/github.com/dreadl0ck/netcap/cmd/collect/main.go:167 +0x5b

Labeling does not find any label

I have executed an ssh-brute-force attack against my victim Linux host, and it pops up in Suricata's
fast.log, but after all, the label command on my trace file shows nothing (even the fast.log copied by the label command is empty).

fast.log:
09/20/2019-10:27:18.123609  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.xx.xx.xx:44552 -> 192.xx.xx.xx:22
09/20/2019-10:27:20.198623  [**] [1:10000001:1] Possible SSH brute forcing! [**] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 172.xx.xx.xx:44560 -> 192.xx.xx.xx:22

labeling:
label -debug -r ../../sshbrute-attack.pcap
checking log dir: ../../sshbrute-attack
removing suricata logfiles from previous runs
scanning ../../sshbrute-attack.pcap with suricata...
done. reading logs from ../../sshbrute-attack/fast.log
parsing suricata fast.log
0 alerts ignored in labelMap
no labels found.

Could you please help, what I am missing?
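
For readers debugging a labeling run like the one above, the following added example (written for this page; not part of the issue and not the netcap label tool's own code) shows the two steps such a tool has to get right: parsing Suricata's fast.log line layout into typed alerts while reporting lines that did not match instead of silently skipping them, and matching each alert's 5-tuple against flow records in a direction-independent way. The Flow type, the sample log lines (constructed with private addresses) and the tuple-only matching are assumptions; a production labeler would also bound matches by time window.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Alert is one parsed line of Suricata's fast.log.
type Alert struct {
	Time             time.Time
	GID, SID, Rev    int
	Msg              string
	Classification   string
	Priority         int
	Proto            string
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
}

// fastLogRe matches:
//   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
// The Classification block is optional because rules without a classtype omit it.
var fastLogRe = regexp.MustCompile(
	`^(\S+)\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]\s+` +
		`(?:\[Classification:\s*([^\]]*)\]\s+)?\[Priority:\s*(\d+)\]\s+` +
		`\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$`)

// time.Parse accepts the fractional seconds in the input even though the layout omits them.
const fastLogTime = "01/02/2006-15:04:05"

func parseAlert(line string) (Alert, bool) {
	m := fastLogRe.FindStringSubmatch(line)
	if m == nil {
		return Alert{}, false
	}
	ts, err := time.Parse(fastLogTime, m[1])
	if err != nil {
		return Alert{}, false
	}
	atoi := func(s string) int { n, _ := strconv.Atoi(s); return n } // digits guaranteed by the regexp
	return Alert{Time: ts, GID: atoi(m[2]), SID: atoi(m[3]), Rev: atoi(m[4]), Msg: m[5],
		Classification: m[6], Priority: atoi(m[7]), Proto: m[8],
		SrcIP: net.ParseIP(m[9]), SrcPort: atoi(m[10]), DstIP: net.ParseIP(m[11]), DstPort: atoi(m[12])}, true
}

// ParseFastLog returns the alerts it understood and, separately, the non-empty
// lines it could not parse, so "no labels found" can be told apart from a log
// whose format was not recognised at all.
func ParseFastLog(r io.Reader) (alerts []Alert, unparsed []string) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if a, ok := parseAlert(line); ok {
			alerts = append(alerts, a)
		} else {
			unparsed = append(unparsed, line)
		}
	}
	return alerts, unparsed
}

// Flow is a minimal connection record as a labeler would read it (assumed shape).
type Flow struct {
	Proto            string
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
}

// flowKey orders the two endpoints so that both directions map to one key.
func flowKey(proto string, aIP net.IP, aPort int, bIP net.IP, bPort int) string {
	a, b := fmt.Sprintf("%s:%d", aIP, aPort), fmt.Sprintf("%s:%d", bIP, bPort)
	if a > b {
		a, b = b, a
	}
	return strings.ToUpper(proto) + "|" + a + "|" + b
}

// Label tags each flow with the message of the first alert on the same 5-tuple,
// or "normal" if none fired. Tuple-only matching is a simplification.
func Label(flows []Flow, alerts []Alert) []string {
	byKey := map[string]string{}
	for _, a := range alerts {
		if k := flowKey(a.Proto, a.SrcIP, a.SrcPort, a.DstIP, a.DstPort); byKey[k] == "" {
			byKey[k] = a.Msg
		}
	}
	labels := make([]string, len(flows))
	for i, f := range flows {
		labels[i] = "normal"
		if msg, ok := byKey[flowKey(f.Proto, f.SrcIP, f.SrcPort, f.DstIP, f.DstPort)]; ok {
			labels[i] = msg
		}
	}
	return labels
}

// SampleFastLog is constructed for this example (private addresses), not a real log.
const SampleFastLog = `09/20/2019-10:27:18.123609  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.5:44552 -> 192.168.1.10:22
09/20/2019-10:27:20.198623  [**] [1:10000001:1] Possible SSH brute forcing! [**] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 172.16.0.5:44560 -> 192.168.1.10:22
09/20/2019 10:27:21 this line uses another format and must be reported, not ignored
`

func main() {
	alerts, unparsed := ParseFastLog(strings.NewReader(SampleFastLog))
	fmt.Printf("%d alerts parsed, %d lines not understood\n", len(alerts), len(unparsed))
	flows := []Flow{ // first flow is the alert's connection seen from the server side
		{"tcp", net.ParseIP("192.168.1.10"), net.ParseIP("172.16.0.5"), 22, 44552},
		{"tcp", net.ParseIP("172.16.0.5"), net.ParseIP("192.168.1.10"), 50000, 443},
	}
	for i, l := range Label(flows, alerts) {
		fmt.Printf("%s:%d -> %s:%d  %s\n", flows[i].SrcIP, flows[i].SrcPort, flows[i].DstIP, flows[i].DstPort, l)
	}
}
```

If a run reports every line as not understood, compare the log against the layout in the regular expression before suspecting the matching logic; a labeler that discards unparsed lines silently produces exactly the "no labels found" symptom with nothing to debug.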

Netlabel doesn't work on Security Onion (Linux)

Hey Phil,
I've been cross compiling your project for the latest Security Onion version (16.04.5.6).
Netcap seems to work fine, however netlabel doesn't work at all. So far I haven't had time to investigate any further however I thought I'd let you know. Hopefully I'll be back with some useful information soon.

Thanks for your awesome project & BR
Reg1n

Renaming of netcap binary?

I'm creating a package for this to push to the Arch Linux AUR, and I was wondering what your thoughts were on renaming the netcap binary to something that won't conflict with the libcap-ng library:

➜ pacman -Qo `which netcap`
/usr/bin/netcap is owned by libcap-ng 0.7.9-1

Perhaps something like netcapper or gonetcap?

Thoughts?

Thanks!

Cross compilation on macOS

Cross compiling from macOS to Linux and Windows fails for me, due to gopacket's libpcap bindings.
Maybe @notti can help?

Compile for Windows:

# install compiler toolchain and libpcap headers
$ brew install mingw-w64
$ brew install libpcap

$ GOOS=windows GOARCH=amd64 CC=x86_64-w64-mingw32-gcc CGO_ENABLED=1 CGO_CFLAGS="-I/usr/local/opt/libpcap/include" go build -o netcap-windows -i github.com/dreadl0ck/netcap/cmd
# github.com/google/gopacket/pcap
/usr/local/Cellar/mingw-w64/5.0.4_1/toolchain-x86_64/bin/x86_64-w64-mingw32-ld: cannot find -lwpcap
collect2: error: ld returned 1 exit status

Compile for Linux:

$ GOOS=linux GOARCH=amd64 CGO_ENABLED=1 go build -o netcap-linux -i github.com/dreadl0ck/netcap/cmd
# github.com/dreadl0ck/netcap/cmd
/usr/local/Cellar/go/1.11.4/libexec/pkg/tool/darwin_amd64/link: running clang failed: exit status 1
ld: warning: ignoring file /var/folders/3n/1r2xxfv55d35jxh33rklbzm80000gn/T/go-link-877356077/go.o, file was built for unsupported file format ( 0x7F 0x45 0x4C 0x46 0x02 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 ) which is not the architecture being linked (x86_64): /var/folders/3n/1r2xxfv55d35jxh33rklbzm80000gn/T/go-link-877356077/go.o
Undefined symbols for architecture x86_64:
"__cgo_topofstack", referenced from:
    __cgo_f163a891a53f_Cfunc_calloc in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_activate in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_can_set_rfmon in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_compile in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_create in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_datalink in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_datalink_name_to_val in 000001.o
    ...
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)

How to reference events across log files

Is there currently a method to reference correlated events across log output files? I know zeek adds a UID field to correlate events across various files, is there a similar method with NetCap to do the same thing?
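
An added example (written for this page, not the project's code) of the kind of connection identifier the question asks about: a UID derived from the flow's canonically ordered 5-tuple and its first-seen timestamp, so that a DNS record and the UDP flow record for the same conversation carry the same value and can be joined across output files. The Record type, the firstSeen parameter and the 12-byte truncation are assumptions. Unlike Zeek's UID, which is random per connection, this one is deterministic and can be recomputed by any decoder that knows the tuple and the flow start, so decoders need not share state to agree on it.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"net"
)

// Endpoint is one side of a flow (assumed shape for this example).
type Endpoint struct {
	IP   net.IP
	Port uint16
}

// less orders endpoints by IP then port so that both directions of a
// conversation produce the same canonical (a, b) pair.
func less(a, b Endpoint) bool {
	if c := bytes.Compare(a.IP.To16(), b.IP.To16()); c != 0 {
		return c < 0
	}
	return a.Port < b.Port
}

// FlowUID derives a direction-independent flow identifier from the IP
// protocol number, the flow's first-seen timestamp and the ordered endpoints.
// Including firstSeen keeps a later connection that reuses the same port pair
// from colliding with this one.
func FlowUID(proto uint8, firstSeen int64, a, b Endpoint) string {
	if less(b, a) {
		a, b = b, a
	}
	h := sha256.New()
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(firstSeen))
	h.Write(ts[:])
	h.Write([]byte{proto})
	for _, e := range []Endpoint{a, b} {
		h.Write(e.IP.To16())
		h.Write([]byte{byte(e.Port >> 8), byte(e.Port)})
	}
	// 96 bits is ample for uniqueness within a capture and keeps the value
	// short enough to read in CSV output.
	return "F" + base64.RawURLEncoding.EncodeToString(h.Sum(nil)[:12])
}

// Record stands in for any audit record type that carries the UID; Type names
// the decoder that produced it, e.g. "UDP" or "DNS".
type Record struct {
	Type, UID, Summary string
}

// JoinByUID groups records that came from different audit record files by the
// flow they belong to.
func JoinByUID(recs []Record) map[string][]Record {
	out := make(map[string][]Record)
	for _, r := range recs {
		out[r.UID] = append(out[r.UID], r)
	}
	return out
}

func main() {
	client := Endpoint{net.ParseIP("10.0.0.1"), 49152}
	resolver := Endpoint{net.ParseIP("10.0.0.2"), 53}
	const firstSeen = 1600000000
	// The UDP decoder keyed the flow on the query (client -> resolver); the
	// DNS decoder tagged the response (resolver -> client). Both agree.
	recs := []Record{
		{"UDP", FlowUID(17, firstSeen, client, resolver), "10.0.0.1:49152 -> 10.0.0.2:53, 2 packets"},
		{"DNS", FlowUID(17, firstSeen, resolver, client), "A example.com -> 192.0.2.1"},
	}
	for uid, group := range JoinByUID(recs) {
		fmt.Println(uid)
		for _, r := range group {
			fmt.Printf("  %-4s %s\n", r.Type, r.Summary)
		}
	}
}
```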

Issue with Maltego on Kali

@dreadl0ck
What version of Netcap, which OS, which version of OS did you use?
v0.6.11, Kali Linux 2023.4

What did you want to do?
Use Maltego with netcap

What happened instead?
I followed https://docs.netcap.io/installation/kali-linux and even repeated steps. I configured from source so initially used /home/kali/go/src/github.com/dreadl0ck/netcap/maltego/netcap.mtz. Had issues so downloaded the latest netcap.mtz from https://github.com/dreadl0ck/netcap/raw/master/maltego/netcap.mtz into the directory. Configured the file type matcher preference and deselected 'use regex converter'. Manually imported my pcap, ran To Audit Records [NETCAP] and got an error. A set3.pcap.net directory was made with all the files in it but it would not populate in Maltego.

What output did you get?
Maltego transform output is
[12/28/23, 12:48 AM] INFO Transform To Audit Records [NETCAP] done (from entity "set3.pcap") [12/28/23, 12:50 AM] INFO Running transform To Audit Records [NETCAP] on 1 entities (from entity "set3") [12/28/23, 12:50 AM] ERROR ParseError at [row,col]:[1,1] Message: Content is not allowed in prolog (from entity "set3") [12/28/23, 12:50 AM] WARNING Transform To Audit Records [NETCAP] returned with an error: ParseError at [row,col]:[1,1] Message: Content is not allowed in prolog (from entity "set3") [12/28/23, 12:50 AM] INFO Transform To Audit Records [NETCAP] done (from entity "set3")
