Framework Components

This section describes each of the command-line tools.

net.capture

The capture tool is used to capture audit records, either live from a network interface or from an offline PCAP or PCAP-NG dumpfile.

net.dump

The dump tool is used to view audit records and convert them to JSON or CSV.

net.label

The label tool is used to create labeled CSV datasets from netcap audit records and the input PCAP files used for capturing the audit records. For this, Suricata is used to obtain alerts for the PCAP file, which are then mapped onto the gathered netcap audit records.

net.collect

The collect tool is used to start the collection server for collecting audit records from several sensor agents.

net.agent

The agent tool is used to send encrypted batches of audit records to a netcap collection server.

net.proxy

The proxy tool is used to create one or several HTTP reverse proxies, in order to capture HTTP audit records for web services.

net.export

The export tool is used to export Prometheus metrics about netcap internals, Go runtime internals and audit records, and to expose them on the chosen endpoint.

net.util

The util tool is a general utility for working with netcap audit records.
