Framework Components

This section describes each of the command-line tools.


The capture tool is used to capture audit records, either live from a network interface or from an offline PCAP or PCAP-NG dump file.


The dump tool is used to view audit records and convert them to JSON or CSV.


The label tool is used to create labeled CSV datasets from netcap audit records and the input PCAP files used for capturing the audit records. For this, Suricata is used to obtain alerts for the PCAP file, which are then mapped onto the gathered netcap audit records.


The collect tool is used to start the collection server for collecting audit records from several sensor agents.


The agent tool is used to send encrypted batches of audit records to a netcap collection server.


The proxy tool is used to create one or several HTTP reverse proxies, in order to capture HTTP audit records for web services.


The export tool is used to export Prometheus metrics about netcap internals, Go runtime internals and audit records, and expose them on the chosen endpoint.


The util tool is a general utility for working with netcap audit records.