NETCAP
NETCAP
Overview
GitHub
Homepage
GoDoc
Overview
Audit Records
Specification
Installation
Quickstart
Configuration
Bash Completion
Packet Collection
Audit Record Labeling
HTTP Proxy
USB Capture
Payload Capture
Distributed Collection
Workers
Filtering and Export
Data Compression
Internals
Metrics
Resolvers
TLS Fingerprinting
Reassembly
Deep Packet Inspection
Live Capture
Maltego Integration
Logging
Packet Contexts
Industrial Control Systems
File Extraction
Email Extraction
Device Profiles
Python Integration
Changelog
Troubleshooting
Unit Tests
Extension
Downloads
Docker Containers
FAQ
Contributing
License
Powered by GitBook

Metrics

Prometheus Metrics

Introduction

Netcap now supports exporting prometheus metrics about its go runtime, the collection process and the audit records itself. These data points can be used to gain insights about the collection performance or discover security related events.

Prometheus is an open-source systems monitoring and alerting toolkit originally built at SoundCloud. Since its inception in 2012, many companies and organizations have adopted Prometheus, and the project has a very active developer and user community. It is now a standalone open source project and maintained independently of any company.

To visualize the captured data I recomment the open source analytics and monitoring solution Grafana:

This feature can be used with the export tool, which behaves similar to capture but is able to operate on pcaps, audit records and network interfaces.

Configuration

Metrics are served by default on 127.0.0.1:7777/metrics. Configure a prometheus instance to scrape it:

# reference: https://prometheus.io/docs/prometheus/latest/configuration/configuration/
global:
  scrape_interval: 15s
  scrape_timeout: 15s
  #evaluation_interval: 15s
scrape_configs:
  # process_ metrics
  - job_name: netcap
    metrics_path: /metrics
    scheme: http
    static_configs:
      - targets:
        - 127.0.0.1:7777

Tip: The latest prometheus config documentation can be found at: https://prometheus.io/docs/prometheus/latest/configuration/configuration

Run the export tool to capture live from an interface:

net export -iface en0

Tip: Use $ net capture -interfaces to get a list of available interfaces to choose from

Go to http://localhost:9090 or to the port you configured alternatively, to check if your prometheus instance is scraping data correctly. Now that we have some data at hands, lets use Grafana to visualize it!

You can setup Grafana on macOS via brew:

$ brew install grafana

Tip: On macOS, Grafanas default config is at /usr/local/etc/grafana/grafana.ini and installed plugins are stored at /usr/local/opt/grafana/share/grafana/data/plugins.

Start the prometheus server and pass the previously created config:

$ prometheus --config.file prometheus/prometheus.yml

You need to install the pie chart plugin for grafana:

$ cd /usr/local/opt/grafana/share/grafana/data/plugins
$ git clone https://github.com/grafana/piechart-panel.git --branch release-1.4.0

Start the grafana server:

$ grafana-server --homepath /usr/local/opt/grafana/share/grafana

Now download the NETCAP Dashboard and import it into Grafana:

Go to Settings > Datasources and a prometheus datasource, either with the default port 9090 or the one you choose in the config.

You should be good to go!

Usage

Export a PCAP dumpfile and serve metrics .

$ net export -read 2017-09-19-traffic-analysis-exercise.pcap

Capture and export traffic live from the named interface:

$ net export -iface en0

Export a specific audit record file:

$ net export -read HTTP.ncap.gz

Export all audit record files in the current directory:

$ net export .

Overview Dashboard Preview

Grafana Dashboard Overview

TCP Dashboard Preview

Grafana Dashboard TCP

HTTP Dashboard Preview

Grafana Dashboard HTTP
Previous
Internals
Next
Resolvers
Last updated 1 year ago
Contents
Introduction
Configuration
Usage
Overview Dashboard Preview
TCP Dashboard Preview
HTTP Dashboard Preview