Quickstart
For those who can't wait to get their hands dirty.
Capture traffic to create audit records
Read traffic live from interface, stop with Ctrl-C (SIGINT):
$ net capture -iface eth0Read traffic from a dump file (supports PCAP or PCAPNG):
$ net capture -read traffic.pcapRead audit records
Read a netcap dumpfile and print to stdout as CSV:
$ net dump -read TCP.ncap.gzShow the available fields for a specific Netcap dump file:
$ net dump -fields -read TCP.ncap.gzPrint only selected fields and output as CSV:
$ net dump -read TCP.ncap.gz -select Timestamp,SrcPort,DstPortSave CSV output to file:
$ net dump -read TCP.ncap.gz -select Timestamp,SrcPort,DstPort > tcp.csvPrint output separated with tabs:
$ net dump -read TPC.ncap.gz -tsvRun with 24 workers and disable gzip compression and buffering:
$ net capture -workers 24 -buf false -comp false -read traffic.pcapngParse pcap and write all data to output directory (will be created if it does not exist):
$ net capture -read traffic.pcap -out traffic_ncapConvert timestamps to UTC:
$ net dump -read TCP.ncap.gz -select Timestamp,SrcPort,Dstport -utcShow Audit Record File Header
To display the header of the supplied audit record file, the -header flag can be used:
$ net capture -read TCP.ncap.gz -header
+----------+---------------------------------------+
| Field | Value |
+----------+---------------------------------------+
| Created | 2018-11-15 04:42:22.411785 +0000 UTC |
| Source | Wednesday-WorkingHours.pcap |
| Version | v0.3.3 |
| Type | NC_TCP |
+----------+---------------------------------------+Print Structured Audit Records
Audit records can be printed structured, this makes use of the proto.MarshalTextString() function. This is sometimes useful for debugging, but very verbose.
$ net dump -read TCP.ncap.gz -struc
...
NC_TCP
Timestamp: "1499255023.848884"
SrcPort: 80
DstPort: 49472
SeqNum: 1959843981
AckNum: 3666268230
DataOffset: 5
ACK: true
Window: 1025
Checksum: 2348
PayloadEntropy: 7.836586993143013
PayloadSize: 1460
...Print as CSV
This is the default behavior. First line contains all field names.
$ net dump -read TCP.ncap.gz
Timestamp,SrcPort,DstPort,SeqNum,AckNum,DataOffset,FIN,SYN,RST,PSH,ACK,URG,...
1499254962.234259,443,49461,1185870107,2940396492,5,false,false,false,true,true,false,...
1499254962.282063,49461,443,2940396492,1185870976,5,false,false,false,false,true,false,...
...Print as Tab Separated Values
To use a tab as separator, the -tsv flag can be supplied:
$ net dump -read TCP.ncap.gz -tsv
Timestamp SrcPort DstPort Length Checksum PayloadEntropy PayloadSize
1499254962.084372 49792 1900 145 34831 5.19616448 137
1499254962.084377 49792 1900 145 34831 5.19616448 137
1499254962.084378 49792 1900 145 34831 5.19616448 137
1499254962.084379 49792 1900 145 34831 5.19616448 137
...Print as Table
The -table flag can be used to print output as a table. Every 100 entries the table is printed to stdout.
$ net dump -read UDP.ncap.gz -table -select Timestamp,SrcPort,DstPort,Length,Checksum
+--------------------+----------+----------+---------+-----------+
| Timestamp | SrcPort | DstPort | Length | Checksum |
+--------------------+----------+----------+---------+-----------+
| 1499255691.722212 | 62109 | 53 | 43 | 38025 |
| 1499255691.722216 | 62109 | 53 | 43 | 38025 |
| 1499255691.722363 | 53 | 62109 | 59 | 37492 |
| 1499255691.722366 | 53 | 62109 | 59 | 37492 |
| 1499255691.723146 | 56977 | 53 | 43 | 7337 |
| 1499255691.723149 | 56977 | 53 | 43 | 7337 |
| 1499255691.723283 | 53 | 56977 | 59 | 6804 |
| 1499255691.723286 | 53 | 56977 | 59 | 6804 |
| 1499255691.723531 | 63427 | 53 | 43 | 17441 |
| 1499255691.723534 | 63427 | 53 | 43 | 17441 |
| 1499255691.723682 | 53 | 63427 | 87 | 14671 |
...Print with Custom Separator
Output can also be generated with a custom separator:
$ net dump -read TCP.ncap.gz -sep ";"
Timestamp;SrcPort;DstPort;Length;Checksum;PayloadEntropy;PayloadSize
1499254962.084372;49792;1900;145;34831;5.19616448;137
1499254962.084377;49792;1900;145;34831;5.19616448;137
1499254962.084378;49792;1900;145;34831;5.19616448;137
...Validate generated CSV output
To ensure values in the generated CSV would not contain the separator string, the -check flag can be used.
This will determine the expected number of separators for the audit record type, and print all lines to stdout that do not have the expected number of separator symbols. The separator symbol will be colored red with ansi escape sequences and each line is followed by the number of separators in red color.
The -sep flag can be used to specify a custom separator.
$ net util -read TCP.ncap.gz -check
$ net util -read TCP.ncap.gz -check -sep=";"Last updated