Quickstart
Read traffic live from interface, stop with Ctrl-C (SIGINT):
$ net.capture -iface eth0
Read traffic from a dump file (supports PCAP or PCAPNG):
$ net.capture -r traffic.pcap
Read a netcap dumpfile and print to stdout as CSV:
$ net.dump -r TCP.ncap.gz
Show the available fields for a specific Netcap dump file:
$ net.dump -fields -r TCP.ncap.gz
Print only selected fields and output as CSV:
$ net.dump -r TCP.ncap.gz -select Timestamp,SrcPort,DstPort
Save CSV output to file:
$ net.dump -r TCP.ncap.gz -select Timestamp,SrcPort,DstPort > tcp.csv
Print output separated with tabs:
$ net.dump -r TPC.ncap.gz -tsv
Run with 24 workers and disable gzip compression and buffering:
$ net.capture -workers 24 -buf false -comp false -r traffic.pcapng
Parse pcap and write all data to output directory (will be created if it does not exist):
$ net.capture -r traffic.pcap -out traffic_ncap
Convert timestamps to UTC:
$ net.dump -r TCP.ncap.gz -select Timestamp,SrcPort,Dstport -utc
To display the header of the supplied audit record file, the -header flag can be used:
$ net.capture -r TCP.ncap.gz -header​+----------+---------------------------------------+| Field | Value |+----------+---------------------------------------+| Created | 2018-11-15 04:42:22.411785 +0000 UTC || Source | Wednesday-WorkingHours.pcap || Version | v0.3.3 || Type | NC_TCP |+----------+---------------------------------------+
Audit records can be printed structured, this makes use of the proto.MarshalTextString() function. This is sometimes useful for debugging, but very verbose.
$ net.dump -r TCP.ncap.gz -struc...NC_TCPTimestamp: "1499255023.848884"SrcPort: 80DstPort: 49472SeqNum: 1959843981AckNum: 3666268230DataOffset: 5ACK: trueWindow: 1025Checksum: 2348PayloadEntropy: 7.836586993143013PayloadSize: 1460...
This is the default behavior. First line contains all field names.
$ net.dump -r TCP.ncap.gzTimestamp,SrcPort,DstPort,SeqNum,AckNum,DataOffset,FIN,SYN,RST,PSH,ACK,URG,...1499254962.234259,443,49461,1185870107,2940396492,5,false,false,false,true,true,false,...1499254962.282063,49461,443,2940396492,1185870976,5,false,false,false,false,true,false,......
To use a tab as separator, the -tsv flag can be supplied:
$ net.dump -r TCP.ncap.gz -tsvTimestamp SrcPort DstPort Length Checksum PayloadEntropy PayloadSize1499254962.084372 49792 1900 145 34831 5.19616448 1371499254962.084377 49792 1900 145 34831 5.19616448 1371499254962.084378 49792 1900 145 34831 5.19616448 1371499254962.084379 49792 1900 145 34831 5.19616448 137...
The -table flag can be used to print output as a table. Every 100 entries the table is printed to stdout.
$ net.dump -r UDP.ncap.gz -table -select Timestamp,SrcPort,DstPort,Length,Checksum+--------------------+----------+----------+---------+-----------+| Timestamp | SrcPort | DstPort | Length | Checksum |+--------------------+----------+----------+---------+-----------+| 1499255691.722212 | 62109 | 53 | 43 | 38025 || 1499255691.722216 | 62109 | 53 | 43 | 38025 || 1499255691.722363 | 53 | 62109 | 59 | 37492 || 1499255691.722366 | 53 | 62109 | 59 | 37492 || 1499255691.723146 | 56977 | 53 | 43 | 7337 || 1499255691.723149 | 56977 | 53 | 43 | 7337 || 1499255691.723283 | 53 | 56977 | 59 | 6804 || 1499255691.723286 | 53 | 56977 | 59 | 6804 || 1499255691.723531 | 63427 | 53 | 43 | 17441 || 1499255691.723534 | 63427 | 53 | 43 | 17441 || 1499255691.723682 | 53 | 63427 | 87 | 14671 |...
Output can also be generated with a custom separator:
$ net.dump -r TCP.ncap.gz -sep ";"Timestamp;SrcPort;DstPort;Length;Checksum;PayloadEntropy;PayloadSize1499254962.084372;49792;1900;145;34831;5.19616448;1371499254962.084377;49792;1900;145;34831;5.19616448;1371499254962.084378;49792;1900;145;34831;5.19616448;137...
​
