Quickstart

For those who can't wait to get their hands dirty.

Capture traffic to create audit records

Read traffic live from interface, stop with Ctrl-C (SIGINT):

$ net capture -iface eth0

Read traffic from a dump file (supports PCAP or PCAPNG):

$ net capture -read traffic.pcap

Read audit records

Read a netcap dumpfile and print to stdout as CSV:

$ net dump -read TCP.ncap.gz

Show the available fields for a specific Netcap dump file:

$ net dump -fields -read TCP.ncap.gz

Print only selected fields and output as CSV:

$ net dump -read TCP.ncap.gz -select Timestamp,SrcPort,DstPort

Save CSV output to file:

$ net dump -read TCP.ncap.gz -select Timestamp,SrcPort,DstPort > tcp.csv

Print output separated with tabs:

$ net dump -read TPC.ncap.gz -tsv

Run with 24 workers and disable gzip compression and buffering:

$ net capture -workers 24 -buf false -comp false -read traffic.pcapng

Parse pcap and write all data to output directory (will be created if it does not exist):

$ net capture -read traffic.pcap -out traffic_ncap

Convert timestamps to UTC:

$ net dump -read TCP.ncap.gz -select Timestamp,SrcPort,Dstport -utc

Show Audit Record File Header

To display the header of the supplied audit record file, the -header flag can be used:

$ net capture -read TCP.ncap.gz -header

+----------+---------------------------------------+
|  Field   |                Value                  |
+----------+---------------------------------------+
| Created  | 2018-11-15 04:42:22.411785 +0000 UTC  |
| Source   | Wednesday-WorkingHours.pcap           |
| Version  | v0.3.3                                |
| Type     | NC_TCP                                |
+----------+---------------------------------------+

Audit records can be printed structured, this makes use of the proto.MarshalTextString() function. This is sometimes useful for debugging, but very verbose.

$ net dump -read TCP.ncap.gz -struc
...
NC_TCP
Timestamp: "1499255023.848884"
SrcPort: 80
DstPort: 49472
SeqNum: 1959843981
AckNum: 3666268230
DataOffset: 5
ACK: true
Window: 1025
Checksum: 2348
PayloadEntropy: 7.836586993143013
PayloadSize: 1460
...

This is the default behavior. First line contains all field names.

$ net dump -read TCP.ncap.gz
Timestamp,SrcPort,DstPort,SeqNum,AckNum,DataOffset,FIN,SYN,RST,PSH,ACK,URG,...
1499254962.234259,443,49461,1185870107,2940396492,5,false,false,false,true,true,false,...
1499254962.282063,49461,443,2940396492,1185870976,5,false,false,false,false,true,false,...
...

To use a tab as separator, the -tsv flag can be supplied:

$ net dump -read TCP.ncap.gz -tsv
Timestamp               SrcPort DstPort Length  Checksum PayloadEntropy  PayloadSize
1499254962.084372       49792   1900    145     34831    5.19616448      137
1499254962.084377       49792   1900    145     34831    5.19616448      137
1499254962.084378       49792   1900    145     34831    5.19616448      137
1499254962.084379       49792   1900    145     34831    5.19616448      137
...

The -table flag can be used to print output as a table. Every 100 entries the table is printed to stdout.

$ net dump -read UDP.ncap.gz -table -select Timestamp,SrcPort,DstPort,Length,Checksum
+--------------------+----------+----------+---------+-----------+
|     Timestamp      | SrcPort  | DstPort  | Length  | Checksum  |
+--------------------+----------+----------+---------+-----------+
| 1499255691.722212  | 62109    | 53       | 43      | 38025     |
| 1499255691.722216  | 62109    | 53       | 43      | 38025     |
| 1499255691.722363  | 53       | 62109    | 59      | 37492     |
| 1499255691.722366  | 53       | 62109    | 59      | 37492     |
| 1499255691.723146  | 56977    | 53       | 43      | 7337      |
| 1499255691.723149  | 56977    | 53       | 43      | 7337      |
| 1499255691.723283  | 53       | 56977    | 59      | 6804      |
| 1499255691.723286  | 53       | 56977    | 59      | 6804      |
| 1499255691.723531  | 63427    | 53       | 43      | 17441     |
| 1499255691.723534  | 63427    | 53       | 43      | 17441     |
| 1499255691.723682  | 53       | 63427    | 87      | 14671     |
...

Output can also be generated with a custom separator:

$ net dump -read TCP.ncap.gz -sep ";"
Timestamp;SrcPort;DstPort;Length;Checksum;PayloadEntropy;PayloadSize
1499254962.084372;49792;1900;145;34831;5.19616448;137
1499254962.084377;49792;1900;145;34831;5.19616448;137
1499254962.084378;49792;1900;145;34831;5.19616448;137
...

Validate generated CSV output

To ensure values in the generated CSV would not contain the separator string, the -check flag can be used.

This will determine the expected number of separators for the audit record type, and print all lines to stdout that do not have the expected number of separator symbols. The separator symbol will be colored red with ansi escape sequences and each line is followed by the number of separators in red color.

The -sep flag can be used to specify a custom separator.

$ net util -read TCP.ncap.gz -check
$ net util -read TCP.ncap.gz -check -sep=";"

Last updated