Quickstart
For those who can't wait to get their hands dirty.

Capture traffic to create audit records

Read traffic live from an interface, stop with Ctrl-C (SIGINT):

$ net capture -iface eth0

Read traffic from a dump file (supports PCAP or PCAPNG):

$ net capture -read traffic.pcap

Read audit records

Read a netcap dump file and print it to stdout as CSV:

$ net dump -read TCP.ncap.gz

Show the available fields for a specific Netcap dump file:

$ net dump -fields -read TCP.ncap.gz

Print only selected fields and output as CSV:

$ net dump -read TCP.ncap.gz -select Timestamp,SrcPort,DstPort

Save CSV output to a file:

$ net dump -read TCP.ncap.gz -select Timestamp,SrcPort,DstPort > tcp.csv

Print output separated with tabs:

$ net dump -read TCP.ncap.gz -tsv

Run with 24 workers and disable gzip compression and buffering:

$ net capture -workers 24 -buf false -comp false -read traffic.pcapng

Parse a pcap and write all data to an output directory (it is created if it does not exist):

$ net capture -read traffic.pcap -out traffic_ncap

Convert timestamps to UTC:

$ net dump -read TCP.ncap.gz -select Timestamp,SrcPort,DstPort -utc

Show Audit Record File Header

To display the header of the supplied audit record file, the -header flag can be used:

$ net capture -read TCP.ncap.gz -header

+----------+---------------------------------------+
| Field    | Value                                 |
+----------+---------------------------------------+
| Created  | 2018-11-15 04:42:22.411785 +0000 UTC  |
| Source   | Wednesday-WorkingHours.pcap           |
| Version  | v0.3.3                                |
| Type     | NC_TCP                                |
+----------+---------------------------------------+

Print Structured Audit Records

Audit records can be printed in structured form, which uses the proto.MarshalTextString() function. This is sometimes useful for debugging, but very verbose.

$ net dump -read TCP.ncap.gz -struc
...
NC_TCP
Timestamp: "1499255023.848884"
SrcPort: 80
DstPort: 49472
SeqNum: 1959843981
AckNum: 3666268230
DataOffset: 5
ACK: true
Window: 1025
Checksum: 2348
PayloadEntropy: 7.836586993143013
PayloadSize: 1460
...

Print as CSV

This is the default behavior. The first line contains all field names.

$ net dump -read TCP.ncap.gz
Timestamp,SrcPort,DstPort,SeqNum,AckNum,DataOffset,FIN,SYN,RST,PSH,ACK,URG,...
1499254962.234259,443,49461,1185870107,2940396492,5,false,false,false,true,true,false,...
1499254962.282063,49461,443,2940396492,1185870976,5,false,false,false,false,true,false,...
...

Print as Tab Separated Values

To use a tab as separator, the -tsv flag can be supplied:

$ net dump -read TCP.ncap.gz -tsv
Timestamp	SrcPort	DstPort	Length	Checksum	PayloadEntropy	PayloadSize
1499254962.084372	49792	1900	145	34831	5.19616448	137
1499254962.084377	49792	1900	145	34831	5.19616448	137
1499254962.084378	49792	1900	145	34831	5.19616448	137
1499254962.084379	49792	1900	145	34831	5.19616448	137
...

Print as Table

The -table flag can be used to print output as a table. The table is flushed to stdout every 100 entries.

$ net dump -read UDP.ncap.gz -table -select Timestamp,SrcPort,DstPort,Length,Checksum
+--------------------+----------+----------+---------+-----------+
| Timestamp          | SrcPort  | DstPort  | Length  | Checksum  |
+--------------------+----------+----------+---------+-----------+
| 1499255691.722212  | 62109    | 53       | 43      | 38025     |
| 1499255691.722216  | 62109    | 53       | 43      | 38025     |
| 1499255691.722363  | 53       | 62109    | 59      | 37492     |
| 1499255691.722366  | 53       | 62109    | 59      | 37492     |
| 1499255691.723146  | 56977    | 53       | 43      | 7337      |
| 1499255691.723149  | 56977    | 53       | 43      | 7337      |
| 1499255691.723283  | 53       | 56977    | 59      | 6804      |
| 1499255691.723286  | 53       | 56977    | 59      | 6804      |
| 1499255691.723531  | 63427    | 53       | 43      | 17441     |
| 1499255691.723534  | 63427    | 53       | 43      | 17441     |
| 1499255691.723682  | 53       | 63427    | 87      | 14671     |
...

Print with Custom Separator

Output can also be generated with a custom separator:

$ net dump -read TCP.ncap.gz -sep ";"
Timestamp;SrcPort;DstPort;Length;Checksum;PayloadEntropy;PayloadSize
1499254962.084372;49792;1900;145;34831;5.19616448;137
1499254962.084377;49792;1900;145;34831;5.19616448;137
1499254962.084378;49792;1900;145;34831;5.19616448;137
...

Validate generated CSV output

To ensure that values in the generated CSV do not contain the separator string, the -check flag can be used.
It determines the expected number of separators for the audit record type and prints every line that does not have that number of separator symbols to stdout. The separator symbol is colored red with ANSI escape sequences, and each printed line is followed by its separator count, also in red.
The -sep flag can be used to specify a custom separator.

$ net util -read TCP.ncap.gz -check
$ net util -read TCP.ncap.gz -check -sep=";"
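The same separator check, written as an added POSIX shell example that is not part of netcap itself, for CSV that `net dump` has already written to disk. It takes the expected separator count from the header row (an assumption: the first line is the field-name header), prints every data row whose count differs, and runs on a constructed sample file in which one row carries a stray separator.

```shell
#!/bin/sh
# Added example, not netcap code: validate a CSV produced by `net dump`.
# The header row fixes the expected number of separators; data rows whose
# count differs are printed with their count appended.

# Constructed sample: the third data row has an extra "," inside a field.
SAMPLE_CSV="$(mktemp)"
cat > "$SAMPLE_CSV" <<'EOF'
Timestamp,SrcPort,DstPort,Length,Checksum,PayloadEntropy,PayloadSize
1499254962.084372,49792,1900,145,34831,5.19616448,137
1499254962.084377,49792,1900,145,34831,5.19616448,137
1499254962.084378,49792,1900,145,34831,5.196,16448,137
1499254962.084379,49792,1900,145,34831,5.19616448,137
EOF

# check_separators FILE [SEP]
# Prints each malformed row as "<row>  (<n> separators, expected <m>)".
# Returns 0 when every row is well-formed, 1 otherwise. SEP defaults to ",".
check_separators() {
    file=$1
    sep=${2:-,}
    awk -v sep="$sep" '
        # Count literal occurrences of sep (index(), not a regex split, so
        # separators such as "|" or ";" need no escaping).
        function count(line,    n, i) {
            n = 0
            while ((i = index(line, sep)) > 0) {
                n++
                line = substr(line, i + length(sep))
            }
            return n
        }
        NR == 1 { expected = count($0); next }
        {
            n = count($0)
            if (n != expected) {
                bad++
                printf "%s  (%d separators, expected %d)\n", $0, n, expected
            }
        }
        END { exit (bad > 0) }
    ' "$file"
}

# bad_line_count FILE [SEP]: number of malformed rows, for use in scripts.
bad_line_count() {
    check_separators "$1" "$2" | wc -l | tr -d ' '
}

if check_separators "$SAMPLE_CSV" ","; then
    echo "all rows well-formed"
else
    echo "malformed rows found"
fi
```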