Lots of information is not visible at first sight, and we need to combine our data with knowledge from other data sources to make it easier for humans to understand.
Think of resolving IP addresses to geolocations, hardware addresses to manufacturers, domains to IP addresses and vice versa, or simply identifying the service name associated with a given port number. Or consider filtering IP addresses or domain names against a whitelist, to eliminate known legitimate traffic.
The resolvers package provides primitives for such tasks, and if possible, caches results in memory for better performance.
External data sources are stored in a central directory on the system, which defaults to /usr/local/etc/netcap/db but can be overridden using the NC_DATABASE_SOURCE environment variable.
By default, all resolvers are disabled. Use the -reverse-dns, -local-dns, -macDB, -ja3DB, -serviceDB and -geoDB flags to enable what you want to use, or configure it via environment variables or the config file, as described in:
You can download a bundled version of all databases except for the MaxMind GeoLite, here:
Reverse DNS lookups can be used to identify the domains associated with an address. By default, the standard system resolver will be contacted for this.
Passive / Local DNS
Passive DNS reads the hosts mapping from a file and loads it into memory, instead of looking up encountered addresses by contacting a resolver. This can be used, for example, to provide names for known hosts in your network.
To avoid producing lookups that leave the network, you can generate a hosts mapping from the DNS traffic in your dump file using tshark:
$ tshark -r traffic.pcap -q -z hosts
and provide it to netcap's resolver via a hosts file in the database directory.
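The following is an added example of the passive DNS idea described above; it is not netcap's own resolver code. It parses hosts-file lines of the form tshark's `-z hosts` statistics produce ("<ip> <name>", with `#` comments and blank lines), builds an in-memory table keyed by the canonical IP string, and answers both reverse (IP to names) and forward (name to IPs) queries without ever contacting a resolver. The sample hosts data, the type `hostsDB` and the functions `parseHosts`, `LookupAddr` and `LookupHost` are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
)

// sampleHosts is a constructed hosts mapping in the format tshark -z hosts
// writes; it is not taken from a real capture.
const sampleHosts = `# TShark hosts output (constructed sample)
#
# Host data gathered from traffic.pcap

10.0.0.5	fileserver.corp.example
10.0.0.5	nas.corp.example
2001:db8::10	mail.corp.example
192.0.2.44	www.example.org   # trailing comment is ignored
not-an-ip	broken.line
`

// hostsDB is the in-memory passive DNS table: ips maps a canonical IP
// string to its known names, names maps a lower-cased name to its addresses.
type hostsDB struct {
	ips   map[string][]string
	names map[string][]net.IP
}

// parseHosts loads "<ip> <name> [alias...]" lines, skipping comments and
// blank lines. Malformed lines are counted and skipped rather than aborting
// the load, and the count is returned so the caller can report it.
func parseHosts(r io.Reader) (*hostsDB, int) {
	db := &hostsDB{ips: map[string][]string{}, names: map[string][]net.IP{}}
	skipped := 0
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // strip full-line and trailing comments
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		ip := net.ParseIP(fields[0])
		if ip == nil || len(fields) < 2 {
			skipped++
			continue
		}
		// Canonical form so that differently written IPv6 addresses
		// (e.g. "2001:0db8::10" and "2001:db8::10") share one key.
		key := ip.String()
		for _, n := range fields[1:] {
			n = strings.ToLower(n)
			db.ips[key] = append(db.ips[key], n)
			db.names[n] = append(db.names[n], ip)
		}
	}
	return db, skipped
}

// LookupAddr is the passive counterpart of net.LookupAddr: it answers only
// from the loaded table and returns nil for unknown or unparsable addresses.
func (db *hostsDB) LookupAddr(addr string) []string {
	ip := net.ParseIP(addr)
	if ip == nil {
		return nil
	}
	return db.ips[ip.String()]
}

// LookupHost is the passive counterpart of net.LookupHost.
func (db *hostsDB) LookupHost(name string) []net.IP {
	return db.names[strings.ToLower(name)]
}

func main() {
	db, skipped := parseHosts(strings.NewReader(sampleHosts))
	fmt.Printf("loaded %d addresses, skipped %d malformed lines\n", len(db.ips), skipped)
	for _, a := range []string{"10.0.0.5", "2001:0db8::10", "10.9.9.9"} {
		fmt.Printf("%-16s -> %v\n", a, db.LookupAddr(a))
	}
	fmt.Printf("mail.corp.example -> %v\n", db.LookupHost("MAIL.corp.example"))
}
```

Because the table is the only source of answers, a host that is not in the mapping simply stays unresolved; that is the intended trade-off when the goal is to avoid DNS traffic leaving the network during analysis.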
To filter known legitimate domains away, the Alexa top 1 million list can be used, for example.
AWS | Alexa Top Sites - Up-to-date lists of the top sites on the web
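As an added example of the whitelist filtering mentioned above (not netcap's own code), the block below loads an Alexa-style "rank,domain" CSV into memory and checks observed names against it, matching a name when it or any of its parent domains is on the list, so that "www.google.com" is covered by the entry "google.com". The sample list, the type `whitelist` and the functions `loadWhitelist`, `canonical`, `Known` and `filterUnknown` are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// sampleTop1m is a constructed fragment in the "rank,domain" layout of the
// Alexa top-1m.csv; the malformed lines exercise the loader's skipping.
const sampleTop1m = `1,google.com
2,youtube.com
3,facebook.com
4,example.org
malformed line without comma
5,
`

// whitelist is the in-memory set of canonicalised domain names.
type whitelist struct {
	domains map[string]struct{}
}

// canonical lower-cases a name and strips surrounding whitespace and the
// trailing dot that DNS records and PTR answers may carry.
func canonical(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// loadWhitelist parses "rank,domain" lines; lines without a comma or with
// an empty domain are skipped.
func loadWhitelist(r io.Reader) *whitelist {
	wl := &whitelist{domains: map[string]struct{}{}}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ",", 2)
		if len(parts) != 2 {
			continue
		}
		dom := canonical(parts[1])
		if dom == "" {
			continue
		}
		wl.domains[dom] = struct{}{}
	}
	return wl
}

// Known reports whether name or one of its parent domains is listed. It
// walks label by label from the left, so "a.b.example.org" checks
// "a.b.example.org", "b.example.org", "example.org" and finally "org".
func (wl *whitelist) Known(name string) bool {
	name = canonical(name)
	for name != "" {
		if _, ok := wl.domains[name]; ok {
			return true
		}
		i := strings.IndexByte(name, '.')
		if i < 0 {
			return false
		}
		name = name[i+1:]
	}
	return false
}

// filterUnknown keeps only the names that are not whitelisted, in input order.
func filterUnknown(wl *whitelist, names []string) []string {
	var out []string
	for _, n := range names {
		if !wl.Known(n) {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	wl := loadWhitelist(strings.NewReader(sampleTop1m))
	observed := []string{"www.youtube.com", "updates.internal.test", "cdn.facebook.com", "srv7.unknown.test"}
	fmt.Printf("%d whitelisted domains loaded\n", len(wl.domains))
	fmt.Println("not whitelisted:", filterUnknown(wl, observed))
}
```

The parent-domain walk is what makes a popularity list usable against real traffic, where most names are subdomains of the listed entries. The same property is the list's weakness as a filter: anything hosted under a listed domain (a free subdomain on a popular hosting provider, for instance) is also waved through, so a popularity whitelist reduces the volume to review rather than proving that what remains, or what was removed, is benign.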