Packet Collection
This section focuses on gathering network packet information with netcap
Packets are fetched from an input source (an offline dump file or live from an interface) and distributed round-robin to a pool of workers. Each worker dissects all layers of a packet and writes the generated protobuf audit records to the corresponding file. By default, the data is gzip-compressed to save storage space and buffered to avoid the overhead of excessive write syscalls.
Packet collection process
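As an added illustration of the pipeline described above (not netcap's own code), the following Go program wires up the same pieces with only the standard library: a round-robin hand-off to a pool of workers, and a shared per-file writer that buffers records and gzip-compresses them. The uvarint length prefix, the worker count and the sample records are assumptions made for the example; layer dissection itself is left out.

```go
package main

import (
	"bufio"
	"bytes"
	"compress/gzip"
	"encoding/binary"
	"io"
	"log"
	"sync"
)

// auditWriter is the write path described above: records pass through a bufio.Writer
// (no syscall per record) and gzip before reaching dst; workers share it, hence the mutex.
type auditWriter struct {
	mu  sync.Mutex
	gz  *gzip.Writer
	buf *bufio.Writer
}

// writeRecord appends one record behind a uvarint length prefix (assumed framing).
func (w *auditWriter) writeRecord(rec []byte) error {
	w.mu.Lock()
	defer w.mu.Unlock()
	var hdr [binary.MaxVarintLen64]byte
	n := binary.PutUvarint(hdr[:], uint64(len(rec)))
	if _, err := w.buf.Write(hdr[:n]); err != nil {
		return err
	}
	_, err := w.buf.Write(rec)
	return err
}

// close flushes the buffer and finishes the gzip stream; skipping it loses data.
func (w *auditWriter) close() error {
	if err := w.buf.Flush(); err != nil {
		return err
	}
	return w.gz.Close()
}

// collect hands packets round-robin to numWorkers goroutines, which write them as
// records (layer dissection is left out here), then flushes the shared file.
func collect(packets [][]byte, numWorkers int, w *auditWriter) error {
	queues := make([]chan []byte, numWorkers)
	var wg sync.WaitGroup
	for i := range queues {
		queues[i] = make(chan []byte, 16)
		wg.Add(1)
		go func(q chan []byte) {
			defer wg.Done()
			for data := range q {
				if err := w.writeRecord(data); err != nil {
					log.Println("audit record dropped:", err)
				}
			}
		}(queues[i])
	}
	for i, p := range packets {
		queues[i%numWorkers] <- p // round-robin distribution
	}
	for _, q := range queues {
		close(q)
	}
	wg.Wait()
	return w.close()
}

// readRecords decompresses an audit file and splits it back into records,
// rejecting a truncated stream instead of returning a partial last record.
func readRecords(r io.Reader) ([][]byte, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	raw, err := io.ReadAll(gz)
	var recs [][]byte
	for off := 0; err == nil && off < len(raw); {
		size, k := binary.Uvarint(raw[off:])
		if k <= 0 || size > uint64(len(raw)-off-k) {
			return nil, io.ErrUnexpectedEOF
		}
		recs = append(recs, raw[off+k:off+k+int(size)])
		off += k + int(size)
	}
	return recs, err
}

// runDemo pushes six constructed records through three workers and reads them back.
func runDemo() ([][]byte, error) {
	packets := [][]byte{[]byte("a"), []byte("bb"), []byte("ccc"), []byte("dddd"), []byte("eeeee"), []byte("ffffff")}
	var file bytes.Buffer
	gz := gzip.NewWriter(&file)
	w := &auditWriter{gz: gz, buf: bufio.NewWriterSize(gz, 64*1024)}
	if err := collect(packets, 3, w); err != nil {
		return nil, err
	}
	return readRecords(&file)
}
```

readRecords reverses the write path and is the check worth keeping around: a writer that is never closed leaves the last buffered records in memory and an unfinished gzip member on disk, which gzip.NewReader reports as an error rather than handing back partial data.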

Encoders

Encoders take care of converting decoded packet data into protocol buffers for the audit records. Two types of encoders exist: the Layer Encoder, which operates on gopacket layer types, and the Custom Encoder, for which any desired logic can be implemented, including decoding application layer protocols that are not yet supported by gopacket or protocols that require stream reassembly.

Unknown Protocols

Packets whose protocol cannot be decoded are written to the unknown.pcap file for later analysis, since they contain potentially interesting traffic that is not represented in the generated output. Separating everything that could not be understood makes it easy to spot hidden communication channels based on custom protocols.

Error Log

Errors raised by the gopacket library, whether due to malformed packets or implementation errors, are written to the errors.log file so the analyst can check them later. Every packet with a decoding error on at least one layer is also added to errors.pcap. An entry in the error log has the following format:
<UTC Timestamp>
Error: <Description>
Packet:
<full packet hex dump with layer information>
At the end of the error log, a summary of all errors and the number of their occurrences will be appended.
...
<error name>: <number of occurrences>
...
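The following Go program, added here as an example rather than taken from netcap, produces the two artifacts just described: an errors.log whose entries follow the layout above and end with the per-error summary, and an errors.pcap written in the classic libpcap format. Timestamps use RFC 3339 in UTC, the hex dump comes from encoding/hex with the already-decoded layers listed above it, and the error strings, layer names and packet bytes are constructed; all of these are assumptions of the example, not netcap's exact output.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"sort"
	"strings"
	"sync"
	"time"
)

// pcapWriter emits the classic libpcap layout: 24-byte file header, 16-byte record headers.
type pcapWriter struct{ w io.Writer }

func newPcapWriter(w io.Writer, snaplen, linkType uint32) (*pcapWriter, error) {
	hdr := []interface{}{uint32(0xa1b2c3d4), uint16(2), uint16(4), int32(0), uint32(0), snaplen, linkType}
	for _, v := range hdr {
		if err := binary.Write(w, binary.LittleEndian, v); err != nil {
			return nil, err
		}
	}
	return &pcapWriter{w: w}, nil
}

func (p *pcapWriter) writePacket(ts time.Time, data []byte) error {
	hdr := []uint32{uint32(ts.Unix()), uint32(ts.Nanosecond() / 1000), uint32(len(data)), uint32(len(data))}
	if err := binary.Write(p.w, binary.LittleEndian, hdr); err != nil {
		return err
	}
	_, err := p.w.Write(data)
	return err
}

// errorLog writes entries in the layout shown above, copies each failing packet
// to the pcap (cf. errors.pcap) and counts errors for the closing summary.
type errorLog struct {
	mu     sync.Mutex
	log    io.Writer
	pcap   *pcapWriter
	counts map[string]int
	now    func() time.Time // injectable so the demo gets fixed timestamps
}

// record logs one decoding error; the "layer information" of the original
// format is approximated by listing the layers decoded before the failure.
func (l *errorLog) record(err error, layers []string, packet []byte) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	ts := l.now().UTC()
	l.counts[err.Error()]++
	fmt.Fprintf(l.log, "%s\nError: %s\nPacket:\nLayers: %s\n%s\n",
		ts.Format(time.RFC3339Nano), err, strings.Join(layers, " > "), hex.Dump(packet))
	return l.pcap.writePacket(ts, packet)
}

// summary returns one "<error name>: <number of occurrences>" line per distinct
// error, most frequent first, ties broken by name. Call it after all workers stop.
func (l *errorLog) summary() []string {
	names := make([]string, 0, len(l.counts))
	for name := range l.counts {
		names = append(names, name)
	}
	sort.Slice(names, func(i, j int) bool {
		if l.counts[names[i]] != l.counts[names[j]] {
			return l.counts[names[i]] > l.counts[names[j]]
		}
		return names[i] < names[j]
	})
	lines := make([]string, len(names))
	for i, name := range names {
		lines[i] = fmt.Sprintf("%s: %d", name, l.counts[name])
	}
	return lines
}

// runDemo records three constructed decoding errors, appends the summary to the
// log and returns the log text, the summary lines and the pcap size in bytes.
func runDemo() (string, []string, int, error) {
	var logBuf, pcapBuf bytes.Buffer
	pcap, err := newPcapWriter(&pcapBuf, 65535, 1) // link type 1 = Ethernet
	if err != nil {
		return "", nil, 0, err
	}
	fixed := time.Date(2020, 1, 2, 3, 4, 5, 0, time.UTC)
	l := &errorLog{log: &logBuf, pcap: pcap, counts: map[string]int{}, now: func() time.Time { return fixed }}
	frame := bytes.Repeat([]byte{0xAA}, 14) // constructed stand-in for a 14-byte Ethernet header
	bad := errors.New("TCP: invalid header length")
	for _, e := range []error{bad, errors.New("IPv4: truncated"), bad} {
		if err := l.record(e, []string{"Ethernet", "IPv4"}, frame); err != nil {
			return "", nil, 0, err
		}
	}
	sum := l.summary()
	fmt.Fprintln(&logBuf, strings.Join(sum, "\n"))
	return logBuf.String(), sum, pcapBuf.Len(), nil
}
```

The summary is sorted by count and then by name so that two runs over the same capture produce byte-identical logs, which keeps them easy to diff when comparing captures or netcap versions.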

Inclusion and Exclusion of Encoders

The -encoders flag lists all available encoders. If not all of them are wanted, encoders can be selectively included or excluded with the -include and -exclude flags.
List all encoders:
$ net capture -encoders
custom: 11
+ TLSClientHello
+ TLSServerHello
+ LinkFlow
+ NetworkFlow
+ TransportFlow
+ HTTP
+ Flow
+ Connection
+ DeviceProfile
+ File
+ POP3
layer: 55
+ TCP
+ UDP
+ IPv4
+ IPv6
+ DHCPv4
+ DHCPv6
+ ICMPv4
+ ICMPv6
+ ICMPv6Echo
+ ICMPv6NeighborSolicitation
+ ICMPv6RouterSolicitation
+ DNS
+ ARP
+ Ethernet
+ Dot1Q
+ Dot11
+ NTP
+ SIP
+ IGMP
+ LLC
+ IPv6HopByHop
+ SCTP
+ SNAP
+ LinkLayerDiscovery
+ ICMPv6NeighborAdvertisement
+ ICMPv6RouterAdvertisement
+ EthernetCTP
+ EthernetCTPReply
+ LinkLayerDiscoveryInfo
+ IPSecAH
+ IPSecESP
+ Geneve
+ IPv6Fragment
+ VXLAN
+ USB
+ LCM
+ MPLS
+ Modbus
+ OSPF
+ OSPF
+ BFD
+ GRE
+ FDDI
+ EAP
+ VRRP
+ EAPOL
+ EAPOLKey
+ CiscoDiscovery
+ CiscoDiscoveryInfo
+ USBRequestBlockSetup
+ NortelDiscovery
+ CIP
+ Ethernet/IP
+ SMTP
+ Diameter
...
Include specific encoders (only those named will be used):
$ net capture -read traffic.pcap -include Ethernet,Dot1Q,IPv4,IPv6,TCP,UDP,DNS
Exclude encoders (this will prevent decoding of layers encapsulated by the excluded ones):
$ net capture -read traffic.pcap -exclude TCP,UDP
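Added example, not netcap's code: the Go snippet below models how -include and -exclude resolve to the set of encoders that can actually produce output. The encoder list is a subset of the -encoders listing above; the carrier map (which layer encapsulates which) is a simplified assumption made for the example, not netcap's real decoding tree. Its point is the caveat in the exclude case: dropping TCP and UDP also silences DNS and HTTP even though they were never named.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// available mirrors a subset of the `net capture -encoders` listing above.
var available = []string{"Ethernet", "Dot1Q", "IPv4", "IPv6", "TCP", "UDP", "DNS", "HTTP", "ARP", "ICMPv4"}

// encapsulatedBy is an assumed, simplified view of which layer carries which;
// an encoder only sees data if at least one of its carriers is decoded.
var encapsulatedBy = map[string][]string{
	"Dot1Q":  {"Ethernet"},
	"IPv4":   {"Ethernet", "Dot1Q"},
	"IPv6":   {"Ethernet", "Dot1Q"},
	"ARP":    {"Ethernet", "Dot1Q"},
	"TCP":    {"IPv4", "IPv6"},
	"UDP":    {"IPv4", "IPv6"},
	"ICMPv4": {"IPv4"},
	"DNS":    {"UDP", "TCP"},
	"HTTP":   {"TCP"},
}

// parseList splits a comma-separated flag value and rejects unknown names, so a
// typo such as "-include Ethrnet" fails loudly instead of silently dropping output.
func parseList(value string) (map[string]bool, error) {
	set := map[string]bool{}
	if strings.TrimSpace(value) == "" {
		return set, nil
	}
	for _, name := range strings.Split(value, ",") {
		name = strings.TrimSpace(name)
		known := false
		for _, a := range available {
			known = known || a == name
		}
		if !known {
			return nil, fmt.Errorf("unknown encoder %q", name)
		}
		set[name] = true
	}
	return set, nil
}

// selectEncoders applies -include (only those named) and -exclude, then drops every
// encoder whose carriers were all removed, which is what "prevents decoding of
// encapsulated layers" amounts to. It returns the active set and the orphaned names.
func selectEncoders(include, exclude string) (active, unreachable []string, err error) {
	inc, err := parseList(include)
	if err != nil {
		return nil, nil, err
	}
	exc, err := parseList(exclude)
	if err != nil {
		return nil, nil, err
	}
	enabled := map[string]bool{}
	for _, name := range available {
		if (len(inc) == 0 || inc[name]) && !exc[name] {
			enabled[name] = true
		}
	}
	// Iterate to a fixpoint: removing TCP orphans HTTP, which could orphan others.
	for changed := true; changed; {
		changed = false
		for name := range enabled {
			carriers, ok := encapsulatedBy[name]
			if !ok {
				continue // link layer, depends on nothing
			}
			carried := false
			for _, c := range carriers {
				carried = carried || enabled[c]
			}
			if !carried {
				delete(enabled, name)
				unreachable = append(unreachable, name)
				changed = true
			}
		}
	}
	for _, name := range available {
		if enabled[name] {
			active = append(active, name)
		}
	}
	sort.Strings(unreachable)
	return active, unreachable, nil
}
```

Reporting the orphaned encoders alongside the active ones is the useful part for an analyst: an include list such as "Ethernet,IPv4,DNS" looks complete but yields no DNS records because neither UDP nor TCP was included, and the page's own example list works precisely because it names every carrier in the chain.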

Applying Berkeley Packet Filters

Netcap decodes all traffic it is exposed to, so it can be desirable to set a Berkeley Packet Filter (BPF) to reduce the workload imposed on Netcap. This works for both live and offline operation. When a BPF is set for offline use, the gopacket/pcap package with bindings to libpcap is used, since the native pcapgo package does not yet support BPF filters.
When capturing live from an interface:
$ net capture -iface en0 -bpf "host 192.168.1.1"
When reading offline dump files:
$ net capture -read traffic.pcap -bpf "host 192.168.1.1"