Linux network traffic security audit
Introduction
Netcap (NETwork CAPture) is a command-line tool for analysing network traffic. It captures the packet flow and converts it into audit records that can be processed by other systems. The generated audit records can be stored on a separate disk, or sent over the network to another server for storage.
Netcap: A Secure and Scalable Network Traffic Analysis Tool
Netcap is very effective at collecting packets from network traffic. Packets can be read from offline input sources such as PCAP or PCAP-NG dump files, or captured live from a network interface.
Netcap uses Google's Protocol Buffers to encode its output, which makes it easy to parse. Output can also be exported in comma-separated CSV format. To keep the stored data from taking up too much space, Netcap compresses all of its output with gzip.
With the net.dump tool, Netcap can view the available audit records and convert them to supported file formats such as CSV and JSON. Errors caused by malformed packets are written to errors.log.
Features:
- PCAP and PCAP-NG support
- Supports USB capture
- Allow real-time capture
- CLI command line interface
- Can collect network packets from distributed sources
- Very useful for forensic data analysis
Tools:
- net.capture (capture audit records in real time or from a dump file)
- net.dump (dump audit records in various formats)
- net.label (tool for creating labeled CSV datasets from netcap data)
- net.collect (collection server for distributed collection)
- net.agent (sensor agent for distributed collection)
- net.proxy (http reverse proxy for capturing traffic from web services)
- net.util (Utilities for validating audit records and converting timestamps)
- net.export (exporter for prometheus metrics)
Supported platforms
Windows, Linux, OS X
Netcap installation
Install with go get:
$ go get -u github.com/dreadl0ck/netcap/...
To install the development build from the command line, run:
$ go build -o $(go env GOPATH)/bin/netcap -i github.com/dreadl0ck/netcap/cmd
macOS
Install with brew:
$ brew tap dreadl0ck/formulas
$ brew install netcap
After installing Netcap, run the following command to execute the unit tests and benchmarks and check that everything passes:
$ go test -v -bench=. ./...
Netcap usage
When Netcap starts it prints a banner, its current settings and progress output (the ASCII-art logo is omitted here):
Network Protocol Analysis Framework
created by Philipp Mieden, 2018
v5
+---------------+--------+
| Setting | Value |
+---------------+--------+
| Workers | 1000 |
| MemBuffer | true |
| Compression | true |
| PacketBuffer | 100 |
+---------------+--------+
spawned 1000 workers
initialized 29 layer encoders | buffer size: 4096
initialized 7 custom encoders | buffer size: 4096
running since 535785474s, captured 13000 packets…
To list all encoders supported by Netcap, together with their parameters, use the -encoders flag. Depending on what you want to do, individual encoders can be excluded or included with the -exclude and -include flags.
Examples:
Read traffic from a network interface:
$ net.capture -iface eth0
- Use Ctrl-C (SIGINT) to stop capturing.
Read traffic from a PCAP or PCAP-NG dump file:
$ net.capture -r traffic.pcap
Read a dump file and print it to stdout as CSV:
$ net.dump -r TCP.ncap.gz
Save the CSV output to a file:
$ net.dump -r TCP.ncap.gz -select Timestamp,SrcPort,DstPort > tcp.csv
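As an added example (not code from the Netcap project), the script below consumes a CSV file with the three columns selected by the command above and builds a per-destination-port histogram, flagging ports outside an expected set and skipping malformed rows instead of aborting. The sample CSV is constructed here; only the column names come from the page, and the expected-port set is a hypothetical server profile.

```python
import csv
import io
from collections import Counter

# Constructed sample of what `net.dump -r TCP.ncap.gz -select Timestamp,SrcPort,DstPort`
# might write. Only the column names come from the page; the values are made up.
SAMPLE_TCP_CSV = """Timestamp,SrcPort,DstPort
1535785474.000001,51234,443
1535785474.000120,51235,443
1535785474.000300,51236,22
1535785474.000450,51237,4444
not-a-timestamp,xx,443
1535785474.000900,51238,4444
"""

# Hypothetical profile: ports this server is expected to serve. Anything else is flagged.
EXPECTED_PORTS = {22, 80, 443}


def summarize_tcp_csv(text, expected_ports=EXPECTED_PORTS):
    """Count audit records per destination port and split out unexpected ports.

    Returns (per_port_counts, unexpected_ports, malformed_rows). Rows whose
    port fields are not integers are counted as malformed and skipped, in the
    same spirit as Netcap logging malformed packets to errors.log rather than
    stopping the capture.
    """
    counts = Counter()
    malformed = 0
    for row in csv.DictReader(io.StringIO(text)):
        try:
            dst = int(row["DstPort"])
            int(row["SrcPort"])  # validated so a broken row is rejected whole
        except (KeyError, TypeError, ValueError):
            malformed += 1
            continue
        counts[dst] += 1
    unexpected = {port: n for port, n in counts.items() if port not in expected_ports}
    return dict(counts), unexpected, malformed


if __name__ == "__main__":
    per_port, unexpected, bad = summarize_tcp_csv(SAMPLE_TCP_CSV)
    for port, n in sorted(per_port.items(), key=lambda kv: -kv[1]):
        flag = "  <-- not in expected set" if port in unexpected else ""
        print(f"dst port {port:5d}: {n} records{flag}")
    print(f"malformed rows skipped: {bad}")
```

To run it against real output, replace SAMPLE_TCP_CSV with the contents of tcp.csv produced by net.dump.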
Display
Network data can also be displayed in real time through Grafana, using the Prometheus metrics exported by net.export.