
@dreadl0ck dreadl0ck released this May 8, 2019 · 0 commits to master since this release


This release will be presented at HITB 2019 on Friday! Stay tuned.

f9cb382 GitBook: [master] 10 pages and 6 assets modified
f0a60b9 GitBook: [master] 12 pages and one asset modified
232ecd0 GitBook: [master] 13 pages and 25 assets modified
dc9509e GitBook: [master] 17 pages modified
8979d79 GitBook: [master] 2 pages modified
3b42f2d GitBook: [master] 2 pages modified
7ffe02c GitBook: [master] 3 pages modified
299734c GitBook: [master] 5 pages and one asset modified
ed60793 GitBook: [master] 8 pages and one asset modified
db654f0 GitBook: [master] 9 pages and 3 assets modified
3b8a0ff GitBook: [master] one page modified
3bcba97 Merge branch 'master' of
a8708c0 Merge branch 'master' of
6bbb8d6 Merge branch 'master' of
ff898ea Merge branch 'master' of
80d6bee Merge branch 'master' of
0fbf912 Merge branch 'master' of
9b58e51 Merge branch 'master' of
984134f added -version flag to all commandline tools
be4920b added build-docker-alpine zeus command to build and push the netcap docker container to dockerhub
bd9d4d1 added comment to http audit record enhanced fields
f5b9950 added example config for proxy
679bb02 added flags to exporter
2f40074 added gen-proto-release to generate protobuf type defs for: python,java,swift,rust,cpp,csharp,js
1eb9cb8 added gitbook config file
6471986 added metrics to collector and a new flag to free OS memory in a specified interval if desired
461e3e8 added net.util
3828193 added new HTTP fields
8e67a07 added notes on decoding protobuf data
7eb4b36 added optional payloads for modbusTCP
76935fb added static-analyze command
ca6d984 added stats for custom decoders
cccae06 added zap logging package
36e9e62 added zeus command to compile net.util
3a797fa bootstrapped netcap HTTP reverse proxy: net.proxy
3c519e8 bootstrapped whats new section
c2d8490 bootstrapping prometheus metrics
ef6acf2 cleanup
237c05e cleanup
9261ff0 cleanup
7225d7f cleanup and comments
0d0e065 commandline tools and documentation updates
736f8db deleted old files
0ca0a25 deleted old python experiments
bd8d585 disabled capture of LinkFlow, NetworkFlow and TransportFlow by default, since these are represented in the regular Flow model
06fc5e7 emitting encoder and field overview as markdown
ee2869e encoder: added support for exporting metrics live
08ebf4f extracted netcap.Writer and bumped version to 0.4.0
bbe9c11 fix: SIP incorrect CSV header values
8e42983 fixed audit record graphic being displayed incorrectly in some browsers
3fe65e2 golangci-lint feedback: error handling and code simplifications
0276662 graffle update
c078c23 implemented interface for dumping as JSON on all audit record types
03fb8db improved error messages and discarding errors when cleaning up suricata logfiles for netlabel tool
2c9d96f metrics testing, exporting connections and flows, fixed flushing configuration via flags
b3ef499 more metrics
530b524 moved graphics folder into docs
286b907 moved printing logo to main utils
fb87d1a moved pynetcap into separate git repository
b925b98 net.export: added option to export all dumps in a directory, added flag for replaying the packets with the delay they were captured
1ad4b14 net.export: improved replay functionality
a31c8f6 netlabel: add support for parsing IPv6 addresses from suricata logs
664eede netlabel: added -suricata-config flag to specify the path to the suricata config file
0afa05c netlabel: error handling and debug mode
e43bfb2 preparations for prometheus metrics
1dde6f8 preparing for 0.4 release
495d0e2 printing usage examples when no args given to net.cap
454ee76 progress on metrics
ab8b6a1 prometheus metrics: finished implementing Inc() Method for AuditRecord interface on all type defs
1509590 proxy: add target url to created audit record file
0ccbae6 pynetcap: added support for reading audit records into a pandas dataframe in python
11bd1ba readme fix
44f740c readme fixes
d216e43 readme update
937aeaa readme wording update
dadc6d4 readme wording update 2
976c24f refactored func for serving metrics
b9f1efd regenerated proto type defs
2dd77c5 removed debugs
f112258 removed dist folder from git tracking, releases are available via github
97011c7 removed gitbook files
7608c9f renamed types.CSV interface to types.AuditRecord
cb8496b restored readme
ce34d9a restructured command line tools and updated build configuration
e777c51 restructured commandline tools
9b49bc7 restructured commandline tools
50c8ca0 syscall.Statfs not available on windows
f6c55b1 testing and fixes
23f4e29 update README graphic paths
42bcf44 updated HTTP audit records generated by net.proxy
ed4898d updated cloc command
03939de updated cloc command to exclude generated protobuf defs for recently added languages
b7372e0 updated docs, added cheatsheet and overview
9335af1 updated ethernet, ip, udp and tcp metrics to expose payload entropy and size as histograms
fbe02b6 updated gen-proto command to move python output to new repository
2499b1d updated gitignore
7350e57 updated http proxy
2d5eb8a updated metrics for flows and connections
2c2d535 updated metrics to skip timestamp
a215c56 updated net.dump README and usage examples
97cca5f updated net.export README and usage examples
ef6cc0c updated net.label README and usage examples
a1af848 updated net.proxy README and usage examples
f70e354 updated net.util README and usage examples
d0a3a8a updated release config
55f96e6 updated release config
2b41f6e updated version bump command


@dreadl0ck dreadl0ck released this Jan 17, 2019 · 106 commits to master since this release



Many new protocols have been added since the initial release in December 2018,
including: OSPF, GRE, IPSec, USB, Geneve, VXLAN, LCM, ModbusTCP, MPLS, BFD, EAP, VRRPv2, CiscoDiscovery and more.

Protobuf serialization performance

Since version 0.3.9 proto serialization is much faster,
thanks to a different code generator that generates more efficient code for packing and unpacking the protocol buffers in golang.

with golang code generator:

$ go test -bench=. -v ./types
=== RUN   TestMarshal
--- PASS: TestMarshal (0.00s)
goos: darwin
goarch: amd64
BenchmarkMarshal-12      	10000000	       184 ns/op	      64 B/op	       1 allocs/op
BenchmarkUnmarshal-12    	10000000	       160 ns/op	      40 B/op	       2 allocs/op
ok	3.830s

with gogo code generator:

$ go test -bench=. -v ./types
=== RUN   TestMarshal
--- PASS: TestMarshal (0.00s)
goos: darwin
goarch: amd64
BenchmarkMarshal-12      	20000000	        89.1 ns/op	      64 B/op	       1 allocs/op
BenchmarkUnmarshal-12    	20000000	       110 ns/op	      40 B/op	       2 allocs/op
ok	4.215s

However, for this to work, the fields named Size on several audit record structures had to be renamed, because the new code generator generates a function named Size() on each protocol buffer.

This breaks backwards compatibility with audit records created with version v0.3.8.
Use the -header flag to check which version was used to create the .ncap dumpfile.
The new field name is TotalSize.

Payload capture

It is now possible to capture payload data for the following protocols: TCP, UDP, ModbusTCP, USB

This can be enabled with the -payload flag:

netcap -r traffic.pcap -payload

USB decoding

USB live capture is now possible; currently the following audit records exist: USB and USBRequestBlockSetup.

To capture USB traffic live on macOS, install wireshark and bring up the USB interface:

sudo ifconfig XHC20 up

Now attach netcap and set baselayer to USB:

netcap -iface XHC20 -base usb

To read offline USB traffic from a PCAP file use:

netcap -r usb.pcap -base usb

Configurable separators for CSV structures

The separator characters for structs in CSV output mode are now configurable via commandline flags.

Default is '(' for opening, '-' as separator for values and ')' for closing.

type Message struct {
    Text        string
    Secret      bool
    MagicNumber int
}

would appear in CSV like:


with the concrete field values:
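
As an added example (not netcap's own code), the following Go snippet renders a struct in the layout described above, once as the field-name header and once as the concrete values, with the separators kept configurable. Message is the struct from the release notes; Separators, Defaults, render, StructHeader, StructValues and Ambiguous are names introduced here for illustration. Ambiguous shows the case that makes configurability matter: a field value that itself contains a separator character cannot be split back unambiguously.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Message mirrors the struct from the release notes.
type Message struct {
	Text        string
	Secret      bool
	MagicNumber int
}

// Separators holds the three configurable characters (hypothetical type); Defaults are
// the ones the release notes state: '(' opening, '-' between values, ')' closing.
type Separators struct{ Open, Sep, Close string }
var Defaults = Separators{Open: "(", Sep: "-", Close: ")"}

// render joins pick()'s result for each field of struct v between the separators.
func render(v interface{}, s Separators, pick func(reflect.StructField, reflect.Value) string) string {
	rv := reflect.ValueOf(v)
	parts := make([]string, 0, rv.NumField())
	for i := 0; i < rv.NumField(); i++ {
		parts = append(parts, pick(rv.Type().Field(i), rv.Field(i)))
	}
	return s.Open + strings.Join(parts, s.Sep) + s.Close
}

// StructHeader renders the field names, e.g. "(Text-Secret-MagicNumber)".
func StructHeader(v interface{}, s Separators) string {
	return render(v, s, func(f reflect.StructField, _ reflect.Value) string { return f.Name })
}

// StructValues renders the field values in the same layout, e.g. "(hello-true-42)".
func StructValues(v interface{}, s Separators) string {
	return render(v, s, func(_ reflect.StructField, fv reflect.Value) string { return fmt.Sprint(fv.Interface()) })
}

// Ambiguous reports whether a field value contains a separator character, in which case
// the rendered struct cannot be split back unambiguously (hence configurable separators).
func Ambiguous(v interface{}, s Separators) bool {
	rv := reflect.ValueOf(v)
	for i := 0; i < rv.NumField(); i++ {
		if strings.ContainsAny(fmt.Sprint(rv.Field(i).Interface()), s.Open+s.Sep+s.Close) {
			return true
		}
	}
	return false
}
```

When a dataset's values contain '-' or parentheses, check with Ambiguous first and pick separators that do not occur in the data before exporting.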


Configurable gopacket.DecodeOptions

gopacket's DecodeOptions are now configurable via the command line; three options exist:

  • lazy (gopacket.Lazy)
  • default (gopacket.Default)
  • nocopy (gopacket.NoCopy)

By default, netcap uses the lazy decoding option.

81144a8 LayerEncoders map now contains an array of encoders, to support multiple encoders for the same layer type
ecbd0ad Merge branch 'master' of
9f1919d Merge pull request #10 from glaslos/mod_lint_clean
5725bf9 OSPF fixes, added handleRawPacketData func
14b5b15 README update
0f175a6 add gopacket.NoCopy to decoding options
0313df1 added ContainsPayloads field to Header and Batch structs
21edc65 added NortelDiscovery to layerEncoders
61390da added OSPF LSA data to audit records
c232065 added flags for BaseLayer and DecodeOptions
abb2158 added gogo proto code generator for faster protobuf serialization, renamed Size field from several audit records to TotalSize to resolve conflict with generated Size() func
7557ad7 added mac, windows and linux binary releases for all framework components
34c23db added new protocols and source code stats to readme
655a29f added payload flag to preserve payloads for TCP, UDP and USB packets
e013aa5 adjusted logo height
efac59f change sep to dash for better readability
8923641 collector cleanup and comments
9290320 collector cleanup and formatting
90fbb77 fix missing layer encoders
778118a fixed LayerType of BFD
1ab319c fixed build tags for linux
c29bf0b handle error returned by CollectLive
5d7c91a implemented encoding OSPFv2 content section
b0f689c implemented merged LayerEncoders to deal with protocols with multiple versions but one gopacket.LayerType (such as OSPF), LSA type definitions, GRE hotfix, LLDI unified string format
e5e0b5f implemented support for NortelDiscovery
bbb8885 implemented support for CiscoDiscovery protocol
f90198a implemented support for USBRequestBlockSetup
3411f38 join func leftovers
819b045 logo update
9f1ef6b logo update
343e871 logo update
a4d03ee logo update
88fe7ae logo update
7a655d4 logo update
164bb64 made CSV separator symbols configurable for any runmode
708d96c made structure separators in CSV configurable via commandline
33cedce mod support, cleanup and linting
53ee0ab panic if conversion to CSV fails
e2419b4 remove spaces from copying TeX
ea57de3 removed 1 second sleep after printing CSV header
dbf7029 renamed invalidProto func to invalidEncoder
582d271 replaced strings.Join usage with join func
fdc3c3d strings.Join leftovers
e1b4f7c updated README
d57d265 updated commands.yml and TODOs
dd1d330 updated logo
9990442 version bump to v0.3.9


@dreadl0ck dreadl0ck released this Jan 5, 2019 · 154 commits to master since this release


ecff680 added script to run docker container and extract compiled binary
5b0faee added notes on cross compilation for linux
4ebacd1 added v0.3.7 dist folder
e888edc added windows build tag to collector
af2438c bootstrapped docker container for compiling linux release
ad1dc0d deleted binary release files
2095ebc generated dist
383b098 implemented support for EAPOL and EAPOLKey
8999c33 refactored encoder package level init because the syscall for determining block size is not available on windows
3bd6d26 use not windows build tag to allow compilation on macOS


@dreadl0ck dreadl0ck released this Dec 31, 2018 · 163 commits to master since this release


724b4c3 Merge branch 'ipsec-support'
7f35c92 VXLAN support
5b8ed13 added basic ipsec support
c55815e added disclaimer to new files
29185bd added dist and readme for v0.3.6
3082acd added geneve to initRecord func
19c2537 added support for geneve protocol
da5ffe4 added support for ipv6 fragments
2b41330 fix layertypes
9067552 implemented BFD encoder
a573aeb implemented LCM encoder
a323bc3 implemented MPLS encoder
41700e8 implemented VRRPv2 encoder
2ffb1e7 implemented modbusTCP encoder
1c653fd implemented ospf v2 and v3 encoders
2d3b720 implemented support for EAP protocol
73253a2 implemented support for FDDI
67dd59e implemented support for GRE protocol
43f7362 implemented support for USB
6a04651 version 0.3.7


@dreadl0ck dreadl0ck released this Dec 27, 2018 · 183 commits to master since this release


f6a89b9 ignore goreleaser config to avoid dirty state err for integration tests

Dec 26, 2018
thesis version