The Netcap (NETwork CAPture) framework efficiently converts a stream of network packets into platform neutral type-safe structured audit records that represent specific protocols or custom abstractions. These audit records can be stored on disk or exchanged over the network, and are well suited as a data source for machine learning algorithms. Since parsing of untrusted input can be dangerous and network data is potentially malicious, implementation was performed in a programming language that provides a garbage collected memory safe runtime. It was developed for a series of experiments in my bachelor thesis: Implementation and evaluation of secure and scalable anomaly-based network intrusion detection. The thesis can be used to as an introduction to the framework, its philosphy and architecture. However, be aware that the command-line interface was refactored heavily and the thesis examples refer to very early versions. Consult the documentation for the latest API and usage examples. Slides from my presentation at the Leibniz Supercomputing Centre of the Bavarian Academy of Sciences and Humanities are available on researchgate

Netcap uses Google’s Protocol Buffers to encode its output, which allows accessing it across a wide range of programming languages. Alternatively, output can be emitted as comma separated values, which is a common input format for data analysis tools and systems. The tool is extensible and provides multiple ways of adding support for new protocols, while implementing the parsing logic in a memory safe way. It provides high dimensional data about observed traffic and allows the researcher to focus on experimenting with novel approaches for detecting malicious behavior in network environments, instead of fiddling with data collection mechanisms and post processing steps. It has a concurrent design that makes use of multi-core architectures. The name Netcap was chosen to be simple and descriptive. The command-line tool was designed with usability and readability in mind, and displays progress when processing packets. The latest version offers 66 audit record types of which 55 are protocol specific and 8 are custom abstractions, such as flows or transferred files.

A list of all supported protocols can be found in the docs.



The source code is available on github.

Precompiled Binaries

There are compiled versions for mac, windows and linux available for those who don’t want to compile from source, as well as docker containers available from the docker registry.

You should download the latest stable release from the github releases page, the master branch might be unstable.

Docker Images

Getting an image from Docker Hub

Docker Hub is the place where open Docker images are stored. Download and run the v0.5 netcap container by typing:

$ docker run -exec -it dreadl0ck/netcap:alpine-v0.5 ash

This will check if this image is available on your computer and since it wasn’t it downloaded the image from Docker Hub. So getting an image from Docker Hub works sort of automatically. If you just want to pull the image but not run it, you can also do:

docker pull dreadl0ck/netcap:{VERSION}


For setup instructions, refer to the installation section in the documentation.

If you have problems during setup, feel free to contact me by mail:

dreadl0ck [at] protonmail [dot] ch


Interested in updates regarding the netcap project? Sign up for the newsletter!