Netcap consists of several commandline tools:
- net.capture (capture audit records live or from dumpfiles)
- net.dump (dump audit records in various formats)
- net.label (tool for creating labeled CSV datasets from netcap data)
- net.collect (collection server for distributed collection)
- net.agent (sensor agent for distributed collection)
- net.proxy (http reverse proxy for capturing traffic from web services)
- net.util (utility tool for validating audit records and converting timestamps)
- net.export (exporter for prometheus metrics)
Watch a quick demo of the deep neural network for classification of malicious behavior, run on a small PCAP dump file containing traffic from the LOKI Bot. First, the PCAP file is parsed with netcap to produce audit records, which are then labeled with the net.label tool. The labeled CSV data for the TCP audit record type is then split into a training set (75%) and an evaluation set (25%) used to measure the classification accuracy of the deep neural network.
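The steps after labeling (labeled CSV in, stratified 75/25 split, train, measure accuracy) are illustrated below with an added example that is not part of netcap or its demo. The CSV text is a constructed sample with a handful of plausible TCP audit record fields and a `result` label column; the column names are assumptions and are not netcap's exact schema. A nearest-centroid classifier over min-max scaled features stands in for the deep neural network so that the block runs offline with only the standard library; the split and evaluation logic is the same regardless of which model is plugged in.

```python
import csv
import io
import math
import random
from collections import defaultdict

# Constructed sample of labeled TCP audit records (NOT real netcap output);
# column names are assumed for illustration, "result" holds the label.
LABELED_TCP_CSV = """Timestamp,SrcPort,DstPort,Window,PayloadSize,SYN,ACK,result
1,51234,443,65535,0,1,0,normal
2,51234,443,64240,517,0,1,normal
3,51235,80,65535,0,1,0,normal
4,51235,80,64240,312,0,1,normal
5,51236,443,65535,0,1,0,normal
6,51236,443,64240,489,0,1,normal
7,51237,22,65535,0,1,0,normal
8,51237,22,64240,210,0,1,normal
9,49152,8080,1024,4096,0,1,LokiBot
10,49153,8080,1024,4100,0,1,LokiBot
11,49154,8080,1024,3980,0,1,LokiBot
12,49155,8080,1024,4210,0,1,LokiBot
13,49156,8080,1024,4050,0,1,LokiBot
14,49157,8080,1024,4150,0,1,LokiBot
15,49158,8080,1024,3900,0,1,LokiBot
16,49159,8080,1024,4300,0,1,LokiBot
"""

# Numeric columns used as model input; Timestamp is deliberately excluded
# so the model cannot learn "when" instead of "what".
FEATURES = ["SrcPort", "DstPort", "Window", "PayloadSize", "SYN", "ACK"]
LABEL = "result"


def load_rows(csv_text):
    """Parse labeled CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def stratified_split(rows, label_col=LABEL, train_fraction=0.75, seed=42):
    """Split rows per class so both sets keep the class proportions.
    A plain random split on small, imbalanced data can leave a class
    entirely out of the evaluation set, which hides misclassifications."""
    by_label = defaultdict(list)
    for row in rows:
        by_label[row[label_col]].append(row)
    rng = random.Random(seed)
    train, test = [], []
    for label in sorted(by_label):
        group = list(by_label[label])
        rng.shuffle(group)
        cut = int(round(len(group) * train_fraction))
        train.extend(group[:cut])
        test.extend(group[cut:])
    return train, test


def fit_scaler(rows):
    """Min/max per feature, computed on the training set only so the
    evaluation set does not leak into preprocessing."""
    return {f: (min(float(r[f]) for r in rows), max(float(r[f]) for r in rows))
            for f in FEATURES}


def vectorize(row, scaler):
    vec = []
    for f in FEATURES:
        lo, hi = scaler[f]
        vec.append(0.0 if hi == lo else (float(row[f]) - lo) / (hi - lo))
    return vec


def train_centroids(rows, scaler):
    """Stand-in model: one centroid per class in scaled feature space."""
    sums, counts = defaultdict(lambda: [0.0] * len(FEATURES)), defaultdict(int)
    for r in rows:
        for i, v in enumerate(vectorize(r, scaler)):
            sums[r[LABEL]][i] += v
        counts[r[LABEL]] += 1
    return {lbl: [s / counts[lbl] for s in sums[lbl]] for lbl in sums}


def predict(row, centroids, scaler):
    vec = vectorize(row, scaler)
    dist = lambda c: math.sqrt(sum((a - b) ** 2 for a, b in zip(vec, c)))
    return min(centroids, key=lambda lbl: dist(centroids[lbl]))


def evaluate(train, test):
    """Fit on train, return accuracy on test (fraction of correct labels)."""
    scaler = fit_scaler(train)
    centroids = train_centroids(train, scaler)
    correct = sum(predict(r, centroids, scaler) == r[LABEL] for r in test)
    return correct / len(test)


if __name__ == "__main__":
    rows = load_rows(LABELED_TCP_CSV)
    train, test = stratified_split(rows)
    print(f"{len(train)} training rows, {len(test)} evaluation rows")
    print(f"accuracy: {evaluate(train, test):.2f}")
```

Two points carry over to a real netcap dataset: fit any scaling on the training portion only, and report accuracy per class as well as overall, since a model that always answers "normal" scores well on overall accuracy when malicious flows are rare.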
Read more about them in the Documentation.