What is Netcap?
Netcap (NETwork CAPture) is an open-source framework that efficiently converts network packet streams into platform-neutral, type-safe structured audit records. These records represent specific protocols or custom abstractions and are ideal for machine learning, security research, and forensic analysis.
The project won 2nd Place at Kaspersky Labs SecurIT Cup 2018 in Budapest and is actively maintained and developed.
The Problem
Traditional packet capture tools output raw packet data that requires significant post-processing. Security researchers and data scientists spend more time on data collection and transformation than on actual analysis.
The Solution
Netcap bridges this gap by providing structured, high-dimensional data about observed traffic. It allows researchers to focus on experimentation rather than data wrangling.
Key Benefits:
- Memory Safe - Implemented in Go, whose bounds-checked slices and garbage collector rule out the buffer overflows and use-after-free bugs that make parsing untrusted, potentially malicious packet data risky in C
- Protocol Buffers - Output encoded with Google’s Protocol Buffers for cross-language compatibility
- Concurrent Design - Leverages multi-core architectures for high-performance packet processing
- 66+ Audit Records - Comprehensive coverage of network protocols and custom abstractions
- Cross-Platform - Supports Linux, macOS, and Windows with consistent output formats
- Extensible - Multiple ways to add support for new protocols while maintaining memory safety
- ML Ready - Output formats optimized for machine learning pipelines and data analysis tools
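The "memory safe parsing" and "structured audit record" points above, as an added illustration that is not Netcap's code: a bounds-checked Go decoder that turns one Ethernet II / IPv4 / TCP frame into a hypothetical `TCPRecord` struct (a stand-in for a protocol-specific audit record, not a Netcap type). Every slice access is preceded by a length check, so a truncated or malformed frame yields an error instead of an out-of-bounds read. The frame bytes in `SampleFrame` are constructed here for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// TCPRecord is a hypothetical, minimal structured audit record in the spirit
// of a per-protocol Netcap record. It is NOT a Netcap type.
type TCPRecord struct {
	SrcMAC, DstMAC   string
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
	Flags            uint8 // raw TCP flag byte (e.g. 0x18 = PSH|ACK)
	PayloadLen       int
}

var ErrTruncated = errors.New("truncated frame")

// ParseTCPFrame decodes an Ethernet II / IPv4 / TCP frame into a TCPRecord.
// Each header is length-checked before it is touched; malformed input returns
// an error rather than reading past the buffer (Go would panic on an
// out-of-bounds index, never silently read adjacent memory as C might).
func ParseTCPFrame(b []byte) (*TCPRecord, error) {
	if len(b) < 14 {
		return nil, ErrTruncated
	}
	if binary.BigEndian.Uint16(b[12:14]) != 0x0800 {
		return nil, errors.New("not an IPv4 frame")
	}
	ip := b[14:]
	if len(ip) < 20 {
		return nil, ErrTruncated
	}
	if ip[0]>>4 != 4 {
		return nil, errors.New("not an IPv4 header")
	}
	ihl := int(ip[0]&0x0f) * 4 // header length in bytes, from the IHL nibble
	if ihl < 20 || len(ip) < ihl {
		return nil, ErrTruncated
	}
	totalLen := int(binary.BigEndian.Uint16(ip[2:4]))
	if totalLen < ihl || totalLen > len(ip) {
		// Declared length exceeds what was captured: do not trust it.
		return nil, ErrTruncated
	}
	if ip[9] != 6 {
		return nil, errors.New("not TCP")
	}
	tcp := ip[ihl:totalLen] // ignore any Ethernet padding after the IP datagram
	if len(tcp) < 20 {
		return nil, ErrTruncated
	}
	dataOff := int(tcp[12]>>4) * 4 // TCP header length from the data-offset nibble
	if dataOff < 20 || len(tcp) < dataOff {
		return nil, ErrTruncated
	}
	return &TCPRecord{
		DstMAC:     net.HardwareAddr(b[0:6]).String(),
		SrcMAC:     net.HardwareAddr(b[6:12]).String(),
		SrcIP:      net.IP(ip[12:16]).String(),
		DstIP:      net.IP(ip[16:20]).String(),
		SrcPort:    binary.BigEndian.Uint16(tcp[0:2]),
		DstPort:    binary.BigEndian.Uint16(tcp[2:4]),
		Flags:      tcp[13],
		PayloadLen: len(tcp) - dataOff,
	}, nil
}

// SampleFrame returns a constructed 58-byte frame: Ethernet II, IPv4
// 10.0.0.1 -> 10.0.0.2, TCP 12345 -> 443 with PSH|ACK and a 4-byte payload.
func SampleFrame() []byte {
	return []byte{
		// Ethernet: dst, src, EtherType IPv4
		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00,
		// IPv4: ver/IHL, TOS, total length 44, id, flags/frag, TTL 64, proto TCP, csum, src, dst
		0x45, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
		10, 0, 0, 1, 10, 0, 0, 2,
		// TCP: src 12345, dst 443, seq, ack, data offset 5, flags PSH|ACK, window, csum, urg
		0x30, 0x39, 0x01, 0xbb, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x18, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
		// payload
		'G', 'E', 'T', ' ',
	}
}

func main() {
	rec, err := ParseTCPFrame(SampleFrame())
	fmt.Printf("record=%+v err=%v\n", rec, err)
	// A frame cut short mid-IP-header is rejected, not partially decoded.
	_, err = ParseTCPFrame(SampleFrame()[:40])
	fmt.Println("truncated:", err)
}
```

The same checks apply to any length field a packet supplies (IHL, IP total length, TCP data offset): the decoder only trusts a declared length after confirming the captured buffer actually holds that many bytes.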
Framework Components
The framework consists of 9 integrated tools compiled into a single binary:
| Tool | Purpose |
|---|---|
| capture | Capture audit records live or from PCAP files |
| dump | Display audit records in various formats |
| label | Create labeled CSV datasets for ML training |
| collect | Collection server for distributed deployments |
| agent | Sensor agent for distributed collection |
| proxy | HTTP reverse proxy for web service traffic |
| util | Validate records and convert timestamps |
| export | Export Prometheus metrics |
| transform | Maltego transformation plugin |
Use Cases
- Monitoring honeypots and detecting intrusions
- Securing medical and industrial IoT devices
- Research on anomaly-based detection mechanisms
- Network forensics and incident response
- Training machine learning models on network data
License
Netcap Core is licensed under the GNU General Public License v3. GPLv3 is a copyleft license, not a permissive one: you may use, modify and redistribute the project freely, including commercially, but any derivative you distribute must also be released under the GPL, so closed-source versions cannot be distributed.
For detailed documentation, visit docs.netcap.io. A complete list of supported protocols is available in the protocol support documentation.