dreadl0ck / netcap Goto Github PK

Hi，
does v0.6.0 have compiled files, pls?

I tried integrating with windows maltego, changing the path to the net.exe file.
An error occurred parsing the .pcap file:
2023/08/17 16:55:56 os.Args: [netcap.exe transform openNetcapFolder handshake-failure.pcap properties.filename=handshake-failure.pcap#property.atts31415237681098=1|null|]
2023/08/17 16:55:56 created open command: cmd [/C start .net]
2023/08/17 16:55:56 vals map[handshake-failure.pcap: openNetcapFolder: properties.filename:handshake-failure.pcap property.atts31415237681098:1|null| transform:]
2023/08/17 16:55:56 command for opening path: cmd
2023/08/17 16:55:58 The system cannot find the file .net.
exit status 1
The system cannot find the file .net. : exit status 1

: input file path property not set
2023/08/17 16:57:40 os.Args: [netcap.exe transform toAuditRecordsUsingDPI handshake-failure.pcap properties.filename=handshake-failure.pcap#property.atts31415237681098=1|null|]
2023/08/17 16:57:40 input file path property not set

Hey Phil,
I've been cross compiling your project for the latest Security Onion version (16.04.5.6).
Netcap seems to work fine, however netlabel doesn't work at all. So far I haven't had time to investigate any further however I thought I'd let you know. Hopefully I'll be back with some useful information soon.

Thanks for your awesome project & BR
Reg1n

hi ,

for go 1.17.1 wrapper for ndpi is generating follwing issue

nDPI_wrapper.go:6: ./nDPI_wrapper_impl.h:3:10: fatal error: 'ndpi/ndpi_main.h' file not found #include <ndpi/ndpi_main.h> ^~~~~~~~~~~~~~~~~~

Hi,

I followed the detailed steps to download Netcap for Kali, but when i punched in "net" in my terminal. I was thrown with "Invalid command:net". May i know what is the cause or there are configuration issues that I have errored.

Error:
┌──(kali㉿kali)-[~/…/src/github.com/dreadl0ck/netcap]
└─$ net 1 ⚙
Invalid command: net

Hello, i encounter error when net.collect modules run after some minutes
any help?

panic: runtime error: index out of range

goroutine 194 [running]:
compress/flate.(*huffmanBitWriter).indexTokens(0xc00011e1e0, 0xc0009d0000, 0x4001, 0x4001, 0xc00006bc58, 0x4db6d5)
/usr/local/go/src/compress/flate/huffman_bit_writer.go:551 +0x2d8
compress/flate.(*huffmanBitWriter).writeBlock(0xc00011e1e0, 0xc0009d0000, 0x4001, 0x4001, 0x6e00, 0xc0009c6de1, 0x8949, 0x921f)
/usr/local/go/src/compress/flate/huffman_bit_writer.go:440 +0xa1
compress/flate.(*compressor).writeBlock(0xc00091e000, 0xc0009d0000, 0x4000, 0x4001, 0xf72a, 0x19, 0x6ef0)
/usr/local/go/src/compress/flate/deflate.go:170 +0xc2
compress/flate.(*compressor).deflate(0xc00091e000)
/usr/local/go/src/compress/flate/deflate.go:493 +0x3be
compress/flate.(*compressor).write(0xc00091e000, 0xc00064225c, 0x2791, 0xda4, 0x2800, 0x5a453e55, 0xc0001d4340)
/usr/local/go/src/compress/flate/deflate.go:551 +0x83
compress/flate.(*Writer).Write(...)
/usr/local/go/src/compress/flate/deflate.go:709
compress/gzip.(*Writer).Write(0xc0004a8630, 0xc000640800, 0x2791, 0x2800, 0xc0001d43e0, 0xc0000ac801, 0xc)
/usr/local/go/src/compress/gzip/gzip.go:196 +0xce
main.udpServer.func1.1(0xc00009d8c0, 0xc0000af9a0)
/go/src/github.com/dreadl0ck/netcap/cmd/collect/main.go:230 +0xb2b
created by main.udpServer.func1
/go/src/github.com/dreadl0ck/netcap/cmd/collect/main.go:167 +0x5b

I have tried many methods, but I have failed to compile all the tools successfully. By modifying the CGO_ENABLED and ldflags parameters, I will prompt pcap related error, but the libpcap-dev package is installed on the host system.

Hello,

Currently i'm trying to install the netcap on a ubuntu system.
current version of ubuntu i'm running:
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"

I've installed Golang using following guide:
https://www.tecmint.com/install-go-in-linux/

After running command:
$ go build -o $GOPATH/bin/netcap -i github.com/dreadl0ck/netcap/cmd/...

I receive the binaries within the directory, as expected:
$GOPATH/bin/netcap/
with the go binaries: agent capture collect dump export label proxy util

After running the shell script:
chmod u+x install-netcap.sh
./install-netcap.sh

I get the following error:
can't load package: package github.com/dreadl0ck/netcap/cmd: no Go files in /home/aaron/go/src/github.com/dreadl0ck/netcap/cmd

I'm unsure of what I did wrong

after build all app
$ net.capture -iface eth0
command not found

Hi,

This project looks great and i'm really interested in the maltego transform but for the life of me I can't install it.

• Version 5.2 doesn't seem to exist on GitHub
• The Maltego transform for version 5.2 doesn't work with the latest build - no GetDevices transform
• On Windows there are loads of fixed references to /usr/local/bin so whilst it looks like it the binary should work it doesn't
• On Linux the commands for building the package don't work with the latest version of Go
• The commands on the documentation site for building don't work for me

I'd really like to help out on this but the barrier to entry is quite high at the moment.

The Zeus build system link leads to a 404 page

Is there currently a method to reference correlated events across log output files? I know zeek adds a UID field to correlate events across various files, is there a similar method with NetCap to do the same thing?

I'm creating a package for this to push to the Arch Linux AUR, and I was wondering what your thoughts were on renaming the netcap binary to something that won't conflict with the libcap-ng library:

➜ pacman -Qo `which netcap`
/usr/bin/netcap is owned by libcap-ng 0.7.9-1

Perhaps something like netcapper or gonetcap?

Thoughts?

Thanks!

@dreadl0ck
What version of Netcap, which OS, which version of OS did you use?
v0.6.11, Kali Linux 2023.4

What did you want to do?
Use Maltego with netcap

What happened instead?
I followed https://docs.netcap.io/installation/kali-linux and even repeated steps. I configured from source so initially used /home/kali/go/src/github.com/dreadl0ck/netcap/maltego/netcap.mtz. Had issues so downloaded the lateest netcap.mtz from https://github.com/dreadl0ck/netcap/raw/master/maltego/netcap.mtz into the directory. Configured the file type matcher preference and deselected 'use regex converter'. Manually imported my pcap, ran To Audit Records [NETCAP] and got an error. A set3.pcap.net directory was made with all the files in it but it would not populate in Maltego.

What output did you get?
Maltego transform output is
[12/28/23, 12:48 AM] INFO Transform To Audit Records [NETCAP] done (from entity "set3.pcap") [12/28/23, 12:50 AM] INFO Running transform To Audit Records [NETCAP] on 1 entities (from entity "set3") [12/28/23, 12:50 AM] ERROR ParseError at [row,col]:[1,1] Message: Content is not allowed in prolog (from entity "set3") [12/28/23, 12:50 AM] WARNING Transform To Audit Records [NETCAP] returned with an error: ParseError at [row,col]:[1,1] Message: Content is not allowed in prolog (from entity "set3") [12/28/23, 12:50 AM] INFO Transform To Audit Records [NETCAP] done (from entity "set3")

I have executed ssh-brute-force attack against my victim linux host, and it pops up in suricata's
fast.log, but after all, label command on my trace file shows nothing (even fast.log copied by label command is empty..)

fast.log:
09/20/2019-10:27:18.123609 [] [1:2001219:20] ET SCAN Potential SSH Scan [] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.xx.xx.xx:44552 -> 192.xx.xx.xx:22
09/20/2019-10:27:20.198623 [] [1:10000001:1] Possible SSH brute forcing! [] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 172.xx.xx.xx:44560 -> 192.xx.xx.xx:22

labeling:
label -debug -r ../../sshbrute-attack.pcap
checking log dir: ../../sshbrute-attack
removing suricata logfiles from previous runs
scanning ../../sshbrute-attack.pcap with suricata...
done. reading logs from ../../sshbrute-attack/fast.log
parsing suricata fast.log
0 alerts ignored in labelMap
no labels found.

Could you please help, what I am missing?

Cross compiling from macOS to linux and windows fails for me, due to gopackets libpcap bindings.
Maybe @notti can help?

Compile for Windows:

# install compiler toolchain and libpcap headers
$ brew install mingw-w64
$ brew install libpcap

$ GOOS=windows GOARCH=amd64 CC=x86_64-w64-mingw32-gcc CGO_ENABLED=1 CGO_CFLAGS="-I/usr/local/opt/libpcap/include" go build -o netcap-windows -i github.com/dreadl0ck/netcap/cmd
# github.com/google/gopacket/pcap
/usr/local/Cellar/mingw-w64/5.0.4_1/toolchain-x86_64/bin/x86_64-w64-mingw32-ld: cannot find -lwpcap
collect2: error: ld returned 1 exit status

Compile for Linux:

$ GOOS=linux GOARCH=amd64 CGO_ENABLED=1 go build -o netcap-linux -i github.com/dreadl0ck/netcap/cmd
# github.com/dreadl0ck/netcap/cmd
/usr/local/Cellar/go/1.11.4/libexec/pkg/tool/darwin_amd64/link: running clang failed: exit status 1
ld: warning: ignoring file /var/folders/3n/1r2xxfv55d35jxh33rklbzm80000gn/T/go-link-877356077/go.o, file was built for unsupported file format ( 0x7F 0x45 0x4C 0x46 0x02 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 ) which is not the architecture being linked (x86_64): /var/folders/3n/1r2xxfv55d35jxh33rklbzm80000gn/T/go-link-877356077/go.o
Undefined symbols for architecture x86_64:
"__cgo_topofstack", referenced from:
    __cgo_f163a891a53f_Cfunc_calloc in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_activate in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_can_set_rfmon in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_compile in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_create in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_datalink in 000001.o
    __cgo_f163a891a53f_Cfunc_pcap_datalink_name_to_val in 000001.o
    ...
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)

Description:

When installing netcap on an Ubuntu18 setup on VisualStucio code I get the following error:

github.com/dreadl0ck/netcap/encoder
go/src/github.com/dreadl0ck/netcap/encoder/tls.go:51:17: hello.Unmarshall undefined (type tlsx.ClientHello has no field or method Unmarshall)
go/src/github.com/dreadl0ck/netcap/encoder/tls.go:55:3: use of untyped nil
go/src/github.com/dreadl0ck/netcap/encoder/tls.go:131:37: cannot use hello (type *tlsx.ClientHello) as type *tlsx.ClientHelloBasic in argument to ja3.DigestHex

Do I need to install some additionl package on Linux or is there a specific verison that I should use?

A nice feature will be decoding protobuf data.