dreadl0ck / netcap
A framework for secure and scalable network traffic analysis - https://netcap.io
License: GNU General Public License v3.0
Hi,
Does v0.6.0 have compiled files, please?
I tried integrating with Windows Maltego, changing the path to the net.exe file.
An error occurred parsing the .pcap file:
2023/08/17 16:55:56 os.Args: [netcap.exe transform openNetcapFolder handshake-failure.pcap properties.filename=handshake-failure.pcap#property.atts31415237681098=1|null|]
2023/08/17 16:55:56 created open command: cmd [/C start .net]
2023/08/17 16:55:56 vals map[handshake-failure.pcap: openNetcapFolder: properties.filename:handshake-failure.pcap property.atts31415237681098:1|null| transform:]
2023/08/17 16:55:56 command for opening path: cmd
2023/08/17 16:55:58 The system cannot find the file .net.
exit status 1
The system cannot find the file .net.
: exit status 1
: input file path property not set
2023/08/17 16:57:40 os.Args: [netcap.exe transform toAuditRecordsUsingDPI handshake-failure.pcap properties.filename=handshake-failure.pcap#property.atts31415237681098=1|null|]
2023/08/17 16:57:40 input file path property not set
Hey Phil,
I've been cross compiling your project for the latest Security Onion version (16.04.5.6).
Netcap seems to work fine, however netlabel doesn't work at all. So far I haven't had time to investigate any further however I thought I'd let you know. Hopefully I'll be back with some useful information soon.
Thanks for your awesome project & BR
Reg1n
Hi,
For Go 1.17.1 the wrapper for nDPI is generating the following issue:
nDPI_wrapper.go:6: ./nDPI_wrapper_impl.h:3:10: fatal error: 'ndpi/ndpi_main.h' file not found
#include <ndpi/ndpi_main.h>
         ^~~~~~~~~~~~~~~~~~
Hi,
I followed the detailed steps to download Netcap for Kali, but when I typed "net" in my terminal I got "Invalid command: net". May I know what the cause is, or whether there are configuration issues I have made?
Error:
┌──(kali㉿kali)-[~/…/src/github.com/dreadl0ck/netcap]
└─$ net 1 ⚙
Invalid command: net
Hello, I encounter an error when the net.collect module runs after some minutes.
Any help?
panic: runtime error: index out of range
goroutine 194 [running]:
compress/flate.(*huffmanBitWriter).indexTokens(0xc00011e1e0, 0xc0009d0000, 0x4001, 0x4001, 0xc00006bc58, 0x4db6d5)
/usr/local/go/src/compress/flate/huffman_bit_writer.go:551 +0x2d8
compress/flate.(*huffmanBitWriter).writeBlock(0xc00011e1e0, 0xc0009d0000, 0x4001, 0x4001, 0x6e00, 0xc0009c6de1, 0x8949, 0x921f)
/usr/local/go/src/compress/flate/huffman_bit_writer.go:440 +0xa1
compress/flate.(*compressor).writeBlock(0xc00091e000, 0xc0009d0000, 0x4000, 0x4001, 0xf72a, 0x19, 0x6ef0)
/usr/local/go/src/compress/flate/deflate.go:170 +0xc2
compress/flate.(*compressor).deflate(0xc00091e000)
/usr/local/go/src/compress/flate/deflate.go:493 +0x3be
compress/flate.(*compressor).write(0xc00091e000, 0xc00064225c, 0x2791, 0xda4, 0x2800, 0x5a453e55, 0xc0001d4340)
/usr/local/go/src/compress/flate/deflate.go:551 +0x83
compress/flate.(*Writer).Write(...)
/usr/local/go/src/compress/flate/deflate.go:709
compress/gzip.(*Writer).Write(0xc0004a8630, 0xc000640800, 0x2791, 0x2800, 0xc0001d43e0, 0xc0000ac801, 0xc)
/usr/local/go/src/compress/gzip/gzip.go:196 +0xce
main.udpServer.func1.1(0xc00009d8c0, 0xc0000af9a0)
/go/src/github.com/dreadl0ck/netcap/cmd/collect/main.go:230 +0xb2b
created by main.udpServer.func1
/go/src/github.com/dreadl0ck/netcap/cmd/collect/main.go:167 +0x5b
I have tried many methods, but I have failed to compile all the tools successfully. After modifying the CGO_ENABLED and ldflags parameters, I get a pcap-related error, but the libpcap-dev package is installed on the host system.
Hello,
Currently I'm trying to install netcap on an Ubuntu system.
Current version of Ubuntu I'm running:
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
I've installed Golang using following guide:
https://www.tecmint.com/install-go-in-linux/
After running command:
$ go build -o $GOPATH/bin/netcap -i github.com/dreadl0ck/netcap/cmd/...
I receive the binaries within the directory, as expected:
$GOPATH/bin/netcap/
with the go binaries: agent capture collect dump export label proxy util
After running the shell script:
chmod u+x install-netcap.sh
./install-netcap.sh
I get the following error:
can't load package: package github.com/dreadl0ck/netcap/cmd: no Go files in /home/aaron/go/src/github.com/dreadl0ck/netcap/cmd
I'm unsure what I did wrong.
After building all apps:
$ net.capture -iface eth0
command not found
Hi,
This project looks great and I'm really interested in the Maltego transform, but for the life of me I can't install it.
I'd really like to help out on this, but the barrier to entry is quite high at the moment.
The Zeus build system link leads to a 404 page
Is there currently a method to reference correlated events across log output files? I know zeek adds a UID field to correlate events across various files, is there a similar method with NetCap to do the same thing?
I'm creating a package for this to push to the Arch Linux AUR, and I was wondering what your thoughts were on renaming the netcap binary to something that won't conflict with the libcap-ng library:
➜ pacman -Qo `which netcap`
/usr/bin/netcap is owned by libcap-ng 0.7.9-1
Perhaps something like netcapper or gonetcap?
Thoughts?
Thanks!
@dreadl0ck
What version of Netcap, which OS, which version of OS did you use?
v0.6.11, Kali Linux 2023.4
What did you want to do?
Use Maltego with netcap
What happened instead?
I followed https://docs.netcap.io/installation/kali-linux and even repeated the steps. I configured from source, so initially used /home/kali/go/src/github.com/dreadl0ck/netcap/maltego/netcap.mtz. Had issues, so downloaded the latest netcap.mtz from https://github.com/dreadl0ck/netcap/raw/master/maltego/netcap.mtz into the directory. Configured the file type matcher preference and deselected 'use regex converter'. Manually imported my pcap, ran To Audit Records [NETCAP] and got an error. A set3.pcap.net directory was made with all the files in it, but it would not populate in Maltego.
What output did you get?
Maltego transform output is
[12/28/23, 12:48 AM] INFO Transform To Audit Records [NETCAP] done (from entity "set3.pcap")
[12/28/23, 12:50 AM] INFO Running transform To Audit Records [NETCAP] on 1 entities (from entity "set3")
[12/28/23, 12:50 AM] ERROR ParseError at [row,col]:[1,1] Message: Content is not allowed in prolog (from entity "set3")
[12/28/23, 12:50 AM] WARNING Transform To Audit Records [NETCAP] returned with an error: ParseError at [row,col]:[1,1] Message: Content is not allowed in prolog (from entity "set3")
[12/28/23, 12:50 AM] INFO Transform To Audit Records [NETCAP] done (from entity "set3")
I have executed an SSH brute-force attack against my victim Linux host, and it pops up in Suricata's
fast.log, but the label command on my trace file shows nothing (even the fast.log copied by the label command is empty).
fast.log:
09/20/2019-10:27:18.123609 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.xx.xx.xx:44552 -> 192.xx.xx.xx:22
09/20/2019-10:27:20.198623 [**] [1:10000001:1] Possible SSH brute forcing! [**] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 172.xx.xx.xx:44560 -> 192.xx.xx.xx:22
labeling:
label -debug -r ../../sshbrute-attack.pcap
checking log dir: ../../sshbrute-attack
removing suricata logfiles from previous runs
scanning ../../sshbrute-attack.pcap with suricata...
done. reading logs from ../../sshbrute-attack/fast.log
parsing suricata fast.log
0 alerts ignored in labelMap
no labels found.
Could you please help, what I am missing?
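The labeling step above depends on reading alerts out of Suricata's fast.log; when that file is empty, nothing can be labeled. The following is an added example, not netcap's own label code (which this issue does not show): a Go parser for fast.log lines of the form quoted above that extracts the signature id, message, classification, priority and 5-tuple, skips malformed lines, and builds two lookup structures a labeler would want: a map from classification to signature counts, and an index from flow 5-tuple to alerts. The sample lines and the RFC 5737 addresses in them are constructed after the two alerts in the post; the function names are the example's own. It also accepts the `[]` form that appears when a Markdown renderer strips the asterisks from `[**]`.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Constructed sample in Suricata fast.log format, modelled on the two alerts
// quoted in the issue; addresses are RFC 5737 documentation addresses standing
// in for the masked 172.xx / 192.xx values. The last line is deliberately broken.
const sampleFastLog = `09/20/2019-10:27:18.123609  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44552 -> 198.51.100.20:22
09/20/2019-10:27:20.198623  [**] [1:10000001:1] Possible SSH brute forcing! [**] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 192.0.2.10:44560 -> 198.51.100.20:22
this line is deliberately malformed and must be skipped
`

// One fast.log line: timestamp, [**] (or [] when a renderer ate the asterisks),
// [gid:sid:rev], message, classification, priority, protocol and the 5-tuple.
var fastLogRe = regexp.MustCompile(
	`^(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+` +
		`(?:\[\*\*\]|\[\])\s+\[(\d+):(\d+):(\d+)\]\s+` +
		`(.*?)\s+(?:\[\*\*\]|\[\])\s+` +
		`\[Classification:\s*([^\]]*)\]\s+` +
		`\[Priority:\s*(\d+)\]\s+` +
		`\{([^}]+)\}\s+` +
		`(\S+):(\d+)\s+->\s+(\S+):(\d+)\s*$`)

// Alert is one parsed fast.log entry.
type Alert struct {
	Timestamp      time.Time
	GID, SID, Rev  int
	Message        string
	Classification string
	Priority       int
	Proto, Src     string
	SrcPort        int
	Dst            string
	DstPort        int
}

// Flow is the 5-tuple an audit record (e.g. a TCP connection) can be matched on.
type Flow struct {
	Proto, Src, Dst  string
	SrcPort, DstPort int
}

func (a Alert) Flow() Flow { return Flow{a.Proto, a.Src, a.Dst, a.SrcPort, a.DstPort} }

// ParseLine parses a single fast.log line; ok is false for lines that do not match.
func ParseLine(line string) (Alert, bool) {
	m := fastLogRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return Alert{}, false
	}
	ts, err := time.Parse("01/02/2006-15:04:05.000000", m[1])
	if err != nil {
		return Alert{}, false
	}
	atoi := func(s string) int { n, _ := strconv.Atoi(s); return n } // digits guaranteed by the regex
	return Alert{
		Timestamp: ts, GID: atoi(m[2]), SID: atoi(m[3]), Rev: atoi(m[4]),
		Message: m[5], Classification: m[6], Priority: atoi(m[7]), Proto: m[8],
		Src: m[9], SrcPort: atoi(m[10]), Dst: m[11], DstPort: atoi(m[12]),
	}, true
}

// ParseFastLog parses every non-empty line and reports how many were skipped.
// An empty file (the symptom in the issue) yields no alerts, hence no labels.
func ParseFastLog(text string) ([]Alert, int) {
	var alerts []Alert
	skipped := 0
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		if a, ok := ParseLine(line); ok {
			alerts = append(alerts, a)
		} else {
			skipped++
		}
	}
	return alerts, skipped
}

// BuildLabelMap groups alerts by classification and counts each signature message.
func BuildLabelMap(alerts []Alert) map[string]map[string]int {
	labelMap := make(map[string]map[string]int)
	for _, a := range alerts {
		if labelMap[a.Classification] == nil {
			labelMap[a.Classification] = make(map[string]int)
		}
		labelMap[a.Classification][a.Message]++
	}
	return labelMap
}

// IndexByFlow indexes alerts by 5-tuple so a record can be labelled by flow lookup.
func IndexByFlow(alerts []Alert) map[Flow][]Alert {
	idx := make(map[Flow][]Alert)
	for _, a := range alerts {
		idx[a.Flow()] = append(idx[a.Flow()], a)
	}
	return idx
}

func main() {
	alerts, skipped := ParseFastLog(sampleFastLog)
	fmt.Printf("%d alerts parsed, %d lines skipped\n", len(alerts), skipped)
	for class, sigs := range BuildLabelMap(alerts) {
		fmt.Printf("%s: %v\n", class, sigs)
	}
}
```

Running it on the sample prints two parsed alerts and one skipped line; feeding it an empty fast.log returns zero alerts, which is the "no labels found" outcome in the post, so checking the parsed count before labeling makes the empty-log case visible.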
Cross compiling from macOS to Linux and Windows fails for me, due to gopacket's libpcap bindings.
Maybe @notti can help?
Compile for Windows:
# install compiler toolchain and libpcap headers
$ brew install mingw-w64
$ brew install libpcap
$ GOOS=windows GOARCH=amd64 CC=x86_64-w64-mingw32-gcc CGO_ENABLED=1 CGO_CFLAGS="-I/usr/local/opt/libpcap/include" go build -o netcap-windows -i github.com/dreadl0ck/netcap/cmd
# github.com/google/gopacket/pcap
/usr/local/Cellar/mingw-w64/5.0.4_1/toolchain-x86_64/bin/x86_64-w64-mingw32-ld: cannot find -lwpcap
collect2: error: ld returned 1 exit status
Compile for Linux:
$ GOOS=linux GOARCH=amd64 CGO_ENABLED=1 go build -o netcap-linux -i github.com/dreadl0ck/netcap/cmd
# github.com/dreadl0ck/netcap/cmd
/usr/local/Cellar/go/1.11.4/libexec/pkg/tool/darwin_amd64/link: running clang failed: exit status 1
ld: warning: ignoring file /var/folders/3n/1r2xxfv55d35jxh33rklbzm80000gn/T/go-link-877356077/go.o, file was built for unsupported file format ( 0x7F 0x45 0x4C 0x46 0x02 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 ) which is not the architecture being linked (x86_64): /var/folders/3n/1r2xxfv55d35jxh33rklbzm80000gn/T/go-link-877356077/go.o
Undefined symbols for architecture x86_64:
"__cgo_topofstack", referenced from:
__cgo_f163a891a53f_Cfunc_calloc in 000001.o
__cgo_f163a891a53f_Cfunc_pcap_activate in 000001.o
__cgo_f163a891a53f_Cfunc_pcap_can_set_rfmon in 000001.o
__cgo_f163a891a53f_Cfunc_pcap_compile in 000001.o
__cgo_f163a891a53f_Cfunc_pcap_create in 000001.o
__cgo_f163a891a53f_Cfunc_pcap_datalink in 000001.o
__cgo_f163a891a53f_Cfunc_pcap_datalink_name_to_val in 000001.o
...
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Description:
When installing netcap on an Ubuntu 18 setup in Visual Studio Code I get the following error:
github.com/dreadl0ck/netcap/encoder
go/src/github.com/dreadl0ck/netcap/encoder/tls.go:51:17: hello.Unmarshall undefined (type tlsx.ClientHello has no field or method Unmarshall)
go/src/github.com/dreadl0ck/netcap/encoder/tls.go:55:3: use of untyped nil
go/src/github.com/dreadl0ck/netcap/encoder/tls.go:131:37: cannot use hello (type *tlsx.ClientHello) as type *tlsx.ClientHelloBasic in argument to ja3.DigestHex
Do I need to install some additional package on Linux, or is there a specific version that I should use?
A nice feature would be decoding protobuf data.