netcap
Netcap is a Go-based framework that converts network traffic into structured audit records for security monitoring and forensics. It provides 83 packet decoders, stream reassembly, file extraction, and a web UI—all in a single binary.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | dreadl0ck/netcap |
| Owner | dreadl0ck |
| Primary language | Go |
| License | GPL-3.0 — OSI-approved |
| Stars | 1.8k |
| Forks | 168 |
| Open issues | 4 |
| Latest release | v0.9.0 (2026-04-09) |
| Last updated | 2026-07-01 |
| Source | https://github.com/dreadl0ck/netcap |
What netcap is
Protocol Buffer–based network capture with concurrent architecture supporting 83 packet-layer and 40+ stream decoders, TCP/UDP reassembly, JA4 fingerprinting, YARA rule integration, and optional Hyperscan acceleration. Outputs to protobuf, CSV, JSON, or Elasticsearch.
Get the netcap source
Clone the repository and explore it locally.
git clone https://github.com/dreadl0ck/netcap.gitcd netcap# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Build decisions: choose between full DPI (`go build`), lightweight no-DPI, or Hyperscan-accelerated builds; Hyperscan requires libhs via pkg-config, complicating cross-platform CI/CD.
- Stream reassembly and file extraction can consume significant memory for large pcaps or sustained traffic; configure limits and storage strategy before production deployment.
- JA4 fingerprinting and YARA rules are powerful but require tuning; test detection rules against your traffic baseline to avoid false positives in alert pipelines.
- GPL-3.0 obligation: any derivative distribution must open-source modifications; internal-only use is unrestricted, but external tools wrapping netcap require legal review.
- Web UI (Vite + React) requires Node.js for development; service mode binaries include compiled assets but hot-reload development requires additional toolchain setup.
When to avoid it — and what to weigh
- Closed-Source Commercial Product Required — GPL-3.0 license requires source distribution; cannot be embedded in proprietary closed-source tools without open-sourcing your entire derivative. Requires legal review for commercial use.
- Very High Packet Throughput (>10 Gbps) at Wire Speed — Single-binary architecture and Go concurrency model may not sustain line-rate capture on multi-10G links without optimization; consider dedicated hardware (suricata) or kernel-space alternatives for extreme throughput.
- Windows-Native Deployment Only — While Windows is supported, primary development and production use is Linux/macOS; Windows support stability and performance not clearly documented.
- Zero Configuration / Plug-and-Play Expectation — Requires non-trivial setup: libpcap/libhs compilation, protocol decoder selection, rule authoring, and optional DPI/Hyperscan tuning; not suitable for no-code appliance deployments.
License & commercial use
GPL-3.0 (GNU General Public License v3.0). Permissive for modifications and redistribution *if source is provided*. Internal/research use unrestricted. Derivative works must remain GPL-3.0 compatible.
Internal commercial use (monitoring your own infrastructure) is allowed. Requires legal review before: (1) bundling into proprietary products, (2) offering as managed SaaS, or (3) distributing modified versions. GPL-3.0 copyleft obligation applies to redistributed code. Recommend consulting your legal counsel.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Netcap processes untrusted network data; consider input validation of malformed packets and DOS vectors (reassembly DoS from crafted TCP streams). Run as non-root where possible; file extraction and credential harvesting features should be gated by policy. No explicit security audit or fuzzing data provided. Protobuf schema minimizes deserialization vulns vs. JSON. Optional YARA integration assumes rule integrity; validate rule sources.
Alternatives to consider
Suricata (suricata-io/suricata)
LGPL-licensed, C-based, optimized for >10 Gbps IDS/IPS use; stronger protocol coverage and mature deployment. Trade-off: less flexible audit schema, harder to extend programmatically.
Zeek (zeek/zeek)
BSD-licensed, domain-specific language for traffic analysis, excellent protocol scripting, Elastic integration, mature. Trade-off: steeper learning curve, larger memory footprint, custom language vs. Go.
Arkime (arkime/arkime)
SSPL (Server Side Public License), full-stack capture + search + UI; tightly integrated Elasticsearch. Trade-off: SSPL restrictions on SaaS offerings, requires multi-node ES cluster.
Build on netcap with DEV.co software developers
Netcap excels in forensics, continuous monitoring, and distributed sensor deployments. Evaluate GPL-3.0 licensing constraints, compile with appropriate DPI/Hyperscan flags, and pilot with detection rules tuned to your baseline.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
netcap FAQ
Can I use Netcap in a commercial product?
What's the performance impact of DPI, Hyperscan, and YARA rules?
Does Netcap replace my IDS/IPS?
How do I deploy this at scale?
Software developers & web developers for hire
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If netcap is part of your open-source observability roadmap, our team can implement, customize, migrate, and maintain it.
Ready to Deploy Netcap for Network Security?
Netcap excels in forensics, continuous monitoring, and distributed sensor deployments. Evaluate GPL-3.0 licensing constraints, compile with appropriate DPI/Hyperscan flags, and pilot with detection rules tuned to your baseline.