DEV.co
Open-Source Observability · dreadl0ck

netcap

Netcap is a Go-based framework that converts network traffic into structured audit records for security monitoring and forensics. It provides 83 packet decoders, stream reassembly, file extraction, and a web UI—all in a single binary.

Source: GitHub — github.com/dreadl0ck/netcap
1.8k
GitHub stars
168
Forks
Go
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorydreadl0ck/netcap
Ownerdreadl0ck
Primary languageGo
LicenseGPL-3.0 — OSI-approved
Stars1.8k
Forks168
Open issues4
Latest releasev0.9.0 (2026-04-09)
Last updated2026-07-01
Sourcehttps://github.com/dreadl0ck/netcap

What netcap is

Protocol Buffer–based network capture with concurrent architecture supporting 83 packet-layer and 40+ stream decoders, TCP/UDP reassembly, JA4 fingerprinting, YARA rule integration, and optional Hyperscan acceleration. Outputs to protobuf, CSV, JSON, or Elasticsearch.

Quickstart

Get the netcap source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/dreadl0ck/netcap.gitcd netcap# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Network Forensics & Incident Response

Extract and analyze structured audit records from PCAP files post-incident; leverage credential harvesting, file extraction, and protocol-aware detection rules to reconstruct attack chains and identify indicators.

Continuous Security Monitoring (ELK Stack)

Deploy in service mode for live capture with direct Elasticsearch ingest; build Kibana dashboards and alerts using 141+ audit record types covering reconnaissance, exfiltration, and industrial protocol anomalies.

Distributed Multi-Sensor Deployments

Use agent/collector architecture for encrypted cross-datacenter network monitoring; aggregate and correlate traffic from multiple hosts into centralized analysis with Prometheus metrics and custom detection rules.

Implementation considerations

  • Build decisions: choose between full DPI (`go build`), lightweight no-DPI, or Hyperscan-accelerated builds; Hyperscan requires libhs via pkg-config, complicating cross-platform CI/CD.
  • Stream reassembly and file extraction can consume significant memory for large pcaps or sustained traffic; configure limits and storage strategy before production deployment.
  • JA4 fingerprinting and YARA rules are powerful but require tuning; test detection rules against your traffic baseline to avoid false positives in alert pipelines.
  • GPL-3.0 obligation: any derivative distribution must open-source modifications; internal-only use is unrestricted, but external tools wrapping netcap require legal review.
  • Web UI (Vite + React) requires Node.js for development; service mode binaries include compiled assets but hot-reload development requires additional toolchain setup.

When to avoid it — and what to weigh

  • Closed-Source Commercial Product Required — GPL-3.0 license requires source distribution; cannot be embedded in proprietary closed-source tools without open-sourcing your entire derivative. Requires legal review for commercial use.
  • Very High Packet Throughput (>10 Gbps) at Wire Speed — Single-binary architecture and Go concurrency model may not sustain line-rate capture on multi-10G links without optimization; consider dedicated hardware (suricata) or kernel-space alternatives for extreme throughput.
  • Windows-Native Deployment Only — While Windows is supported, primary development and production use is Linux/macOS; Windows support stability and performance not clearly documented.
  • Zero Configuration / Plug-and-Play Expectation — Requires non-trivial setup: libpcap/libhs compilation, protocol decoder selection, rule authoring, and optional DPI/Hyperscan tuning; not suitable for no-code appliance deployments.

License & commercial use

GPL-3.0 (GNU General Public License v3.0). Permissive for modifications and redistribution *if source is provided*. Internal/research use unrestricted. Derivative works must remain GPL-3.0 compatible.

Internal commercial use (monitoring your own infrastructure) is allowed. Requires legal review before: (1) bundling into proprietary products, (2) offering as managed SaaS, or (3) distributing modified versions. GPL-3.0 copyleft obligation applies to redistributed code. Recommend consulting your legal counsel.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Netcap processes untrusted network data; consider input validation of malformed packets and DOS vectors (reassembly DoS from crafted TCP streams). Run as non-root where possible; file extraction and credential harvesting features should be gated by policy. No explicit security audit or fuzzing data provided. Protobuf schema minimizes deserialization vulns vs. JSON. Optional YARA integration assumes rule integrity; validate rule sources.

Alternatives to consider

Suricata (suricata-io/suricata)

LGPL-licensed, C-based, optimized for >10 Gbps IDS/IPS use; stronger protocol coverage and mature deployment. Trade-off: less flexible audit schema, harder to extend programmatically.

Zeek (zeek/zeek)

BSD-licensed, domain-specific language for traffic analysis, excellent protocol scripting, Elastic integration, mature. Trade-off: steeper learning curve, larger memory footprint, custom language vs. Go.

Arkime (arkime/arkime)

SSPL (Server Side Public License), full-stack capture + search + UI; tightly integrated Elasticsearch. Trade-off: SSPL restrictions on SaaS offerings, requires multi-node ES cluster.

Software development agency

Build on netcap with DEV.co software developers

Netcap excels in forensics, continuous monitoring, and distributed sensor deployments. Evaluate GPL-3.0 licensing constraints, compile with appropriate DPI/Hyperscan flags, and pilot with detection rules tuned to your baseline.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

netcap FAQ

Can I use Netcap in a commercial product?
Internal use (monitoring your own infra) is unrestricted. Bundling into a closed-source product requires source distribution due to GPL-3.0 copyleft. Consult legal before SaaS or white-label offerings.
What's the performance impact of DPI, Hyperscan, and YARA rules?
Not quantified in provided data. Hyperscan docs claim ~2.2× speedup for nmap probes and up to ~6× on miss-heavy detection traffic. Requires benchmarking against your traffic patterns; optional tags (nodpi, hyperscan) let you tune CPU/memory trade-offs.
Does Netcap replace my IDS/IPS?
No. Netcap is a detection/analysis framework; it generates alerts via rules and extracts forensic artifacts. Suricata or Zeek handle inline blocking. Netcap complements them for post-incident analysis and ML pipelines.
How do I deploy this at scale?
Agent/collector architecture supports distributed multi-sensor setups with encrypted communication. Aggregate into Elasticsearch for centralized search and alerting. Prometheus metrics enable ops dashboards. Horizontal scaling requires multiple collectors.

Software developers & web developers for hire

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If netcap is part of your open-source observability roadmap, our team can implement, customize, migrate, and maintain it.

Ready to Deploy Netcap for Network Security?

Netcap excels in forensics, continuous monitoring, and distributed sensor deployments. Evaluate GPL-3.0 licensing constraints, compile with appropriate DPI/Hyperscan flags, and pilot with detection rules tuned to your baseline.