These commits are when the Protocol Buffers files have changed: (only the last 100 relevant commits are shown)
| Commit: | f187618 | |
|---|---|---|
| Author: | Philipp Mieden | |
refactor: rename IPProfile audit record to Host Rename audit record type IPProfile -> Host across the codebase. To free up the Host name (previously used for HTTP Hostname Maltego entity), also rename the existing netcap.Host entity to netcap.HTTPHost. IPProfile -> Host: - proto: NC_IPProfile -> NC_Host, message IPProfile -> Host - types/ip_profile.go -> types/host.go (type, vars, methods) - decoder/packet/ip_profile.go -> decoder/packet/host.go (atomicIPProfileMap -> atomicHostMap, ipProfiles -> hosts, ipProfile wrapper -> hostEntry, ResetIPProfiles -> ResetHosts, updateIPProfile -> updateHost, etc.) - on-disk filename IPProfile.ncap.gz -> Host.ncap.gz - io/elastic.go switch case IPProfile -> Host - maltego/ip_profile.go -> maltego/host.go (LoadIPProfiles -> LoadHosts, IPProfileTransform -> HostTransform, IPProfileTransformationFunc -> HostTransformationFunc, ipProfileCountFunc -> hostCountFunc) - Maltego entity netcap.IPProfile -> netcap.Host (InternalIPProfile -> InternalHost, ExternalIPProfile -> ExternalHost, IPProfileAuditRecords -> HostAuditRecords) - Maltego transforms ToIPProfiles* -> ToHosts* - Webui: IPProfileSummary -> HostSummary, readIPProfiles -> readHosts, getIPProfileGeolocations -> getHostGeolocations, getIPProfileScatter3DData -> getHostScatter3DData, readJA4FromIPProfile -> readJA4FromHost - Frontend: value="IPProfile" -> value="Host" in MenuItem, chart map keys, dashboard text Conflict resolution (existing netcap.Host -> netcap.HTTPHost): - maltego/entity_generation_test.go: "Host" -> "HTTPHost" - maltego/transform_generation_test.go: netcap.Host -> netcap.HTTPHost - cmd/transform/ToHTTPHostNames.go: netcap.Host -> netcap.HTTPHost - cmd/transform/ToHTTPHostsFiltered.go: netcap.Host -> netcap.HTTPHost - New maltego/netcap/Entities/netcap.HTTPHost.entity for the renamed entity (parent type netcap.IPAddr, icon web_black) Also rename existing toHosts (POP3-specific filter) -> toPOP3Hosts to free up the toHosts function name for the new Hosts list transform. Breaking changes: - old IPProfile.ncap.gz files cannot be read by the new code - existing Maltego installations need .mtz archives regenerated via 'zeus gen-maltego-config' (env-dependent, not run here) - proto bindings for cpp/csharp/swift/js were not regenerated; only Go binding was updated via 'protoc --gogofaster_out=types/. netcap.proto'
| Commit: | db7ca93 | |
|---|---|---|
| Author: | Philipp Mieden | |
refactor: rename Credentials audit record to Secret Rename audit record type Credentials -> Secret across the codebase: - proto: NC_Credentials -> NC_Secret, message Credentials -> Secret - types/credentials.go -> types/secret.go (type, vars, methods) - decoder/stream/credentials/ -> decoder/stream/secret/ (package + dir) - on-disk filename Credentials.ncap.gz -> Secret.ncap.gz - WriteCredentials -> WriteSecret, ResetCredStore -> ResetSecretStore - Maltego entity netcap.Credentials -> netcap.Secret - Maltego entity netcap.CredentialsAuditRecords -> netcap.SecretAuditRecords - HTTP API /api/credentials/* -> /api/secrets/* - Frontend route /credentials -> /secrets - Frontend page CredentialsPage -> SecretsPage - Test fixture renamed (existing data needs regeneration) - Maltego icons regenerated separately via 'zeus gen-icons' Breaking changes: - old Credentials.ncap.gz files cannot be read by the new code - existing Maltego installations need .mtz archives regenerated via 'zeus gen-maltego-config' (env-dependent, not run here) - proto bindings for cpp/csharp/swift/js were not regenerated; only Go binding was updated via 'protoc --gogofaster_out=types/. netcap.proto'
| Commit: | 5cfdbc8 | |
|---|---|---|
| Author: | Philipp Mieden | |
protobuf support in ui
| Commit: | dfa4415 | |
|---|---|---|
| Author: | Philipp Mieden | |
Add generic protobuf wire format stream decoder Detect and decode arbitrary Protocol Buffer messages on the wire without requiring a schema. The decoder uses heuristic detection (wire type distribution, varint patterns, Shannon entropy) and parses all six wire types including recursive nested message support. - New stream decoder registered on ports 9090 and 50051 (gRPC) - Fields keyed as type_fieldnum (e.g. varint_1, string_2) with wire order preserved in FieldOrder - Entropy calculation respects CalculateEntropy config flag - Proto type NC_Protobuf = 145 with map<string,string> Fields - Unit tests (11 suites) and integration tests (6 suites, 3 benchmarks) - No false positives on HTTP, CIP, S7Comm test PCAPs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| Commit: | 6e3f02e | |
|---|---|---|
| Author: | Philipp Mieden | |
yara and magika support
| Commit: | a028e80 | |
|---|---|---|
| Author: | Philipp Mieden | |
support for additional protocols
| Commit: | 09c3a97 | |
|---|---|---|
| Author: | Philipp Mieden | |
device enrichment with discovery fields, refined credential harvesters
| Commit: | 09c2630 | |
|---|---|---|
| Author: | Philipp Mieden | |
fix: ensure CommunityID is set on all fingerprint records (JA4T, JA4, JA4S) Three issues prevented CommunityID from appearing on fingerprint records: 1. CommunityID computation in the worker was gated behind the AddContext config flag — moved it outside so it's always calculated. 2. Packet decoders (TLS, TCP) didn't receive PacketContext. Extended DecoderAPI.Decode to accept *PacketContext and apply it via SetPacketContext, matching what GoPacketDecoder already does. Removed redundant per-packet CalcCommunityID calls from TLS decoders. 3. Added CommunityID field to TCP proto message and updated SetPacketContext, CSV, and Encode methods. Fixed the webui JA4T/JA4TS fingerprint handler to populate communityIDs on the aggregator. Includes integration test that processes https.pcap with AddContext=false and verifies all TCP/JA4T, TLSClientHello, and TLSServerHello records have non-empty CommunityIDs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| Commit: | 80f1d6c | |
|---|---|---|
| Author: | Philipp Mieden | |
ui improvements
| Commit: | 361f791 | |
|---|---|---|
| Author: | Philipp Mieden | |
file extraction engine, dedup and decompress
| Commit: | f57e6fc | |
|---|---|---|
| Author: | Philipp Mieden | |
feat: corelight community ids
| Commit: | 798f470 | |
|---|---|---|
| Author: | Philipp Mieden | |
various ui improvements
| Commit: | 19c7c12 | |
|---|---|---|
| Author: | Philipp Mieden | |
feat: quic support and ja4
| Commit: | 724359a | |
|---|---|---|
| Author: | Philipp Mieden | |
sip improvements
| Commit: | fcd4c01 | |
|---|---|---|
| Author: | Philipp Mieden | |
improve ethernetctp, ui improvements
| Commit: | c4c9399 | |
|---|---|---|
| Author: | Philipp Mieden | |
feat: more industrial protocols
| Commit: | 2f94822 | |
|---|---|---|
| Author: | Philipp Mieden | |
more credential harvesters
| Commit: | 11e8364 | |
|---|---|---|
| Author: | Philipp Mieden | |
feat: more protos, more fields
| Commit: | 116bce4 | |
|---|---|---|
| Author: | Philipp Mieden | |
feat: new file extraction framework and additional audit record types
| Commit: | f4b153c | |
|---|---|---|
| Author: | Philipp Mieden | |
feat: TLSCertificate audit records and new pages
| Commit: | a2e95a9 | |
|---|---|---|
| Author: | Philipp Mieden | |
ui fixes
| Commit: | 7d08e3a | |
|---|---|---|
| Author: | Philipp Mieden | |
extending credential harvesters
| Commit: | 2d1cf58 | |
|---|---|---|
| Author: | Philipp Mieden | |
feat: ui view raw conversation streams and download pcap, services page
| Commit: | 665bfa1 | |
|---|---|---|
| Author: | Philipp Mieden | |
wip: webUI and rules + alerting engine
| Commit: | 8c19644 | |
|---|---|---|
| Author: | Philipp Mieden | |
fix: various issues, roadmap, upgrade gopacket, enable cip,enip again, default decode opt datagrams in capture mode
| Commit: | e58ad21 | |
|---|---|---|
| Author: | Philipp Mieden | |
feat: dpi results for additional audit record types
The documentation is generated from this commit.
| Commit: | 9bb050d | |
|---|---|---|
| Author: | Philipp Mieden | |
chore: switch to new releases of deps ja3,go-dpi and tlsx that use gopacket/gopacket, disable modbus,cip,enip,diameter decoders until they are available in gopacket/gopacket
| Commit: | 4e8216f | |
|---|---|---|
| Author: | Cursor Agent | |
Changes from background composer bc-dfb12fc6-3a7c-4e86-9fef-32ba6a758f76
| Commit: | dcf3741 | |
|---|---|---|
| Author: | Philipp Mieden | |
connection proto updates
| Commit: | e313e97 | |
|---|---|---|
| Author: | Philipp Mieden | |
update proto defs for connection flow volume tracking
| Commit: | e33f53b | |
|---|---|---|
| Author: | Philipp Mieden | |
modeled alerts, field type updates
| Commit: | d66ea7f | |
|---|---|---|
| Author: | Philipp Mieden | |
formatting, renamed field for Ja3 hashmap on profile audit records
| Commit: | 58a7518 | |
|---|---|---|
| Author: | Philipp Mieden | |
move port stats into dedicated structure to avoid alignment issues on ARM
| Commit: | 61a3f39 | |
|---|---|---|
| Author: | Philipp Mieden | |
pop3: save command sequence
| Commit: | d028984 | |
|---|---|---|
| Author: | Philipp Mieden | |
bootstrapped SMTP stream parser
| Commit: | 3a6b981 | |
|---|---|---|
| Author: | Philipp Mieden | |
removed flow audit records, fixed lookup DHCP fingerprints transforms
| Commit: | 39a4b08 | |
|---|---|---|
| Author: | Philipp Mieden | |
added to contacted ports transform
| Commit: | 56c4a65 | |
|---|---|---|
| Author: | Philipp Mieden | |
add open in disassembler transform, fixed to cookie and to params transforms on host entities, added support to show all http headers and values for a given host
| Commit: | a086072 | |
|---|---|---|
| Author: | Philipp Mieden | |
use cookie for frontend framework detection, cleanup
| Commit: | c2d3049 | |
|---|---|---|
| Author: | Philipp Mieden | |
improved build process, added option to compile without dynamically linked dpi libs
| Commit: | f2ea4c2 | |
|---|---|---|
| Author: | Philipp Mieden | |
fmt
| Commit: | 42e2a56 | |
|---|---|---|
| Author: | Philipp Mieden | |
added a service port to name mapping for service probe matching, to make an educated guess which signatures to try first
| Commit: | 6c5b279 | |
|---|---|---|
| Author: | Philipp Mieden | |
improved port modeling on ipprofiles
| Commit: | a4dea8c | |
|---|---|---|
| Author: | Philipp Mieden | |
POP3: move mails into dedicated audit record file and cross reference via IDs
| Commit: | a13b54b | |
|---|---|---|
| Author: | Philipp Mieden | |
write IP profile into dedicated audit record file
| Commit: | a4fe5ef | |
|---|---|---|
| Author: | Philipp Mieden | |
added command to format the protobuf definitions
| Commit: | e4051c8 | |
|---|---|---|
| Author: | Philipp Mieden | |
removed Context from structures, added fields directly
| Commit: | cb91b10 | |
|---|---|---|
| Author: | Philipp Mieden | |
made all timestamps numeric
| Commit: | 0572f97 | |
|---|---|---|
| Author: | Philipp Mieden | |
changed dhcp type for option data field to string
| Commit: | 72bbeaf | |
|---|---|---|
| Author: | Philipp Mieden | |
store service banners as strings
| Commit: | 0d06a5e | |
|---|---|---|
| Author: | Philipp Mieden | |
dns audit records: change name fields to type string
| Commit: | 0d78caf | |
|---|---|---|
| Author: | Philipp Mieden | |
added support to capture payloads for http requests and responses, return an error for ReadHeader(), added packets per second to progress log, added profiling with fgprof, added zeus commands for profiling, move membuffer before the compression step, since pgzip acts as a buffer as well, graphics update, allow to ignore custom encoder init errors in config, rename NoDefrag config Option to DefragIPv4
| Commit: | 17a6f73 | |
|---|---|---|
| Author: | Philipp Mieden | |
refactored service probe matching and added unit tests
| Commit: | 278ebaa | |
|---|---|---|
| Author: | Philipp Mieden | |
added exploit audit records and refactored queries for bleve databases
| Commit: | 2fc7213 | |
|---|---|---|
| Author: | Philipp Mieden | |
enrich software and vuln maltego entities
| Commit: | 79b4792 | |
|---|---|---|
| Author: | Philipp Mieden | |
maltego iteration, added support for vulnerability audit records
| Commit: | 6b45e2c | |
|---|---|---|
| Author: | Philipp Mieden | |
added vulnerability audit records, go fmt project
| Commit: | 773a5a0 | |
|---|---|---|
| Author: | Philipp Mieden | |
prepare dhcp fingerprinting, add option to resolve service ips to hostnames via dns lookup with -reverse-dns flag
| Commit: | a04c767 | |
|---|---|---|
| Author: | Philipp Mieden | |
deduplicate services and store all flows towards a service
| Commit: | f200bb5 | |
|---|---|---|
| Author: | Philipp Mieden | |
bootstrapped SSH audit records
| Commit: | 78d7490 | |
|---|---|---|
| Author: | Philipp Mieden | |
service audit records: save num bytes seen for server and client
| Commit: | 765857e | |
|---|---|---|
| Author: | Philipp Mieden | |
bootstrapped credentials audit records and use it to capture http basic auth and pop3 credentials
| Commit: | 04b4cb0 | |
|---|---|---|
| Author: | Philipp Mieden | |
testing and fixes for the service banner regexes, added support for using a different RE engine that supports backtracking
| Commit: | ee586c0 | |
|---|---|---|
| Author: | Philipp Mieden | |
software audit records: collect flows when updating a record
| Commit: | 9bc4875 | |
|---|---|---|
| Author: | Philipp Mieden | |
updated software fields, preserve full parsed client info for debugging
| Commit: | 2765357 | |
|---|---|---|
| Author: | Philipp Mieden | |
extended service, cleanup and roadmap
| Commit: | a8c1d2c | |
|---|---|---|
| Author: | Philipp Mieden | |
added service audit record for banner grabbing
| Commit: | 520dd7a | |
|---|---|---|
| Author: | Philipp Mieden | |
testing, notes and fixed race in tcp stream reader
| Commit: | 84ef4e1 | |
|---|---|---|
| Author: | Philipp Mieden | |
cleanup
| Commit: | 984f87c | |
|---|---|---|
| Author: | Philipp Mieden | |
bootstrapped software audit records
| Commit: | 4f833d8 | |
|---|---|---|
| Author: | Philipp Mieden | |
removed layer flows
| Commit: | c23ff7b | |
|---|---|---|
| Author: | Philipp Mieden | |
testing and cleanup
| Commit: | 0368d11 | |
|---|---|---|
| Author: | Philipp Mieden | |
added TLSServerHello audit records and renamed TLS records to TLSClientHello
| Commit: | 75c051d | |
|---|---|---|
| Author: | Philipp Mieden | |
cleanup
| Commit: | deaa52d | |
|---|---|---|
| Author: | Philipp Mieden | |
pop3 attachments, version bump
| Commit: | 2ec21cc | |
|---|---|---|
| Author: | Philipp Mieden | |
HTTP POST parameter extraction, add host to file info, added URL reference to file source field, match file types on the part before the semicolon, to avoid exotic encodings breaking the matching
| Commit: | 2ddc3e0 | |
|---|---|---|
| Author: | Philipp Mieden | |
stream reassembly refactoring: switched to using on assembler per worker with a shared stream pool
| Commit: | 5905d33 | |
|---|---|---|
| Author: | Philipp Mieden | |
implemented GetApplicationCategories and GetApplicationsForCategory
| Commit: | aeb225f | |
|---|---|---|
| Author: | Philipp Mieden | |
added POP3 support and first experimental mail extraction plugin for maltego
| Commit: | 49969f5 | |
|---|---|---|
| Author: | Philipp Mieden | |
added experimental POP3 parsing support
| Commit: | b7c39fd | |
|---|---|---|
| Author: | Philipp Mieden | |
implemented diameter decoder
| Commit: | 6b5bd9e | |
|---|---|---|
| Author: | Philipp Mieden | |
added SMTP decoding support
| Commit: | e49e2bb | |
|---|---|---|
| Author: | Philipp Mieden | |
modeled http cookies and addeed maltego plugin
| Commit: | d932559 | |
|---|---|---|
| Author: | Philipp Mieden | |
cleanup
| Commit: | 775a01f | |
|---|---|---|
| Author: | Philipp Mieden | |
implement CSV generation for DeviceProfile, added File audit record type
| Commit: | 557f8fc | |
|---|---|---|
| Author: | Philipp Mieden | |
http: added fields for detected content type, added file extraction for http POST, fix files being saved outside of files folder when generating paths for existing targets, improved mapping of content types to file extensions
| Commit: | 1461527 | |
|---|---|---|
| Author: | Philipp Mieden | |
implemented service lookups for ports
| Commit: | ace955d | |
|---|---|---|
| Author: | Philipp Mieden | |
added more stats and bootstrapped maltego integration
| Commit: | 697cef0 | |
|---|---|---|
| Author: | Philipp Mieden | |
added nDPI
| Commit: | 2046a94 | |
|---|---|---|
| Author: | Philipp Mieden | |
added cached ja3 lookups, added caching for DNS lookups, added timestamps to profiles
| Commit: | a1dadea | |
|---|---|---|
| Author: | Philipp Mieden | |
added descriptive comments about protocols to proto defs
| Commit: | b109cb9 | |
|---|---|---|
| Author: | Philipp Mieden | |
added type definitions for DeviceProfile and IPProfile
| Commit: | 2e4b029 | |
|---|---|---|
| Author: | dreadl0ck | |
implemented ENIP
| Commit: | 2d4e502 | |
|---|---|---|
| Author: | dreadl0ck | |
implemented support for Common Industrial Protocol
| Commit: | 22132f5 | |
|---|---|---|
| Author: | dreadl0ck | |
updated modbus
| Commit: | eb7de3f | |
|---|---|---|
| Author: | Philipp Mieden | |
implemented adding context information to audit records
| Commit: | bd9d4d1 | |
|---|---|---|
| Author: | Philipp Mieden | |
added comment to http audit record enhanced fields
| Commit: | 3828193 | |
|---|---|---|
| Author: | Philipp Mieden | |
added new HTTP fields
| Commit: | 7eb4b36 | |
|---|---|---|
| Author: | Philipp Mieden | |
added optional payloads for modbusTCP
| Commit: | abb2158 | |
|---|---|---|
| Author: | Philipp Mieden | |
added gogo proto gode generator for faster protobuf serialization, renamed Size field from several audit records to TotalSize to resolve conflict with generated Size() func