netcap command
netcap shows an overview of network-related processes and their capabilities
Typical usage: information gathering, process analysis, system hardeningIntroduction into netcap
The netcap utility shows the current capabilities for processes that are using network sockets.
When running the netcap command it will retrieve the active processes that have network sockets opened. For each of those processes, it will show what capabilities they have assigned. If they are unrestricted, in other words all capabilities, it will show full in the capabilities column.
Special characters are the @, meaning ambient capabilities, and + to show open-ended bounding set, meaning it is not restricted.
This tool is very helpful to quicly focus on network-related applications and see what capabilities they have. This may help in system hardening efforts, for example by using a hardening profile to systemd services.
Example output
Example of running netcap as the root user.
# netcap
ppid pid acct command type port capabilities
1 20728 root nginx tcp 80 full +
1 515 root sshd tcp 22 full +
515 552 root sshd tcp 22 full +
515 15485 root sshd tcp 22 full +
1 20728 root nginx tcp6 80 full +
1 515 root sshd tcp6 22 full +
1 403 root dhclient udp 68 dac_override, net_bind_service, net_admin, net_raw +
1 403 root dhclient pkt enp1s0 dac_override, net_bind_service, net_admin, net_raw +
Installation
When netcap is not installed by default, it can be added to the system using the relevant software package.
Package information for netcap
| Operating system | Package name | Installation |
|---|---|---|
| AlmaLinux | libcap-ng-utils | |
| Arch Linux | libcap-ng-utils | |
| Debian | libcap-ng-utils | |
| Fedora | libcap-ng-utils | |
| Red Hat Enterprise Linux | libcap-ng-utils | |
| Rocky Linux | libcap-ng-utils | |
| Ubuntu | libcap-ng-utils | |
Your Linux distribution using a different package? Share your feedback.
Usage
Frequently Asked Questions
What is the netcap command and its purpose?
The Linux command netcap shows an overview of running processes and what capabilities they have. This applies to those that are using active network sockets.
Which package provides the netcap command?
The command netcap is provided by the libcap-ng-utils package.
Related and similar commands
Linux has a lot of tools and commands available and sometimes you just need that little other tool. Here is a list of commands that are similar or related to netcap:
| Command | Category | Summary |
|---|---|---|
| capsh | capabilities | Linux capabilities testing and debugging tool |
| captest | capabilities | Capabilities and privilege escalation testing tool |
| filecap | capabilities | Display of Linux capabilities set on binaries in paths |
| firejail | sandboxing | Sandboxing tool for Linux |
| getcap | capabilities | Show file capabilities |
| getpcaps | capabilities | Show process capabilities |
| iftop | network | Bandwidth usage monitor |
| pscap | capabilities | Display available capabilities for running processes |
| resolvectl | network | Name resolution information from resolve daemon |
| setcap | capabilities | Add or remove Linux capabilities to a file |
Also 💙 the command-line or terminal? Here is a set of cheat sheets for Linux to get more done from within the shell: