Malakocut is a high-performance Network Detection and Response (NDR) agent designed for home laboratories and small networks. It captures traffic from a SPAN/Mirror port, provides a real-time "top-like" visualization of active network flows, and maintains a rolling 48-hour raw PCAP journal for forensic investigation.
Malakocut can run in Standalone Mode (local monitoring) or Cloud Mode (integrated with Google SecOps/Chronicle).
- Engine: Uses `google/gopacket` with `AF_PACKET` zero-copy memory-mapped buffers.
- Accuracy: A synchronous decoding pipeline avoids buffer races between capture and decode, so every packet handed up by the kernel is decoded and counted exactly once at multi-gigabit speeds. Drops can still happen in the kernel ring if the consumer falls behind, so validate completeness against the kernel's own drop counters rather than assuming it.
- Protocol Support: Native support for Ethernet, 802.1Q (VLAN), IPv4, IPv6, TCP, UDP, ICMPv4, and ICMPv6.
Instead of just logging packets, Malakocut maintains a persistent in-memory Flow Table:
- Cumulative Tracking: Sessions are tracked for their entire lifetime (hours or days); `malakocut-cli top` shows real-time cumulative totals for bytes and packets.
- Delta Exports: Long-running sessions are "checkpointed" every 5 minutes and exported as incremental deltas to the configured backend, so the backend receives only the traffic since the previous checkpoint rather than a repeated cumulative total.
- Freshness: Tracks "idleness" at sub-second granularity to see exactly when a session last moved data.
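The flow table described above, as an added Go example that is not Malakocut's own code: a 5-tuple key (the field layout is an assumption), cumulative counters kept for the life of the session, sub-second idleness via `time.Duration`, checkpoint deltas that carry only the traffic since the last export, and a byte-sorted view like `top`. Both directions of a conversation are folded onto one key so request and reply bytes land in the same row; the five-minute cadence is left to a ticker in the caller.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// FlowKey is a 5-tuple identifying a session. The field layout is an
// assumption for this example; the daemon's own key is not documented here.
type FlowKey struct {
	Proto   string // "tcp", "udp", "icmp"
	SrcIP   string
	SrcPort uint16
	DstIP   string
	DstPort uint16
}

// Flow keeps cumulative counters for the whole lifetime of a session and
// remembers what was already exported so the next checkpoint can emit a delta.
type Flow struct {
	Key        FlowKey
	FirstSeen  time.Time
	LastSeen   time.Time
	Bytes      uint64
	Packets    uint64
	expBytes   uint64 // counters as of the last checkpoint
	expPackets uint64
}

// Idle reports how long the flow has been silent; time.Duration carries
// nanosecond resolution, so sub-second idleness comes for free.
func (f *Flow) Idle(now time.Time) time.Duration { return now.Sub(f.LastSeen) }

// Duration is the session lifetime observed so far.
func (f *Flow) Duration() time.Duration { return f.LastSeen.Sub(f.FirstSeen) }

// FlowDelta is one incremental export record: the traffic since the previous
// checkpoint, with the cumulative totals alongside for context.
type FlowDelta struct {
	Key                   FlowKey
	DeltaBytes, DeltaPkts uint64
	TotalBytes, TotalPkts uint64
	Idle                  time.Duration
}

// FlowTable is the in-memory session store.
type FlowTable struct {
	flows map[FlowKey]*Flow
}

func NewFlowTable() *FlowTable { return &FlowTable{flows: map[FlowKey]*Flow{}} }

// canonical folds both directions of a conversation onto one key by ordering
// the endpoints, so request and reply bytes are accounted to the same row.
func canonical(k FlowKey) FlowKey {
	if k.SrcIP > k.DstIP || (k.SrcIP == k.DstIP && k.SrcPort > k.DstPort) {
		return FlowKey{k.Proto, k.DstIP, k.DstPort, k.SrcIP, k.SrcPort}
	}
	return k
}

// Observe accounts one packet of size bytes against its flow, creating the
// flow on first sight. Counters are cumulative for the life of the session.
func (t *FlowTable) Observe(k FlowKey, size int, now time.Time) *Flow {
	k = canonical(k)
	f, ok := t.flows[k]
	if !ok {
		f = &Flow{Key: k, FirstSeen: now}
		t.flows[k] = f
	}
	f.LastSeen = now
	f.Bytes += uint64(size)
	f.Packets++
	return f
}

// Checkpoint produces a delta for every flow that moved data since the last
// checkpoint and advances the exported watermark. Flows that were idle the
// whole interval produce nothing. The caller drives it from a 5-minute ticker.
func (t *FlowTable) Checkpoint(now time.Time) []FlowDelta {
	var out []FlowDelta
	for _, f := range t.flows {
		if f.Bytes == f.expBytes && f.Packets == f.expPackets {
			continue
		}
		out = append(out, FlowDelta{
			Key:        f.Key,
			DeltaBytes: f.Bytes - f.expBytes,
			DeltaPkts:  f.Packets - f.expPackets,
			TotalBytes: f.Bytes,
			TotalPkts:  f.Packets,
			Idle:       f.Idle(now),
		})
		f.expBytes, f.expPackets = f.Bytes, f.Packets
	}
	sort.Slice(out, func(i, j int) bool { return out[i].DeltaBytes > out[j].DeltaBytes })
	return out
}

// Top returns up to n flows ordered by cumulative bytes, the default sort of
// the interactive view.
func (t *FlowTable) Top(n int) []*Flow {
	all := make([]*Flow, 0, len(t.flows))
	for _, f := range t.flows {
		all = append(all, f)
	}
	sort.Slice(all, func(i, j int) bool { return all[i].Bytes > all[j].Bytes })
	if len(all) > n {
		all = all[:n]
	}
	return all
}

func main() {
	// Constructed sample traffic: one TLS session (both directions) and a DNS lookup.
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	tbl := NewFlowTable()
	tls := FlowKey{"tcp", "192.168.1.10", 51234, "203.0.113.5", 443}
	dns := FlowKey{"udp", "192.168.1.10", 40000, "192.168.1.1", 53}
	tbl.Observe(tls, 1500, t0)
	tbl.Observe(FlowKey{"tcp", "203.0.113.5", 443, "192.168.1.10", 51234}, 60, t0.Add(20*time.Millisecond))
	tbl.Observe(dns, 70, t0.Add(time.Second))
	for _, d := range tbl.Checkpoint(t0.Add(5 * time.Minute)) {
		fmt.Printf("%+v\n", d) // both flows, full totals on first export
	}
	tbl.Observe(tls, 1500, t0.Add(6*time.Minute))
	for _, d := range tbl.Checkpoint(t0.Add(10 * time.Minute)) {
		fmt.Printf("%+v\n", d) // only the TLS flow, delta 1500 bytes / 1 packet
	}
}
```

The watermark fields are what make the export incremental: a session that has been open for days still sends only its last five minutes of counters each checkpoint, which is why long sessions do not inflate SIEM volume. Idle flows are skipped entirely, so a quiet beacon shows up in the export stream exactly when it wakes.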
- Standalone: Run purely as a local monitor.
- Google SecOps: Stream stateful flow telemetry directly to Google Chronicle for long-term retention and threat hunting.
To save on storage and SIEM costs, Malakocut includes a DNS-based "Shunt" filter:
- Blocklist: User-editable via `configs/blocklist.conf`.
- Function: When a DNS query matches a streaming service (e.g., Netflix, YouTube, Prime Video), the entire flow is silenced rather than exported. Shunted flows never reach the backend, so keep the list to destinations you are content to have no record of.
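The shunt, as an added Go example rather than Malakocut's own implementation. It reads the shunt as: a DNS answer for a blocklisted name marks the answered addresses, and later flows to those addresses are dropped before export. The file format (one domain per line, `#` comments), suffix matching on the query name, and TTL-based expiry of shunted addresses are all this example's assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/netip"
	"strings"
	"sync"
	"time"
)

// ParseBlocklist reads one domain per line, ignoring blank lines and '#'
// comments, and normalizes case and trailing dots. Assumed file format.
func ParseBlocklist(r io.Reader) ([]string, error) {
	var out []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		out = append(out, strings.TrimSuffix(strings.ToLower(line), "."))
	}
	return out, sc.Err()
}

// Shunt maps DNS answers for blocklisted names onto the addresses they
// returned so later flows to those addresses can be dropped before export.
type Shunt struct {
	mu       sync.Mutex
	suffixes []string
	expiry   map[netip.Addr]time.Time // address -> when the shunt lapses
}

func NewShunt(suffixes []string) *Shunt {
	return &Shunt{suffixes: suffixes, expiry: map[netip.Addr]time.Time{}}
}

// Match reports whether a query name equals a blocklisted domain or lies
// beneath it. Matching on "."+suffix keeps "notnetflix.com" from matching.
func (s *Shunt) Match(qname string) bool {
	q := strings.TrimSuffix(strings.ToLower(qname), ".")
	for _, suf := range s.suffixes {
		if q == suf || strings.HasSuffix(q, "."+suf) {
			return true
		}
	}
	return false
}

// LearnAnswer is fed each decoded DNS response (name plus answered addresses
// in text form). When the name matches, every address is silenced for the
// answer's TTL. It returns how many addresses were learned; a malformed
// address is an error rather than a silent skip.
func (s *Shunt) LearnAnswer(qname string, addrs []string, ttl time.Duration, now time.Time) (int, error) {
	if !s.Match(qname) {
		return 0, nil
	}
	parsed := make([]netip.Addr, 0, len(addrs))
	for _, a := range addrs {
		ip, err := netip.ParseAddr(a)
		if err != nil {
			return 0, fmt.Errorf("answer for %s: %w", qname, err)
		}
		parsed = append(parsed, ip)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	for _, ip := range parsed {
		s.expiry[ip] = now.Add(ttl)
	}
	return len(parsed), nil
}

// Silenced reports whether a flow touching addr should be dropped from the
// export path. netip.Addr compares by value, so different textual spellings
// of one IPv6 address hit the same entry. Entries lapse at TTL so a reused
// CDN address is not hidden forever.
func (s *Shunt) Silenced(addr string, now time.Time) bool {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return false
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.expiry[ip]
	if !ok {
		return false
	}
	if now.After(exp) {
		delete(s.expiry, ip)
		return false
	}
	return true
}

// Constructed blocklist in the assumed format.
const sampleBlocklist = `# streaming services
netflix.com
youtube.com   # also covers www.youtube.com
`

func main() {
	list, err := ParseBlocklist(strings.NewReader(sampleBlocklist))
	if err != nil {
		panic(err)
	}
	s := NewShunt(list)
	now := time.Now()
	// Constructed DNS answer: a CDN address returned for a Netflix host.
	if _, err := s.LearnAnswer("api-global.netflix.com.", []string{"203.0.113.7"}, 300*time.Second, now); err != nil {
		panic(err)
	}
	fmt.Println(s.Silenced("203.0.113.7", now))                     // true: flow dropped
	fmt.Println(s.Silenced("203.0.113.7", now.Add(301*time.Second))) // false: TTL lapsed
	fmt.Println(s.Match("notnetflix.com"))                          // false: not a subdomain
}
```

Wiring this into a capture loop means calling `LearnAnswer` from the DNS decoder and `Silenced` on each flow's remote endpoint before it is shown or exported. The practical gap to keep in mind is that the shunt can only act on answers it saw: flows that began before the agent started, or whose lookup went over a path the SPAN port does not carry, are not silenced and will show up as ordinary traffic.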
Malakocut is written in Go. You can build both the daemon and the CLI tool using the provided Makefile.
```sh
# Build standard version
make build

# (Optional) Build with SecOps support explicitly (if future build tags are added)
make build-secops
```

The install target handles binary placement, systemd service setup, and default configuration.

```sh
sudo make install
```

This will:
- Install `malakocut` and `malakocut-cli` to `/usr/local/bin/`.
- Copy configuration templates to `/etc/malakocut/`.
- Create a default environment file at `/etc/default/malakocut`.
- Install the systemd service.
In standalone mode, Malakocut provides local flow visibility without external dependencies.
- Edit `/etc/default/malakocut`:

  ```sh
  MALAKOCUT_INTERFACE="enp3s0"
  MALAKOCUT_EXPORTER="none"
  ```

- Enable and start the service:

  ```sh
  sudo systemctl enable --now malakocut
  ```
Cloud mode streams stateful telemetry to Google Chronicle.
- Obtain Credentials: Download your Google Cloud Service Account JSON key.
- Deploy Key: Save it to `/etc/malakocut/secops_key.json`. The key authenticates the daemon to your Chronicle tenant, so make it readable only by the account the service runs as (owner-only, mode 0600) and keep it out of any backup or repository that is not equally restricted.
- Edit `/etc/default/malakocut`:

  ```sh
  MALAKOCUT_INTERFACE="enp3s0"
  MALAKOCUT_EXPORTER="secops"
  CHRONICLE_CUSTOMER_ID="your-uuid-here"
  GOOGLE_APPLICATION_CREDENTIALS="/etc/malakocut/secops_key.json"
  ```

- Restart Service:

  ```sh
  sudo systemctl restart malakocut
  ```
The malakocut-cli tool provides real-time visibility into the daemon's internal state.
```sh
sudo ./malakocut-cli status

# Use -resolve and -pretty for better readability
sudo ./malakocut-cli -resolve -pretty status

sudo ./malakocut-cli top
```

Interactive shortcuts in `top`:
- `q`: Quit.
- `b` / `p` / `d` / `i` / `o`: Sort by Bytes, Packets, Duration, Idleness, or Protocol.
- `f`: Cycle protocol filter (All, TCP, UDP, ICMP).
- `x`: Toggle remote-only (excludes internal-to-internal traffic).
- `r`: Toggle DNS & ICMP resolution (resolves hostnames and ICMP names).
- `h`: Toggle human-readable scaling (K, M, G, etc.).
- `m`: Toggle noise (multicast/broadcast) visibility.
- Logs: `tail -f /var/log/malakocut.log` or `journalctl -u malakocut -f`.
- PCAP Data: Stored in `/var/lib/malakocut/pcap/` (rolling 48h window). This is raw packet data, including any cleartext payloads and credentials that crossed the mirror port, so restrict access to the directory and size the disk for 48 hours of your peak traffic.
- Blocklist: Edit `/etc/malakocut/configs/blocklist.conf`, then restart the service.
