execap is an information security tool for capturing Windows
executables as they are transmitted or received. This is somewhat
inspired by Driftnet which captures images in transmission. The goal
is to be able to run execap in a similar manner as an IDS/IPS to
monitor and discover malware being transmitted or loaded onto client
machines.

execap is written to be much faster than similar code such as
Driftnet. On a modern CPU it can easily keep up at 1 Gbps. For
example, execap was run for ~60 days on a 10 Gbps link that averages
~1 Gbps and during the day often bursts to 6+ Gbps. execap processed
550 TB of network traffic and extracted 300,000 executables with a
packet loss of 0.00062 (0.062%). Minor tweaks and improvements can
(and will) be made to further improve performance and reduce packet
loss.

To compile execap you'll want to run './configure' and then 'make'.
A static makefile 'Makefile.static' is included which may make it
easier to build execap on a system with odd library paths.