Manual Setup (Config File)


The EtherSensor EtherCAP service configuration is stored in the file ethcap.xml in the common Microolap EtherSensor configuration directory, [INSTALLDIR]\config.

<?xml version="1.0" encoding="utf-8"?>
<EtherCapConfig version="4.2"
flow_count="16"
flow_buff_count="512"
flow_buff_size="524288">
 <NetworkAdapters>
  <NetworkAdapter enabled="true" rss="true" mac="00-1F-C6-2D-EA-40"
   description="Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller">
    <Filter enabled="true" name="internet" />
    <Protocol enabled="true" name="dc" />
    <Protocol enabled="true" name="ftp" />
    <Protocol enabled="true" name="http" />
    <Protocol enabled="true" name="icq" />
    <Protocol enabled="true" name="imap4" />
    <Protocol enabled="true" name="irc" />
    <Protocol enabled="true" name="lotus" />
    <Protocol enabled="true" name="mra" />
    <Protocol enabled="true" name="msn" />
    <Protocol enabled="true" name="pop3" />
    <Protocol enabled="true" name="skype" />
    <Protocol enabled="true" name="smtp" />
    <Protocol enabled="true" name="ssl" />
    <Protocol enabled="true" name="xmpp" />
    <Protocol enabled="true" name="yahoo" />
  </NetworkAdapter>
  <NetworkAdapter enabled="true" mac="capdrop"
   description="PCAP files processing adapter">
   <Filter enabled="true" name="default" />
   <Protocol enabled="true" name="dc" />
   <Protocol enabled="true" name="ftp" />
   <Protocol enabled="true" name="http" />
   <Protocol enabled="true" name="icq" />
   <Protocol enabled="true" name="imap4" />
   <Protocol enabled="true" name="irc" />
   <Protocol enabled="true" name="lotus" />
   <Protocol enabled="true" name="mra" />
   <Protocol enabled="true" name="msn" />
   <Protocol enabled="true" name="pop3" />
   <Protocol enabled="true" name="skype" />
   <Protocol enabled="true" name="smtp" />
   <Protocol enabled="true" name="ssl" />
   <Protocol enabled="true" name="xmpp" />
   <Protocol enabled="true" name="yahoo" />
  </NetworkAdapter>
 </NetworkAdapters>
 
<Filters>
 
 <Filter name="default">
  <RuleGroup enabled="true" name="">
   <Rule
    type="accept"
    src="any"
    srcport="any"
    dst="any"
    dstport="any"
    proto="tcp"
    comment="Comment to the rule" />
  </RuleGroup>
 </Filter>
 
 <Filter name="internet">
  <RuleGroup enabled="true" name="">
   <Rule
    type="reject"
    src="192.168.0.1"
    srcport="any"
    dst="any"
    dstport="any"
    proto="tcp"
    comment="Comment to the rule" />
   <Rule
    type="reject"
    src="*"
    srcport="any"
    dst="192.168.0.1"
    dstport="any"
    proto="tcp" />
   <Rule
    type="accept"
    src="any"
    srcport="any"
    dst="any"
    dstport="any"
    proto="tcp" />
  </RuleGroup>
 </Filter>
 
</Filters>
</EtherCapConfig>

EtherCapConfig tag

This is the root tag of the service configuration. The version attribute specifies the version of the configuration file format.

The flow_count attribute specifies the number of traffic-processing threads that run concurrently. All captured traffic is distributed evenly among these threads. The distribution is done at the operating system kernel level, so the threads process their shares of the data in parallel.

The flow_buff_count attribute specifies the number of data buffers per traffic-processing thread. Together with the flow_buff_size attribute, it determines the amount of static memory reserved for a single processing thread.

The flow_buff_size attribute specifies the size of one data buffer in a traffic-processing thread, in bytes. The memory reserved for a single thread is flow_buff_count * flow_buff_size; for the values above that is 512 * 524288 bytes = 256 MB, and with flow_count="16" the flow buffers of all threads together take 16 * 256 MB = 4 GB.

Warning!
The attributes listed above are meant for fine-tuning Microolap EtherSensor and require a thorough understanding of how the product operates. Do not experiment with them on a production system!

NetworkAdapters tag

Defines the settings of the network interfaces being captured.

NetworkAdapter tag

The NetworkAdapter tag is nested within the NetworkAdapters tag and holds the settings for one particular network interface. The enabled attribute specifies whether the interface is active. If it is set to false, the interface is not used for data processing (i.e., the traffic from this interface is ignored).

The rss attribute enables Receive Side Scaling (RSS) for the interface. RSS distributes the network packet processing workload evenly across the CPU cores, which improves capture performance.

The mac attribute identifies the network interface: the adapter's MAC address, or the special value capdrop for the PCAP file processing adapter shown in the example. This attribute is read-only. The description attribute holds a free-form description of the interface; administrators can set it to any value.

The Filter Tag

The Filter tag is nested within the NetworkAdapter tag and selects the IP filter profile applied to that adapter. The enabled attribute switches the filter on or off; if it is set to false, the data from this interface is processed without any IP filtering. The name attribute gives the name of an IP filter profile defined under the Filters tag.

The Protocol Tag

The Protocol tag is nested within the NetworkAdapter tag and controls one protocol decoder for that adapter. The enabled attribute switches the decoder on or off; if it is set to false, this protocol is ignored on the interface. The name attribute is the protocol name and is read-only.

Example 1:

Network interface settings to capture a client's DC, ICQ, IRC, MRA, MSN, XMPP/Jabber and/or Yahoo messages:

<NetworkAdapter
 enabled="true"
 mac="capdrop"
 description="PCAP files processing adapter">
  <Filter enabled="true" name="default" />
  <Protocol enabled="true"  name="dc" />
  <Protocol enabled="false" name="ftp" />
  <Protocol enabled="false" name="http" />
  <Protocol enabled="true"  name="icq" />
  <Protocol enabled="false" name="imap4" />
  <Protocol enabled="true"  name="irc" />
  <Protocol enabled="false" name="lotus" />
  <Protocol enabled="true"  name="mra" />
  <Protocol enabled="true"  name="msn" />
  <Protocol enabled="false" name="pop3" />
  <Protocol enabled="false" name="skype" />
  <Protocol enabled="false" name="smtp" />
  <Protocol enabled="false" name="ssl" />
  <Protocol enabled="true"  name="xmpp" />
  <Protocol enabled="true"  name="yahoo" />
</NetworkAdapter>

Filters tag

Defines IP filter profile settings.

Filter tag

The Filter tag is nested within the Filters tag and defines one IP filter profile. The name attribute is the profile name; it is the value to use in NetworkAdapter/Filter/name to assign this profile to a network interface.
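The flow_* memory arithmetic from the EtherCapConfig section and the requirement that every NetworkAdapter/Filter name resolves to a profile under Filters can both be checked mechanically before the service is restarted with an edited file. The script below is an added example in Python and is not a tool shipped with Microolap EtherSensor; the ethcap.xml excerpt it embeds is constructed for the demonstration (a dangling "dmz" reference and a reject-only "block-only" profile are planted on purpose), and the reject-only check follows the rule on this page that traffic is processed only when it matches an accept rule. Pass a real file path as the first argument to lint it instead of the embedded sample.

```python
from xml.etree import ElementTree as ET

# Constructed, cut-down ethcap.xml (not a file shipped with the product). The
# second adapter points at a filter profile "dmz" that is never defined, and
# the "block-only" profile has no accept rule; both are deliberate.
SAMPLE_CONFIG = """
<EtherCapConfig version="4.2" flow_count="16" flow_buff_count="512" flow_buff_size="524288">
 <NetworkAdapters>
  <NetworkAdapter enabled="true" rss="true" mac="00-1F-C6-2D-EA-40" description="Uplink">
   <Filter enabled="true" name="internet" />
   <Protocol enabled="true" name="http" />
   <Protocol enabled="true" name="smtp" />
  </NetworkAdapter>
  <NetworkAdapter enabled="true" mac="capdrop" description="PCAP files processing adapter">
   <Filter enabled="true" name="dmz" />
   <Protocol enabled="true" name="http" />
  </NetworkAdapter>
 </NetworkAdapters>
 <Filters>
  <Filter name="internet">
   <RuleGroup enabled="true" name="">
    <Rule type="reject" src="192.168.0.1" srcport="any" dst="any" dstport="any" proto="tcp" />
    <Rule type="accept" src="any" srcport="any" dst="any" dstport="any" proto="tcp" />
   </RuleGroup>
  </Filter>
  <Filter name="block-only">
   <RuleGroup enabled="true" name="">
    <Rule type="reject" src="10.0.0.0/255.0.0.0" dst="any" proto="tcp" />
   </RuleGroup>
  </Filter>
 </Filters>
</EtherCapConfig>
"""


def is_enabled(el):
    # Every enabled="..." attribute in ethcap.xml is read the same way here.
    return el.get("enabled", "true").lower() == "true"


def flow_memory(xml_text):
    """(bytes per processing thread, bytes for all threads) from the root attributes."""
    root = ET.fromstring(xml_text)
    per_thread = int(root.get("flow_buff_count")) * int(root.get("flow_buff_size"))
    return per_thread, int(root.get("flow_count")) * per_thread


def check_config(xml_text):
    """Return a list of problems; an empty list means the file passed the checks."""
    root = ET.fromstring(xml_text)
    if root.tag != "EtherCapConfig":
        return [f"root tag is {root.tag}, expected EtherCapConfig"]
    problems = []
    defined = {f.get("name") for f in root.findall("Filters/Filter")}
    for adapter in root.findall("NetworkAdapters/NetworkAdapter"):
        if not is_enabled(adapter):
            continue
        ident = adapter.get("mac", "?")
        # Each active Filter reference must name a profile under Filters.
        for ref in adapter.findall("Filter"):
            if is_enabled(ref) and ref.get("name") not in defined:
                problems.append(f"adapter {ident}: filter profile '{ref.get('name')}' is not defined under Filters")
        if not any(is_enabled(p) for p in adapter.findall("Protocol")):
            problems.append(f"adapter {ident}: no protocol enabled, nothing will be decoded")
    for flt in root.findall("Filters/Filter"):
        # Once any rule exists, only traffic matching an accept rule is processed,
        # so a profile made of reject rules alone silently analyses nothing.
        rules = [r for g in flt.findall("RuleGroup") if is_enabled(g) for r in g.findall("Rule")]
        if rules and not any(r.get("type") == "accept" for r in rules):
            problems.append(f"filter '{flt.get('name')}': only reject rules, so no traffic is passed for processing")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    per_thread, total = flow_memory(text)
    print(f"flow buffers: {per_thread // 2**20} MB per thread, {total // 2**20} MB total")
    for problem in check_config(text):
        print("PROBLEM:", problem)
```

The memory figure is worth printing every time because the flow_* attributes are easy to scale up "for performance" without noticing that the product reserves the result statically for every thread.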

The RuleGroup Tag

The RuleGroup tag is nested within the Filter tag and groups the filter rules that address one particular traffic-filtering task. The enabled attribute switches the whole group on or off, like the other enabled attributes in this file. The name attribute holds the name (description) of the group and may be empty.

Rule tag

The Rule tag is nested within the RuleGroup tag and describes one network traffic filter rule. The type attribute sets the rule type: accept passes the network packets that match the rule on for further processing, reject drops them. The src and dst attributes give the source and destination addresses to match: a single IP address, an address range (10.1.5.15-10.1.5.59), a network with its mask (10.1.6.0/255.255.255.0), a comma-separated list of these, or any / * for any address. The proto attribute names the transport protocol; the examples on this page use tcp. The comment attribute holds an optional comment for the rule.

Example 2:

Reject packets passing between the hosts 10.1.5.10 and 10.1.5.15-10.1.5.59 and the 10.1.6.0/255.255.255.0 network:

<Rule
type="reject"
src="10.1.5.10, 10.1.5.15-10.1.5.59"
dst="10.1.6.0/255.255.255.0"
proto="tcp"
comment="" />
 
<Rule
type="reject"
src="10.1.6.0/255.255.255.0"
dst="10.1.5.10, 10.1.5.15-10.1.5.59"
proto="tcp" />

The srcport and dstport attributes specify the TCP source and destination ports to match: a single port, a comma-separated list or a range (80, 443-1024), or any / * for any port. A Rule that omits one of these attributes, as the rules in example 2 do, matches any port on that side.

Example 3:

Reject packets passing between the hosts 10.1.5.10 and 10.1.5.15-10.1.5.59 and the 10.1.6.0/255.255.255.0 network on ports 80 and 443-1024:

<Rule
type="reject"
src="10.1.5.10, 10.1.5.15-10.1.5.59"
srcport="80, 443-1024"
dst="10.1.6.0/255.255.255.0"
proto="tcp" />
 
<Rule
type="reject"
src="10.1.6.0/255.255.255.0"
dst="10.1.5.10, 10.1.5.15-10.1.5.59"
dstport="80, 443-1024"
proto="tcp" />

The rules are applied linearly, from top to bottom: the first Rule in the group is evaluated first and the last one last, and the first rule that matches a packet decides what happens to it. Each rule rejects or accepts only the packets it describes, so a rule that names the client as src and the server as dst does not touch the server's replies. To reject a connection between two hosts or groups of hosts, you must therefore reject the traffic in both directions.

Example:

<Rule
type="reject"
src="10.31.5.212"
dst="10.31.5.57"
dstport="1025"
proto="tcp" />
 
<Rule
type="reject"
src="10.31.5.57"
srcport="1025"
dst="10.31.5.212"
proto="tcp" />

Also remember that, if no filter rule is defined at all, all traffic is accepted. Conversely, as soon as any filter rules exist, only traffic that matches an accept rule is processed; packets that match no rule are not.

Example:

1. Process only connections to or from 10.31.5.57 (with no other rules, traffic between other hosts matches nothing and is not processed):

<Rule
type="accept"
src="10.31.5.57"
srcport="*"
dst="*"
dstport="*"
proto="tcp" />
 
<Rule
type="accept"
src="*"
srcport="*"
dst="10.31.5.57"
dstport="*"
proto="tcp" />

2. To reject a group of hosts, first reject that group's packets and then accept all other packets. Without the final accept rule no packet would match an accept rule, and all traffic would pass the sensor without being analyzed:

<Rule
type="reject"
src="10.31.5.212"
dst="10.31.5.57"
dstport="1025"
proto="tcp" />
 
<Rule
type="reject"
src="10.31.5.57"
srcport="1025"
dst="10.31.5.212"
proto="tcp" />
 
<Rule
type="accept"
src="*"
srcport="*"
dst="*"
dstport="*"
proto="tcp" />

This allows you to exclude the traffic on one side of a proxy server from analysis.

3. If you define rules that accept traffic only from certain hosts, only traffic from these hosts is processed; the remaining traffic matches no rule and is implicitly rejected, so no explicit reject rule is needed:

<Rule
type="accept"
src="10.31.5.212"
dst="10.31.5.57"
dstport="1025"
proto="tcp" />
 
<Rule
type="accept"
src="10.31.5.57"
srcport="1025"
dst="10.31.5.212"
proto="tcp" />
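The top-to-bottom, first-match evaluation, the need to reject both directions of a connection, and the implicit rejection of traffic that matches no rule once any rule exists, as described above, are easy to get wrong when editing the Filters section by hand. The Python model below is an added example and not part of Microolap EtherSensor; it reproduces those semantics as this page states them over a constructed copy of example 2, so a ruleset can be dry-run against sample packets before it goes into ethcap.xml. Assumptions not stated on the page: an omitted srcport/dstport matches any port (as example 2 implies), proto is compared as a plain string, and address and port lists are split on commas.

```python
import ipaddress
from xml.etree import ElementTree as ET

# Constructed sample filter (not from the product's own files): the rules of
# example 2 above, i.e. reject one proxy-side connection in both directions
# and accept everything else.
SAMPLE_FILTER = """
<Filter name="proxy-side">
  <RuleGroup enabled="true" name="">
    <Rule type="reject" src="10.31.5.212" dst="10.31.5.57" dstport="1025" proto="tcp" />
    <Rule type="reject" src="10.31.5.57" srcport="1025" dst="10.31.5.212" proto="tcp" />
    <Rule type="accept" src="*" srcport="*" dst="*" dstport="*" proto="tcp" />
  </RuleGroup>
</Filter>
"""

ANY_ADDR = (0, 2**32 - 1)
ANY_PORT = (0, 65535)


def parse_addr(spec):
    """Turn a src/dst value into a list of inclusive (low, high) integer ranges.
    Accepts any, *, a single address, a first-last range, a network with a
    dotted mask, and comma-separated lists of those, as in the examples above."""
    if spec is None or spec.strip() in ("any", "*", ""):
        return [ANY_ADDR]
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if "/" in item:
            net = ipaddress.IPv4Network(item, strict=False)   # handles 10.1.6.0/255.255.255.0
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        elif "-" in item:
            lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in item.split("-", 1))
            ranges.append((lo, hi))
        else:
            addr = int(ipaddress.IPv4Address(item))
            ranges.append((addr, addr))
    return ranges


def parse_ports(spec):
    """Same for srcport/dstport; an omitted attribute matches any port (assumption)."""
    if spec is None or spec.strip() in ("any", "*", ""):
        return [ANY_PORT]
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(p) for p in item.split("-", 1))
            ranges.append((lo, hi))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)


class Rule:
    def __init__(self, el):
        self.type = el.get("type")
        self.proto = el.get("proto", "tcp")   # assumption: plain string comparison
        self.src = parse_addr(el.get("src"))
        self.dst = parse_addr(el.get("dst"))
        self.srcport = parse_ports(el.get("srcport"))
        self.dstport = parse_ports(el.get("dstport"))

    def matches(self, src, sport, dst, dport, proto="tcp"):
        return (proto == self.proto
                and in_ranges(int(ipaddress.IPv4Address(src)), self.src)
                and in_ranges(int(ipaddress.IPv4Address(dst)), self.dst)
                and in_ranges(sport, self.srcport)
                and in_ranges(dport, self.dstport))


def load_rules(filter_xml):
    """Rules of all enabled RuleGroups of one Filter element, in file order."""
    root = ET.fromstring(filter_xml)
    rules = []
    for group in root.findall("RuleGroup"):
        if group.get("enabled", "true").lower() == "true":
            rules.extend(Rule(r) for r in group.findall("Rule"))
    return rules


def decide(rules, src, sport, dst, dport, proto="tcp"):
    """Top-to-bottom evaluation: the first rule that matches decides. With no
    rules at all everything is accepted; once any rule exists, a packet that
    matches none of them is not processed, which is reported as reject here."""
    if not rules:
        return "accept"
    for rule in rules:
        if rule.matches(src, sport, dst, dport, proto):
            return rule.type
    return "reject"


if __name__ == "__main__":
    rules = load_rules(SAMPLE_FILTER)
    for pkt in [("10.31.5.212", 40000, "10.31.5.57", 1025),   # proxy direction, rejected
                ("10.31.5.57", 1025, "10.31.5.212", 40000),   # reply direction, rejected
                ("10.31.5.212", 40000, "10.31.5.57", 80),     # other port, accepted
                ("10.1.5.20", 500, "10.1.6.77", 9999)]:       # unrelated hosts, accepted
        print(pkt, "->", decide(rules, *pkt))
```

Dropping the second reject rule from SAMPLE_FILTER and re-running shows the trap the text warns about: the client-to-proxy direction is still rejected, but the proxy's replies on port 1025 now match the final accept rule and are analyzed.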