Setting up the Configurator


The EtherSensor EtherCAP service can capture both the hardware network interfaces installed in the runtime environment of Microolap EtherSensor and a special virtual device, the PCAP files processing adapter, which is intended to process traffic previously gathered in the tcpdump/libpcap pcap or pcapng formats.

Hardware Network Interface Settings

The information on the network interface settings and packet filters is stored in the ethcap.xml file, located in the [INSTALLDIR]\config directory. You can edit the file either in the configurator or in a text editor.

In the configurator (ethersensor_console.exe), set up the EtherSensor EtherCAP service as follows:

Fig. 9. Setting up EtherSensor EtherCAP.

MAC-address:

The MAC address of the network interface being configured. The MAC address is used in all messages sent by Microolap EtherSensor to the consumer system.

Listen:

Enables/disables capturing this adapter by the EtherSensor EtherCAP service. It can capture multiple network adapters simultaneously. The EtherSensor EtherCAP service will capture all interfaces that are not configured.

To capture an interface configured for the OS, set the value for the Listen parameter to Yes. To avoid capturing interfaces where the OS stack is not installed, set the Listen parameter for those interfaces to No.

Use RSS:

Enables/disables the use of RSS technology. Receive Side Scaling (RSS) is a technology that equally distributes the network packet processing workload among the CPU cores, optimizing the performance.

Filter:

Displays the name of the filter associated with this adapter and its usage status (Use/Do not use). You can have as many pre-prepared filters as you want, but only one of them can be used on a given network adapter at any time.

Filter name:

Selects the packet filter. Filters are stored in the [INSTALLDIR]\config\ethcap.xml file.

Apply:

Enables/disables the specified filter on the network interface.

Protocols:

Allows you to save resources by disabling unused protocol filters. For example, if you don't need to work with instant messages, disable filters for the following protocols: DC, ICQ, IRC, MRA, MSN, SKYPE and YAHOO.

PCAP Files Processing Adapter

The PCAP files processing adapter is a special virtual device intended to process traffic previously saved in PCAP files (e.g., received in another network segment). The PCAP files processing adapter settings are identical to those for hardware adapters:

Fig. 10. PCAP files processing adapter settings.

To process PCAP files, copy them to the [INSTALLDIR]\data\capdrop directory and then use the configurator to allow the PCAP files processing adapter to capture them. PCAP files are captured in FIFO order: the first file moved to the [INSTALLDIR]\data\capdrop directory (i.e., one that has an earlier modification date in the file system) will be "captured" first, the second file will be "captured" second, etc.

If the PCAP files processing adapter is Enabled and a PCAP file is moved into the previously empty [INSTALLDIR]\data\capdrop directory, that file is captured immediately.

If the PCAP files processing adapter is Disabled, and there were PCAP files in the [INSTALLDIR]\data\capdrop directory, then file capture starts immediately after the adapter is Enabled.

Processed PCAP files are moved to the [INSTALLDIR]\data\capdrop\processed directory without any changes, so you can re-process them as many times as you want (for example, to debug filters).

Messages received by the EtherSensor EtherCAP service from PCAP files are then processed in the usual way.

Creating and Configuring Packet Filters

To create and edit packet filters, use the configurator form in the Packet filters section:

Fig. 11. Packet filter settings.

Actions on filter objects panel:
Allows for the creation, cloning and deletion of filters and their objects: groups and rules.

Filter objects properties panel:
Enables editing of filter, group and rule properties.

To open the property editing panel for an object (a filter, a rule group or a rule), double-click that object:

Fig. 12. Filter property editing panel.

Filter name:
A filter name (admins can assign any name).

Filter rule group tab:
A BPF program imposes no length limit and can accommodate a large number of rules. For your convenience, you can group rules and assign intuitive names to the groups.

Fig. 13. Rule group property editing panel.

Group name:

Rule group name (admins can assign any name).

Enabled checkbox:
Enables/disables a rule group.

Rules tab:
You can edit rules from both the filter level and the Rules tab of the rule group properties.

Fig. 14. Edit rule panel.

To open the edit rule action and conditions panel, double-click the rule name.

Fig. 15. Edit rule panel.

Rule type:

There are two rule types: Accept and Reject. Accept means packets that meet the rule conditions are accepted. Reject means such packets are ignored.

Warning!
Filter rules are always applied in sequence. Changing the order of the rules in a filter may radically change the results.

Source address:

The source address. For example: any or 10.0.0.0/24 or 10.0.0.0-10.0.0.255 or a comma-separated list, like 100.100.100.1-100.100.100.255, 192.168.0.0/8.

Source port:

The source port, for example: any or 80 or 80-8080 (80 through 8080), or a comma-separated list, like 80-8000, 9000-10000 (80 through 8000 and 9000 through 10000).

Destination address:

The destination address. For example: any or 10.0.0.0/24 or 10.0.0.0-10.0.0.255 or a comma-separated list, like 100.100.100.1-100.100.100.255, 192.168.0.0/8.

Destination port:

The destination port, for example: any or 80 or 80-8080 (80 through 8080), or a comma-separated list, like 80-8000, 9000-10000 (80 through 8000 and 9000 through 10000).

Protocol:

One of TCP, UDP, GRE, IP6 or any.

Comment:

Your comment on this filter rule.
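The following is an added illustration, not Microolap's code: a small evaluator that applies rules of the form described above (address specs as any, CIDR, a-b ranges or comma-separated lists; port specs as any, a number, ranges or lists; protocol TCP/UDP/GRE/IP6/any) in sequence, so you can check how reordering the same rules changes the outcome. The behaviour for a packet that matches no rule is not stated on this page; treating it as Reject is an assumption made here.

```python
import ipaddress

# Constructed example (not Microolap's own code): evaluates EtherCAP-style
# filter rules in sequence, using the field formats described above. A rule
# is a dict with "action" (Accept/Reject) and optional src, sport, dst, dport,
# proto fields; an omitted field means "any".

def _match_addr(spec, ip):
    ip = ipaddress.ip_address(ip)
    for item in (s.strip() for s in spec.split(",")):
        if item == "any":
            return True
        if "-" in item:                      # range like 10.0.0.0-10.0.0.255
            lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(item, strict=False):  # CIDR or host
            return True
    return False

def _match_port(spec, port):
    for item in (s.strip() for s in spec.split(",")):
        if item == "any":
            return True
        if "-" in item:                      # range like 80-8080
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False

def rule_matches(rule, pkt):
    """pkt = (src_ip, src_port, dst_ip, dst_port, proto)."""
    src, sport, dst, dport, proto = pkt
    g = lambda k: rule.get(k, "any")
    return (g("proto").lower() in ("any", proto.lower())
            and _match_addr(g("src"), src) and _match_port(g("sport"), sport)
            and _match_addr(g("dst"), dst) and _match_port(g("dport"), dport))

def evaluate(rules, pkt):
    """First matching rule decides. Rejecting on no match is an assumption."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "Reject"
```

Running evaluate on the same packet with [Reject 10.0.0.0/24 to port 80, Accept TCP] and then with the two rules swapped yields Reject and Accept respectively, which is the ordering effect the warning above describes.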

For more information on EtherSensor EtherCAP service settings, refer to the "Manual Setup (Config File)" section.