The service EtherSensor EtherCAP


The EtherSensor EtherCAP service is responsible for passive traffic capture on network adapters and for processing the traffic from PCAP files in the following formats: tcpdump/libpcap/pcapng.

The service extracts application-level (L7 of the OSI model) objects and passes them to the EtherSensor Analyser service for further processing.

EtherSensor EtherCAP is capable of processing the following OSI layer 3 (network layer) protocols:

IP: regular traffic

GRE: tunneled traffic, e.g. unencrypted Ethernet-over-GRE or IP-over-IP connections

IPv6-over-IPv4: encapsulated IPv6 traffic (normally used in large networks and on trunk channels)

In all of these cases, Microolap EtherSensor primarily processes the TCP and UDP streams carried inside the layer 3 traffic.

In the current version of Microolap EtherSensor (5.1.0.13519), EtherSensor EtherCAP is capable of recognizing and processing the following popular Internet protocols used to transfer application-level data:

HTTPv1/HTTPv2: all types of requests, messages and files

SMTP: outgoing email messages

POP3: incoming email messages

IMAP4: incoming and outgoing email messages

ICQ: outgoing and incoming instant messages, contact lists and files

DC: instant messages over the NMDC and ADC (DC++) protocols

LOTUS: mail messages, calendars and Lotus Notes tasks

MRA: instant messages, contact list and files via Mail.Ru Agent

MSN: instant messages, contact list and files via MSN

XMPP: instant messages, contact list and files via XMPP clients (Google Talk, etc.)

IRC: instant messages and files

SKYPE: detection of Skype client usage and message extraction

SSL: detection of SSL usage

TORRENT: detection of Torrent client usage

FTP: file transfer

Yahoo: instant messages and files

ICAP: capture of data transferred over the ICAP protocol

SOCKS: capture of data transferred over the SOCKS protocol

WEBSOCKET: capture of data transferred over the WebSocket protocol

The following diagram shows how the EtherSensor EtherCAP service generally works:

Fig. 7. EtherSensor EtherCAP service operation diagram.

The EtherSensor EtherCAP service can capture traffic from all available Ethernet interfaces and, at the same time, monitor a local directory and process any PCAP files placed into it.

When defining the hardware resources required per captured network interface, keep in mind that processing one TCP connection takes about 40 Kbyte of RAM on average, in addition to the packet cache sized by interface bandwidth shown below:

Network interface bandwidth    Amount of RAM required to cache packets being processed
10,000 Mbit                    2,000 MB
5,000 Mbit                     1,000 MB
1,000 Mbit                     200 MB
100 Mbit                       50 MB
10 Mbit                        10 MB

Therefore, to simultaneously monitor 10,000 TCP sessions through a 1 Gbps network interface, Microolap EtherSensor needs the following amount of available RAM:

200 MB + 10,000 * 40 KB = about 600 MB

To optimize processing, the EtherSensor EtherCAP service lets you assign a packet filter to each captured network interface and select which network protocols are monitored on it.

The ways to set up the service operation are shown in the following diagram:

Fig. 8. Ways to set up the EtherSensor EtherCAP service operation.

To process PCAP files, the service emulates a network interface, which can be set up in the service configuration file. In the configuration file, this emulated interface is assigned a unique name: capdrop. In the current version of Microolap EtherSensor (5.1.0.13519), the EtherSensor EtherCAP service supports only the two most popular PCAP file formats: tcpdump/libpcap and pcapng.
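As an added example (not EtherSensor code), the following Python check tells the two supported capture formats apart by their file magic and counts the complete records in a libpcap file, so that a truncated or mislabelled capture can be rejected before it is placed in the directory watched for the capdrop interface. The magic values come from the libpcap and pcapng specifications; the sample bytes are constructed here.

```python
import struct

# Magic numbers of the two formats EtherCAP accepts (from the libpcap
# and pcapng specifications, not from the EtherSensor documentation).
LIBPCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",   # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",   # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",   # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",   # big-endian, nanosecond timestamps
}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"   # Section Header Block type, any byte order
PCAPNG_BOM = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}


def identify_capture(data: bytes):
    """Return (format, endianness) for the file bytes, or None if unsupported."""
    head = data[:4]
    if head in LIBPCAP_MAGICS:
        return "pcap", LIBPCAP_MAGICS[head]
    # pcapng: the byte-order magic sits after the 4-byte type and 4-byte length.
    if head == PCAPNG_SHB_TYPE and len(data) >= 12 and data[8:12] in PCAPNG_BOM:
        return "pcapng", PCAPNG_BOM[data[8:12]]
    return None


def count_libpcap_packets(data: bytes) -> int:
    """Walk the record headers of a libpcap file and count complete packets,
    stopping at the first truncated record."""
    ident = identify_capture(data)
    if ident is None or ident[0] != "pcap":
        raise ValueError("not a libpcap file")
    endian = ident[1]
    offset, count = 24, 0                     # 24-byte global header
    while offset + 16 <= len(data):           # 16-byte per-record header
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            break                             # record cut off: truncated capture
        offset += 16 + incl_len
        count += 1
    return count


def sample_libpcap() -> bytes:
    """Constructed little-endian libpcap file (link type 1 = Ethernet) with two dummy frames."""
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    frame = b"\x00" * 14
    rec = struct.pack("<IIII", 1, 0, len(frame), len(frame)) + frame
    return hdr + rec + rec


# Constructed little-endian pcapng Section Header Block (28 bytes, no options).
SAMPLE_PCAPNG_HEAD = (PCAPNG_SHB_TYPE + struct.pack("<I", 28) + b"\x4d\x3c\x2b\x1a"
                      + struct.pack("<HHqI", 1, 0, -1, 28))
```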

Command Line Parameters

The Windows EtherSensor EtherCAP service is set up to start automatically during Microolap EtherSensor installation. However, you can also start the ethersensor_ethercap.exe process as a Windows application using the following command line parameters:

/process   Starts ethersensor_ethercap.exe as a regular Win32 process (may be helpful for debugging)

/service   Starts it as a Windows service

/config    Saves the service default configuration