Decoder: Configure Capture Settings

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 11, 2017.
Version 6
 

When initially setting up the Decoder, you must configure the network adapter interface. Additional optional capture settings are available; two that are frequently used are the Berkeley Packet Filter and Capture Autostart.

Decoder configuration workflow with Configure Capture Settings, the first step, highlighted.

Besides the basic network adapter interface setup, you may decide to use one of the special-purpose configurations described in "(Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface" or "(Optional) Configure a Decoder to Capture Data Across All Types of Network Interfaces".

The rest of the capture settings have default values chosen to be effective in most cases (see a detailed list in Services Config View - General Tab). You can adjust these in some circumstances, for example, if Customer Support advises a change. You can edit the capture settings at any time.

Select a Network Adapter

The table below describes the Network Adapter settings for a Decoder. The system administrator sets the default network adapters when the Decoder is installed. Consult your system administrator for more information.

                       
Adapter Parameter | Description
Berkeley Packet Filter | Berkeley Packet Filters (BPF) are applied to the packet stream before the packets are copied to the Decoder adapter for analysis. This allows unwanted traffic to be efficiently discarded. However, any packets discarded are not accounted for in any Decoder statistics (capture rate, packets dropped, packets filtered, and total packets).
Capture Interface Selected | Select an adapter through which the Decoder captures packets. For the lower speed internal capture interface, use the packet_mmap_,7,eth1 adapter, which corresponds to the monitor port located on the motherboard. There are six additional capture ports:
  • packet_mmap_,1,lo (bpf)
  • packet_mmap_,2,eth2 (bpf)
  • packet_mmap_,3,eth3 (bpf)
  • packet_mmap_,4,eth4 (bpf)
  • packet_mmap_,5,eth5 (bpf)
  • packet_mmap_,8,ALL (bpf)
There are three wireless capture services available:
  • packet_netmon_ (Microsoft Netmon)
  • packet_mac80211_ (Linux mac80211)
  • packet_airport_ (Mac OS X AirPort)

Capture Interface Selected for Log Decoder

The following capture service is available:

  • log_events,Log Events

To configure the network adapter on a Decoder:

  1. Go to ADMIN > Services.
  2. In the Administration Services view, select the Decoder and then select the actions menu > View > Config.
    The Services Config view is displayed with the General tab open.
    Top half of the Decoder Configuration section in the General tab.
  3. In the Capture Interface Selected field, select the network adapter that best suits the Decoder.
  4. To save the changes, click Apply.

  5. If a restart is necessary to put the changes into effect, navigate back up to the Administration Services view, select the Decoder, and select the actions menu > Restart.

Configure a Decoder to Begin Capturing Data Automatically

  1. Go to ADMIN > Services.
  2. In the Administration Services view, select the Decoder and then select the actions menu > View > Config.
    The Services Config view is displayed with the General tab open.
    Top half of the Decoder Configuration section in the General tab.
  3. Under Capture Settings, select the Capture Autostart checkbox.
  4. To save the changes, click Apply.

  5. If a restart is necessary to put the changes into effect, navigate back up to the Administration Services view, select the Decoder, and select the actions menu > Restart.

Configure Optional Capture Settings

  1. Go to ADMIN > Services.

  2. In the Administration Services view, select the Decoder and then select the actions menu > View > Config.
    The Services Config view is displayed with the General tab open.
    Top half of the Decoder Configuration section in the General tab.
    Bottom half of the Decoder Settings section in the General tab.
  3. If you want to apply a system-level filter to the packet stream before the packets are copied to the Decoder adapter for analysis, configure the Berkeley Packet Filter as described in (Optional) Configure System-Level (BPF) Packet Filtering.
  4. In the Capture Settings section, review the default values. When a service is first added, default values are in effect and should be changed only in special circumstances, for example, if Customer Support advises a change. See Services Config View - General Tab for an explanation of these settings.
  5. In the Database Max File Sizes section, review the default values. When a service is first added, default values are in effect and should be changed only in special circumstances, for example, if Customer Support advises a change. See Services Config View - General Tab for an explanation of these settings.
  6. In the Hash section, define a directory for hash files if you are using this feature. See Services Config View - General Tab for an explanation of these settings.
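
The Berkeley Packet Filter behavior described in the adapter table and in step 3 above can be modeled outside the product. The following added example (not RSA code and not part of the original document) interprets the classic BPF program for the filter expression `ip` over constructed Ethernet frames and shows why discarded packets never reach capture-side counters. The function names, the counter names, and the sample frames are assumptions made for illustration.

```python
import struct

# Classic BPF program for the filter expression "ip" on an Ethernet link,
# in the 4-instruction form printed by `tcpdump -dd ip`: (opcode, jt, jf, k)
FILTER_IP = [
    (0x28, 0, 0, 12),       # ldh [12]     load the EtherType field
    (0x15, 0, 1, 0x0800),   # jeq #0x800   IPv4: fall through, else skip one
    (0x06, 0, 0, 0x40000),  # ret #262144  accept (snap length)
    (0x06, 0, 0, 0),        # ret #0       discard
]

def run_bpf(program, packet):
    """Interpret a small cBPF subset; return bytes to keep (0 = discard)."""
    acc, pc = 0, 0
    while pc < len(program):
        op, jt, jf, k = program[pc]
        pc += 1
        if op in (0x20, 0x28, 0x30):        # ld / ldh / ldb at absolute offset
            size = {0x20: 4, 0x28: 2, 0x30: 1}[op]
            if k + size > len(packet):
                return 0                    # out-of-bounds load discards
            acc = int.from_bytes(packet[k:k + size], "big")
        elif op == 0x15:                    # jeq #k
            pc += jt if acc == k else jf
        elif op == 0x06:                    # ret #k
            return k
        else:
            raise ValueError(f"unsupported opcode {op:#x}")
    return 0

def frame(ethertype, payload=b"\x00" * 46):
    """Constructed Ethernet frame: zeroed MAC addresses, EtherType, padding."""
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload

def capture(program, packets):
    """Model the order of operations: filter first, then count what is seen."""
    seen = [p for p in packets if run_bpf(program, p) > 0]
    return {
        "offered_on_wire": len(packets),    # known only to an upstream counter
        "visible_to_capture": len(seen),    # all that capture statistics can use
        "discarded_unaccounted": len(packets) - len(seen),
    }

# Constructed sample: 3 IPv4, 2 ARP, 1 IPv6 and 1 truncated (runt) frame
SAMPLE = [frame(0x0800)] * 3 + [frame(0x0806)] * 2 + [frame(0x86DD), b"\x00" * 10]

if __name__ == "__main__":
    print(capture(FILTER_IP, SAMPLE))
```

Because the discarded count exists only outside the capture path, compare a filter's effect against an independent counter (for example, switch or tap port statistics) before relying on it.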