Decoder: (Optional) Configure a Decoder to Capture Data Across All Types of Network Interfaces

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Oct 11, 2017.
Version 5
 

The packet_mmap_,ALL adapter can capture across all types of network interfaces at the same time, for example physical network interfaces over different media types and tunnel interfaces.

The default behavior of the ALL adapter is to capture from all interfaces on the system, except for the hard-coded defaults of lo, eth0, and em1.

In NetWitness Suite 11.0, you can select any subset of the capture interfaces by editing the Decoder configuration node /decoder/config/capture.device.params to include an interfaces= parameter. The interfaces parameter contains a comma-separated list of the interfaces to use for capture. When it is set, only the specified interfaces are used instead of all interfaces.

For example, if you want to force capture on interfaces em1, em2, and em4, and ignore em3, you can select the packet_mmap_,ALL adapter, and then add this line to capture.device.params: interfaces=em1,em2,em4

Note: Using the interfaces parameter to select eth0, lo, or em1 overrides the default behavior, which is to drop traffic from those ports.

To configure the packet_mmap_,ALL adapter to capture from specific interfaces instead of all interfaces:

  1. In the Administration Services view, select the Decoder service, and then select the actions menu > View > Config.
  2. In the Services Config view, set Capture Interface Selected to packet_mmap_,ALL adapter.
  3. To go to the Services Explore view, click Config in the toolbar and select Explore in the drop-down list.
  4. In the Services Explore view, select decoder > config.
  5. Click in the values column next to capture.device.params, type interfaces=em1,em2,em4, and press Enter.
    The change goes into effect immediately; only traffic on em1, em2, and em4 interfaces is captured.
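
Before committing a value, it helps to check which interfaces it would actually select on the host. The following is an added example, not RSA code: it models the selection rules described above and flags listed names that are absent from the host or that override the default exclusions. The function names, the sample host, and the assumption that parameters in capture.device.params are whitespace-separated key=value tokens are hypothetical.

```python
import os

# Interfaces the page says the ALL adapter skips by default.
DEFAULT_EXCLUDED = ("lo", "eth0", "em1")

def parse_interfaces(params_value):
    """Return the interfaces= list from a capture.device.params value, or None.

    Assumption: parameters are whitespace-separated key=value tokens.
    """
    for token in params_value.split():
        key, sep, value = token.partition("=")
        if sep and key == "interfaces":
            names = [n.strip() for n in value.split(",") if n.strip()]
            return list(dict.fromkeys(names))  # de-duplicate, keep order
    return None

def effective_capture(params_value, host_ifaces):
    """Model which host interfaces the ALL adapter captures from."""
    selected = parse_interfaces(params_value)
    if selected is None:
        # Default: every interface except the hard-coded exclusions.
        captured = [i for i in host_ifaces if i not in DEFAULT_EXCLUDED]
        return {"captured": captured, "missing": [], "default_overridden": []}
    return {
        "captured": [i for i in selected if i in host_ifaces],
        # Listed but not present on this host (typo or renamed NIC).
        "missing": [i for i in selected if i not in host_ifaces],
        # Listed explicitly, so the default drop no longer applies.
        "default_overridden": [i for i in selected if i in DEFAULT_EXCLUDED],
    }

def host_interfaces(sysfs="/sys/class/net"):
    """List interface names on a Linux host (empty list elsewhere)."""
    return sorted(os.listdir(sysfs)) if os.path.isdir(sysfs) else []

if __name__ == "__main__":
    # Constructed sample host, not taken from the page.
    sample = ["lo", "em1", "em2", "em3", "em4", "tun0"]
    for value in ("", "interfaces=em1,em2,em4", "interfaces=em2,em5"):
        print(repr(value), effective_capture(value, sample))
```

On a Decoder host, pass `host_interfaces()` instead of the sample list to compare the planned value against the real interface names.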