The packet_mmap_,ALL adapter is capable of capturing across all types of network interfaces at the same time. For example, this can include things like physical network interfaces over different media types and tunnel interfaces.
The default behavior of the ALL adapter is to capture from all interfaces from the system, except for the hard-coded defaults of lo, eth0, and em1.
In NetWitness Suite 11.0, you can select any subset of the capture interfaces by editing the Decoder configuration node /decoder/config/capture.device.params to include an interfaces= parameter. The interfaces parameter contains a comma-separate list of interfaces that are used for capture. Instead of using all interfaces for capture, only the specified interfaces are used.
For example, if you want to force capture on interfaces em1, em2, and em4, and ignore em3, you can select the packet_mmap_,ALL adapter, and then add this line to capture.device.params: interfaces=em1,em2,em4
To configure the packet_mmap_,ALL adapter to capture from specific interfaces instead of all interfaces:
- In the Administration Services view, select the Decoder service and > View > Config.
- In the Services Config view, set Capture Interface Selected to packet_mmap_,ALL adapter.
- To go to the Services Explore view, click Config in the toolbar and select Explore in the drop-down list.
- In the Services Explore view, select decoder > config.
- Click in the values column next to capture.device.params, type interfaces=em1,em2,em4, and press Enter.
The change goes into effect immediately; only traffic on em1, em2, and em4 interfaces is captured.