...
Btcap Config File Overview
(In progress...)
Btcap config file has the same format as SR140 call control file. It consists of sections. Section names can be anything in square brackets. Each section configures one capture session. btcap_start() API (described earlier) takes both config file path and section name as arguments.
...
capture_ip
: IPv4 or IPv6 address of local a network interface, defining the capture point for this session. Example: capture_ip = 192.168.5.111
. This parameter cannot be missing or empty, there is not default value.
peer_ip_include
: We DO capture Capture traffic between these IP addresses and our the address specified in capture_ip
. The value is a comma-separated list. Example: peer_ip_include
Each item in the list is an IP address or a subnet. The asterisk symbol '*' is used to depict subnets. Example: peer_ip
= 192.168.5.112*, 192.168.5.113
peer_ip_exclude
: We IGNORE traffic between these IP addresses and our capture_ip. The value is a comma-separated list. Example: peer_ip_exclude = 192.168.5.*
. Note: Multicast addresses are always excluded.
tcp_packets
: Capture TCP packets. Example: tcp_packets = 1
udp_packets
: Capture UDPP packets. Example: udp7.118
. There is also a special value, * , depicting ANY IP address. Default value is *. This parameter cannot be empty. If it is missing, the default value will be assigned.
tcp_packets
: Boolean parameter instructing the tool whether to capture TCP packets (value of 1) or not (value of 0). Default value is 0. NOTE: UDP packets are always captured. Example: tcp_packets = 1
local_port_include
: We DO capture traffic Capture packets on these ports on capture_ip interface (local ports). The Default value is *, instructing the system to capture from any local port. This parameter cannot be empty. The value is a comma-separated list. ExampleItems in the list are either individual port numbers or intervals. Example: local_port_include = 1983, 1984, 2010-2025
local_port_exclude
: We IGNORE traffic on these local ports. Exclude specified local ports even if they are to be included in local_port_include
. Default value is empty. The value is a comma-separated list. Items in the list are either individual port numbers or intervals. Example: local_port_exclude = 1980,11908,9898
remote_port_include
: We DO capture traffic on Capture packets to/from these remote ports. Default value is *, instructing the system to capture any remote port. This parameter cannot be empty. The value is a comma-separated list. Example: remote_port_Items in the list are either individual port numbers or intervals. Example: remote_port_include = 1983, 1984, 2010-2025
remote_port_exclude
: We IGNORE traffic on these remote ports. Exclude specified remote ports even if they are to be included in remote_port_include
. Default value is empty. The value is a comma-separated list. Items in the list . Exampleare either individual port numbers or intervals. Example: remote_port_exclude = 1980,11908,9898
...
max_result_file_size
: Max pcapng file size before it roll overthe new file is started. Example: max_result_file_size = 55555
max_number_of_result_files
: Max number of pcapng files to be created before the system starts to delete oldest files. Example: max_number_of_result_files
= 100
More parameters will be added as necessary.
...
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome |
---|---|
Are packets going to be captured even if they are blocked by a firewall active on the same host? We know Wireshark captures them anyway. We ideally want the same result. Based on the research, that should automatically be the case because of the technologies we used. But need to test explicitly with our code. | |