forked from dreadl0ck/netcap
net.agent.conf
# NETCAP config for agent tool
# Generated by NETCAP v0.5.2
# You can regenerate an up to date default configuration with:
# $ net <tool> -gen-config > net.<tool>.conf
# specify the address and port of the collection server
# (the generated default is loopback, so it only reaches a collector running on the same host)
addr 127.0.0.1:1335
# support TCP streams whose SYN/SYN+ACK/ACK handshake was not captured
allowmissinginit true
# select base layer
base ethernet
# supply a BPF filter to use for netcap collection
bpf
# chunk size for internal data channels
chan-size 1024
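# check TCP checksum
# NOTE(review): with false, segments with an invalid checksum are presumably not rejected; a receiving host
# would drop them, so a reassembled stream may differ from what the endpoint actually processed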
checksum false
# reassembly: close connections that are inactive after X
close-inactive-timeout 1h0m0s
# reassembly: close connections that have pending bytes after X
close-pending-timeout 1h0m0s
# read configuration from file at path
config
# flush connections every X flows
conn-flush-interval 0
# close connections older than X seconds
conn-timeout 0s
# add packet flow context to selected audit records
context true
# display debug information
debug false
# show all available decoders
decoders false
# use DPI for device profiling
dpi false
# enable entropy calculation for Eth,IP,TCP and UDP payloads
entropy false
# exclude specific decoders
exclude
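# path where extracted files are created (currently only for HTTP)
# extracted files are untrusted content taken from network traffic; use a directory with restricted permissions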
fileStorage
# flushes flows every X flows
flow-flush-interval 0
# closes flows older than flowTimeout
flow-timeout 0s
# flush assembler every N packets
flushevery 100
# use geolocation for device profiling
geoDB false
# dump packets used in stream reassembly as hex to the reassembly.log file
hexdump false
# network interface to capture from
iface en0
# ignore TCP FSM errors
ignorefsmerr true
# include specific decoders
include
# list all visible network interfaces
interfaces false
# Defragment IPv4 packets
ip4defrag true
# use ja3 database for device profiling
ja3DB false
# resolve DNS locally via hosts file in the database dir
local-dns false
# enable verbose packet decoding error logging
log-errors false
# use mac to vendor database for device profiling
macDB false
# max size of packet
max 10240
# set size for membuf
membuf-size 12582912
# write memory profile
memprofile
# do not check TCP options (useful to ignore MSS on captures with TSO)
nooptcheck true
# select decoding options
opts lazy
# capture payload for supported layers
# payloads can contain credentials and personal data; leave false unless the content is needed
payload false
# set packet buffer size
pbuf 0
# capture live in promiscuous mode (the interface also receives frames not addressed to this host)
promisc true
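# path to the hex-encoded server public key on disk
# NOTE(review): empty in this generated default; presumably it must be set before the agent can send data
# to the collection server. Confirm this, and obtain the key over a trusted channel.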
pubkey
# resolve IPs to domains via the operating system's default DNS resolver
# each lookup discloses an observed address to that resolver
reverse-dns false
# use serviceDB for device profiling
serviceDB false
# configure snaplen for live capture
snaplen 1514
# print netcap package version and exit
version false
# wait for all connections to finish processing before cleanup
wait-conns true
# number of workers
workers 12
# write incomplete response
writeincomplete false