# NETCAP config for capture tool
# Generated by NETCAP v0.5.2
# You can regenerate an up-to-date default configuration with:
# $ net <tool> -gen-config > net.<tool>.conf
# support TCP streams seen without the SYN/SYN+ACK/ACK handshake sequence
allowmissinginit true
# select base layer
base ethernet
# supply a BPF filter to use prior to processing packets with netcap
bpf
# size of the stored service banners in bytes
bsize 512
# buffer data in memory before writing to disk
buf true
# check TCP checksum
checksum false
# reassembly: close connections that are inactive
close-inactive-timeout 1h0m0s
# reassembly: close connections that have pending bytes
close-pending-timeout 1h0m0s
# compress output with gzip
comp true
# read configuration from file at path
config
# flush connections every X flows
conn-flush-interval 0
# close connections older than X seconds
conn-timeout 0s
# save raw TCP connections
conns false
# add packet flow context to selected audit records
context true
# create cpu profile
cpuprof false
# output data as CSV
csv false
# display debug information
debug false
# show all available decoders
decoders false
# use DPI for device profiling
dpi false
# write data to elastic db
elastic false
# elastic db endpoints to write data to
elastic-addrs
# elastic bulk size for custom audit records
elastic-bulk-custom 1000
# elastic bulk size for gopacket audit records
elastic-bulk-gopacket 2000
# elastic db password (kept in clear text in this file)
elastic-pass
# elastic db username
elastic-user
# enable entropy calculation for Eth, IP, TCP and UDP payloads
entropy false
# exclude specific decoders
exclude
# path where extracted files are written (currently only for HTTP)
fileStorage
# flush flows every X flows
flow-flush-interval 0
# close flows older than flow-timeout
flow-timeout 0s
# flush assembler every N packets
flushevery 100
# free OS memory every X minutes, disabled if set to 0
free-os-mem 0
# generate elastic indices and mapping
gen-elastic-indices false
# use geolocation for device profiling
geoDB false
# size of the data passed to the credential harvesters in bytes
hbsize 512
# dump packets used in stream reassembly as hex to the reassembly.log file
hexdump false
# attach to network interface and capture in live mode
iface
# disable writing unknown packets into a pcap file
ignore-unknown true
# ignore TCP FSM errors
ignorefsmerr true
# include specific decoders
include
# list all visible network interfaces
interfaces false
# Defragment IPv4 packets
ip4defrag true
# use ja3 database for device profiling
ja3DB true
# output data as JSON
json false
# kibana endpoint URL
kibana
# resolve DNS locally via hosts file in the database dir
local-dns false
# enable verbose packet decoding error logging
log-errors false
# use mac to vendor database for device profiling
macDB true
# set size for membuf
membuf-size 12582912
# create memory profile
memprof false
# write memory profile
memprofile
# do not check TCP options (useful to ignore MSS on captures with TSO)
nooptcheck true
# write no data to disk
null false
# select decoding options
opts datagrams
# specify output directory, will be created if it does not exist
out
# print a list of all available decoders and fields
overview false
# capture payload for supported layers
payload false
# set packet buffer size, for channels that feed data to workers
pbuf 100
# toggle promiscuous mode for live capture
promisc true
# output data as protobuf
proto true
# don't print infos to stdout
quiet false
# if true, use the default Go RE2 regex engine for service detection
re2 true
# custom regex to use for harvesting credentials
reCustom
# read specified file, can either be a pcap or netcap audit record file
read
# reassemble TCP connections
reassemble-connections true
# if true, the reassembly will log verbose debugging information
reassembly-debug false
# resolve IPs to domains via the operating system's default DNS resolver
reverse-dns false
# size of the channel used to pass data to the stream decoders; 0 means unbuffered (the default)
sbuf-size 0
# use serviceDB for device profiling
serviceDB true
# configure snaplen for live capture from interface
snaplen 1514
# stop processing the conversation after the first harvester returned a result
stop-after-harvester-match true
# add debug output for TCP connections to debug.log
tcp-debug false
# print processing time even in quiet mode
time false
# print netcap package version and exit
version false
# wait for all connections to finish processing before cleanup
wait-conns true
# number of workers
workers 12
# write incomplete responses
writeincomplete false