net.export.conf
# NETCAP config for export tool
# Generated by NETCAP v0.5.2
# You can regenerate an up to date default configuration with:
# $ net <tool> -gen-config > net.<tool>.conf
#
# Format: one "key value" pair per line; lines starting with '#' are comments.
# Keys listed without a value (bpf, dir, iface, out, read, ...) are left unset here.
# NOTE(review): confirm how the config parser treats a bare key for a non-boolean option.
# NOTE(review): the reassembly defaults below (allowmissinginit, ignorefsmerr, nooptcheck,
# checksum) are all on the lenient side; see the notes on each key.

# set address for exposing metrics
# The loopback default keeps the metrics endpoint reachable from the local host only.
# NOTE(review): confirm whether the endpoint is authenticated before binding it to a
# non-loopback address.
address 127.0.0.1:7777
# support streams without SYN/SYN+ACK/ACK sequence
# Accepts streams whose handshake is not in the capture (e.g. capture started mid-connection).
# NOTE(review): reassembled data for such streams has no handshake to anchor it; keep that in
# mind when the output is used as evidence.
allowmissinginit true
# select base layer
base ethernet
# supply a BPF filter to use prior to processing packets with netcap
# Unset: no filter is supplied in this file.
bpf
# buffer data in memory before writing to disk
buf true
# check TCP checksum
# false: the TCP checksum check is turned off.
# NOTE(review): presumably segments with a bad checksum are then processed like valid ones,
# so the reassembled stream may contain data a real endpoint would have dropped - verify.
checksum false
# reassembly: close connections that are inactive after X
# X is a duration (hours/minutes/seconds).
# NOTE(review): presumably idle connections are kept in memory for up to this long - verify
# the impact on memory use for busy live captures.
close-inactive-timeout 1h0m0s
# reassembly: close connections that have pending bytes after X
close-pending-timeout 1h0m0s
# compress output with gzip
comp true
# read configuration from file at path
config
# flush connections every X flows
# NOTE(review): 0 presumably disables periodic flushing - confirm.
conn-flush-interval 0
# close connections older than X seconds
# NOTE(review): 0s presumably disables the timeout - confirm.
conn-timeout 0s
# add packet flow context to selected audit records
context true
# print output data as csv with header line
csv false
# display debug information
debug false
# path to directory with netcap audit records
dir
# use DPI for device profiling
dpi false
# dump as JSON
dumpJson false
# enable entropy calculation for Eth,IP,TCP and UDP payloads
entropy false
# exclude specific decoders
exclude
# path to created extracted files (currently only for HTTP)
# Extracted files come out of captured traffic and are untrusted content.
# NOTE(review): use a dedicated directory and handle its contents in isolation.
fileStorage
# flushes flows every X flows
flow-flush-interval 0
# closes flows older than flowTimeout
flow-timeout 0s
# flush assembler every N packets
flushevery 100
# use geolocation for device profiling
geoDB false
# dump packets used in stream reassembly as hex to the reassembly.log file
# When enabled, reassembly.log holds raw packet bytes; protect it like the capture itself.
hexdump false
# attach to network interface and capture in live mode
# Live capture usually requires elevated privileges or a capture capability on the host.
iface
# disable writing unknown packets into a pcap file
ignore-unknown false
# ignore TCP FSM errors
# true: TCP state machine errors are ignored.
# NOTE(review): presumably out-of-state segments are then still reassembled - verify.
ignorefsmerr true
# include specific decoders
include
# list all visible network interfaces
interfaces false
# Defragment IPv4 packets
ip4defrag true
# use ja3 database for device profiling
ja3DB false
# resolve DNS locally via hosts file in the database dir
local-dns false
# enable verbose packet decoding error logging
log-errors false
# use mac to vendor database for device profiling
macDB false
# set size for membuf
# 12582912 = 12 * 1024 * 1024; presumably bytes (12 MiB) - confirm.
membuf-size 12582912
# create memory profile
memprof false
# write memory profile
memprofile
# do not check TCP options (useful to ignore MSS on captures with TSO)
# true: the TCP option check is skipped.
nooptcheck true
# select decoding options
opts lazy
# specify output directory, will be created if it does not exist
out
# capture payload for supported layers
# When enabled, audit records contain application data, which may include credentials or
# personal data; storage and access controls for the output need to account for that.
payload false
# set packet buffer size, for channels that feed data to workers
pbuf 100
# toggle promiscuous mode for live capture
# true: the interface also delivers frames not addressed to this host.
promisc true
# read specified file, can either be a pcap or netcap audit record file
read
# replay traffic (only works when exporting audit records directly!)
replay false
# resolve ips to domains via the operating systems default dns resolver
# NOTE(review): enabling this presumably sends a lookup for each observed IP to the
# configured resolver, which discloses the addresses under analysis; local-dns above is
# the offline alternative.
reverse-dns false
# use serviceDB for device profiling
serviceDB false
# configure snaplen for live capture from interface
# 1514 = 1500-byte payload + 14-byte Ethernet header; longer frames (VLAN-tagged, jumbo)
# are truncated at this length.
snaplen 1514
# print netcap package version and exit
version false
# wait for all connections to finish processing before cleanup
wait-conns true
# number of workers
# NOTE(review): value was written by the generator on the machine that produced this file;
# review it for the host that actually runs the tool.
workers 12
# write incomplete response
writeincomplete false