This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Filter/Rules for appliance capturing on multiple interfaces

Go to solution
AdamRasnick
Beginner
Beginner

‎2014-01-22 01:54 PM

Hey all, I am working with a customer who have a fairly large deployment and we are setting up filters for multiple interfaces on the device...but I am beginning to think its not possible.

 

For example, we started off just applying a BPF filter...but that filter will only apply to the current interface being captured.  We dont want to use the filter on all interfaces.  Then we looked at Network and APP rules...but if we go that way, is it possible to specify the interface (em1, eth0...)? 

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-01-23 06:13 PM

Hi Adam, long time no talk.

 

You can only capture on a single interface or all interfaces, and there is no mechanism within NW/SA for including the  interface in your filter if you're capturing on all interfaces.  If that's a strong requirement, you probably need to look at doing the filtering before the traffic gets to NW... i.e. if there's an aggregation device feeding into the decoder.

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-01-23 06:13 PM

Hi Adam, long time no talk.

 

You can only capture on a single interface or all interfaces, and there is no mechanism within NW/SA for including the  interface in your filter if you're capturing on all interfaces.  If that's a strong requirement, you probably need to look at doing the filtering before the traffic gets to NW... i.e. if there's an aggregation device feeding into the decoder.

0 Likes

Go to solution
huanzhou1
Beginner
Beginner

‎2014-01-24 08:15 AM

for filter on the different interfaces, better do at tap level or mirror port level.

in SA, BPF applies to the interface you selected, no separated BPF for different interfaces. Please node BPF these is length limitation, we had case with support already few weeks but no one knows what's the supported lenght.

 

To decide what you need to filter, you can collect all the traffic, then run some reports to determine.

0 Likes

Go to solution
AdamRasnick
Beginner
Beginner
In response to RSAAdmin

‎2014-02-04 03:08 PM

Hey Doug! Long time no talk to! 

 

Yeah thats kind of what I had discovered.  Havent ever needed to capture on multiple, just something a customer had brought up and thought id throw it out to the rest of the www for input.  We modified a BPF and think we can go with just the one rule we have to get what he wants.  But at least i have more than myself that agrees Hope all is well!!

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.