(Optional) Configure a Decoder to Capture Data Across All Types of Network Interfaces

The packet_mmap_,ALL adapter is capable of capturing across all types of network interfaces at the same time. For example, this can include things like physical network interfaces over different media types and tunnel interfaces.

The default behavior of the ALL adapter is to capture from all interfaces from the system, except for the hard-coded defaults of lo, eth0, and em1.

You can select any subset of the capture interfaces by editing the Decoder configuration node /decoder/config/capture.device.params to include an interfaces= parameter. The interfaces parameter contains a comma-separate list of interfaces that are used for capture. Instead of using all interfaces for capture, only the specified interfaces are used.

For example, if you want to force capture on interfaces em1, em2, and em4, and ignore em3, you can select the packet_mmap_,ALL adapter, and then add this line to capture.device.params: interfaces=em1,em2,em4

Note: Decoder automatically performs decapsulation of Virtual Extensible LAN (VXLAN) protocol from network traffic on UDP-4789 so that parsing can take place on the decapsulated Ethernet frames. During the decapsulation, the VXLAN ID is extracted and stored in the VXLAN meta key. By default, the VXLAN ID extraction is enabled. To disable, navigate to the VlanGre parser in the Parser Configuration settings. Click the drop-down list for vlan in the Config Value column and select Disabled. Each parser is configurable in the Services Config View - General Tab. The Parser Configuration panel provides a way to enable or disable parsers to use on Decoders in addition to limiting the metadata that the parser creates.

Note: Using the interfaces parameter to select eth0, lo, or em1 overrides the default behavior, which is to drop traffic from those ports.

To configure the packet_mmap_,ALL adapter to capture from specific interfaces instead of all interfaces:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services, select the Decoder service and netwitness_ic-actns.png> View > Config.
  2. In the Services Config view, set Capture Interface Selected to packet_mmap_,ALL adapter.

    netwitness_12.1_capint21_1122.png
  3. Click Apply, and then restart the Decoder service.
  4. Go to netwitness_adminicon_25x22.png (Admin) > Services, select the Decoder service, and click netwitness_ic-actns.png​ > Config > Explore.
  5. In the Services Explore view, select decoder > config.
    netwitness_12.1_expcon21_1122.png
  6. Click in the values column next to capture.device.params, type interfaces=em1,em2,em4, and press Enter.
    netwitness_12.1_expcon22_1122.png
    The change goes into effect immediately; only traffic on em1, em2, and em4 interfaces is captured.