Configure Capture Settings

When you initially set up the Decoder, you must configure the network adapter interface. Additional optional capture settings are available; two that are frequently used are the Berkeley Packet Filter and Capture Autostart.

Besides the basic network adapter interface setup, you may decide to use one of the special-purpose configurations described in (Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface or (Optional) Configure a Decoder to Capture Data Across All Types of Network Interfaces.

The rest of the capture settings have default values chosen to be effective in most cases (see a detailed list in Services Config View - General Tab). You can adjust these in some circumstances, for example, if Customer Support advises a change. You can edit the capture settings at any time.

Select a Network Adapter

The table below describes the Network Adapter settings for a Decoder. The system administrator sets the default network adapters when the Decoder is installed. Consult your System Administrator for more information.

Adapter Parameter | Description
Berkeley Packet Filter | Berkeley Packet Filters (BPF) are applied to the packet stream before the packets are copied to the Decoder adapter for analysis. This allows unwanted traffic to be efficiently discarded. However, any packets discarded are not accounted for in any Decoder statistics (capture rate, packets dropped, packets filtered, and total packets).
Capture Interface Selected | Select an adapter through which the Decoder captures packets. For the lower-speed internal capture interface, use the packet_mmap_,7,eth1 adapter, which corresponds to the monitor port located on the motherboard. There are six additional capture ports:
  • packet_mmap_,1,lo (bpf)
  • packet_mmap_,2,eth2 (bpf)
  • packet_mmap_,3,eth3 (bpf)
  • packet_mmap_,4,eth4 (bpf)
  • packet_mmap_,5,eth5 (bpf)
  • packet_mmap_,8,ALL (bpf)
There are three wireless capture services available:
  • packet_netmon_ (Microsoft Netmon)
  • packet_mac80211_ (Linux mac80211)
  • packet_airport_ (Mac OS X AirPort)

Capture Interface Selected for Log Decoder

The following capture service is available:

  • log_events,Log Events

To configure the network adapter on a Decoder:

  1. Go to Admin > Services.
  2. In the Administration Services view, select the Decoder and select Actions > View > Config.

    The Services Config view is displayed with the General tab open.

  3. In the Capture Interface Selected field, select the network adapter that best suits the Decoder.
  4. To save the changes, click Apply.
  5. If a restart is needed for the changes to take effect, return to the Administration Services view, select the Decoder, and select Actions > Restart.

Configure a Decoder to Begin Capturing Data Automatically

  1. Go to Admin > Services.
  2. In the Administration Services view, select the Decoder and select Actions > View > Config.

    The Services Config view is displayed with the General tab open.

  3. Under Capture Settings, select the Capture Autostart checkbox.
  4. To save the changes, click Apply.
  5. If a restart is needed for the changes to take effect, return to the Administration Services view, select the Decoder, and select Actions > Restart.

Configure Optional Capture Settings

  1. Go to Admin > Services.

  2. In the Administration Services view, select the Decoder and select Actions > View > Config.

    The Services Config view is displayed with the General tab open.

  3. If you want to apply a system-level filter to the packet stream before the packets are copied to the Decoder adapter for analysis, configure the Berkeley Packet Filter as described in (Optional) Configure System-Level (BPF) Packet Filtering.
  4. In the Capture Settings section, review the default values. When a service is first added, default values are in effect and should be changed only in special circumstances, for example, if Customer Support advises a change. See Services Config View - General Tab for an explanation of these settings.
  5. In the Database Max File Sizes section, review the default values. When a service is first added, default values are in effect and should be changed only in special circumstances, for example, if Customer Support advises a change. See Services Config View - General Tab for an explanation of these settings.
  6. In the Hash section, define a directory for hash files if you are using this feature. See Services Config View - General Tab for an explanation of these settings.
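
Because packets discarded by a Berkeley Packet Filter are not accounted for in any Decoder statistics, it helps to measure what a filter would hide before applying it. The following is an added example, not NetWitness code: it evaluates a Python equivalent of a constructed filter expression against constructed IPv4 frames, and the expression, function names, and sample traffic are all assumptions made for illustration.

```python
import struct
from collections import Counter

BPF_EXPR = "not (tcp port 443 or udp port 53)"  # constructed example filter

def frame(proto, sport, dport):
    """Build a constructed Ethernet/IPv4 frame carrying TCP (6) or UDP (17)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs + EtherType IPv4
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return eth + ip + l4

def ports(pkt):
    """Return (ip_proto, sport, dport) for IPv4 TCP/UDP frames, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None                                        # not IPv4 (e.g. ARP)
    ihl = (pkt[14] & 0x0F) * 4                             # IPv4 header length
    proto = pkt[23]
    if proto not in (6, 17) or len(pkt) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
    return proto, sport, dport

def passes(pkt):
    """Python equivalent of BPF_EXPR (IPv4 only, an assumption of this sketch)."""
    p = ports(pkt)
    if p is None:
        return True                  # port terms do not match, so "not (...)" holds
    proto, sport, dport = p
    return not ((proto == 6 and 443 in (sport, dport)) or
                (proto == 17 and 53 in (sport, dport)))

def audit(packets):
    """Count what reaches the Decoder versus what is discarded without a trace."""
    seen, discarded = 0, Counter()
    for pkt in packets:
        if passes(pkt):
            seen += 1
        else:
            proto, sport, dport = ports(pkt)
            # Heuristic: treat the lower port number as the service port.
            discarded[("tcp" if proto == 6 else "udp", min(sport, dport))] += 1
    return {"offered": len(packets), "decoder_sees": seen,
            "discarded": dict(discarded)}

SAMPLE = [  # constructed traffic: HTTPS, HTTP, DNS, NTP, SSH and one ARP frame
    frame(6, 50000, 443), frame(6, 443, 50000), frame(6, 50001, 80),
    frame(17, 40000, 53), frame(17, 53, 40000), frame(17, 40001, 123),
    frame(6, 50002, 22), b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28,
]
print(BPF_EXPR, "->", audit(SAMPLE))
```

The "discarded" breakdown is the traffic that would be absent from both the capture and the Decoder counters, so record it alongside the filter when the change is approved.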