Capture module: Difference between revisions

(mention the restricted capture)
Line 39: Line 39:


To restrict the capture possibilities of an user it is possible to choose an 'restricting profile'. This allows the administrator to stop the user from capturing other sensitive data like SIP- and RTP-Packages.
To restrict the capture possibilities of an user it is possible to choose an 'restricting profile'. This allows the administrator to stop the user from capturing other sensitive data like SIP- and RTP-Packages.
==== PCAP anonymization profile ====
Anonymization profiles can be used in capture dialog to allow for quickly switch between rules to anonymize aspects of the generated PCAPs.
When enabled, following options are available (more than one option is possible):
* MAC addresses on L2
:MAC addresses on L2 will be replaced by random addresses octet-wise. Multicast/broadcast addresses will not be randomized.
* IP addresses on L3
:IP addresses on L3 will be replaced by random addresses octet-wise for IPv4 and hextet-wise for IPv6. Multicast/broadcast addresses will not be randomized. The octets of the IP address will have the same length in textual representation (e.g. 100.20.3.40 -> 105.31.6.41). For IPv6 address short notation will be considered and the randomized result will also have the same textual length.
* IP addresses on L7
:IPv4 and IPv6 addresses in textual representation in L7 payload will be randomized similar to L3.
* Mapped IP addresses in STUN packets on L7
:STUN payload IP addresses will be randomized similar to L3.
* Phone numbers, name and Call ID in SIP packets on L7
: SIP payload data is masked with 'xxx' values for the names and phone numbers in the fields "From", "To", "Contact", "P-Asserted-Identity". Call Ids are also replaced. IP addresses are not touched, if they shall be anonymized, please use option "IP addresses on L7".
* URLs and HTTP hostnames on L7
: URLs and HTTP hostnames in L7 payload are masked with 'xxx' values. The length of the masked name/URL will stay the same and line feeds won't be touched.
:: Examples:
:: 'GET /website.html?param1=value HTTP/1.1\r\n' will be changed to 'GET xxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1\r\n'
:: 'Host: allegro-packets.com\r\n' will be changed to 'Host: xxxxxxxxxxxxxxxxxxx\r\n'
:: https://www.allegro-packets.com/en/ will be completely masked
Within an anonymization profile it is also possible to define MAC and IP lists with entries that should be anonymized or that should be excluded from anonymization. The proper L2/L3 anonymization option must be turned on in order to have an effect!
The amount of SIP phone numbers last hidden digits can be configured, e.g. with a setting of 4 last hidden digits a phone number +49123456789 becomes +4912345xxxx.


==== SFTP server ====
==== SFTP server ====
Credentials and upload directories for a SFTP server can be configured here. They can be selected in the capture dialog later when choosing "Capture to SFTP server" as capture type. It is possible to either configure a user and password or use authentication with a public key. In the latter case, the displayed SSH public key needs to be inserted in the authorized hosts list on the SFTP server.
Credentials and upload directories for a SFTP server can be configured here. They can be selected in the capture dialog later when choosing "Capture to SFTP server" as capture type. It is possible to either configure a user and password or use authentication with a public key. In the latter case, the displayed SSH public key needs to be inserted in the authorized hosts list on the SFTP server.
 
=== Simple capture ===
=== Simple capture ===
The second section of the capture page allow to select some fields to filter network traffic for. By default, only the IP field is visible, the other fields can be enabled by clicking on the corresponding toggle switch. Each line allows to enter a filter criterion for the corresponding network traffic element. To start the capture with the entered filter criteria just click at the '''Start capture''' button. For reference, the expert filter expression is shown at the end of the section so it can be used to copy and paste
The second section of the capture page allow to select some fields to filter network traffic for. By default, only the IP field is visible, the other fields can be enabled by clicking on the corresponding toggle switch. Each line allows to enter a filter criterion for the corresponding network traffic element. To start the capture with the entered filter criteria just click at the '''Start capture''' button. For reference, the expert filter expression is shown at the end of the section so it can be used to copy and paste
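Review bot: The new "IP addresses on L3" item does not say whether the replacement is a consistent per-address mapping within one PCAP, i.e. whether every occurrence of 100.20.3.40 becomes the same 105.31.6.41, or whether each packet is randomized independently; state this explicitly, because it decides whether flows and SIP/RTP sessions can still be correlated after anonymization. The "IP addresses on L7" and STUN items only say "similar to L3", so they inherit the same gap. Also worth noting in the L3 item: since the replacement keeps the textual length of each octet/hextet, a single-digit octet can only map to 0-9 and a short IPv6 hextet keeps its digit count, so the result is obfuscated rather than uniformly random; the MAC/IP include/exclude lists described after the option list are the place to point readers who need specific hosts reliably hidden. Minor wording in the added section: "allow for quickly switch between rules" -> "allow quick switching between rules", "following options" -> "the following options", and "Call Ids" -> "Call-IDs".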