Selective Packet Capture

Selective packet capture is the targeted capturing of specific network packets based on predefined criteria, such as source/destination IP addresses, port numbers, or protocol types. Rather than capturing all traffic, this method helps conserve storage space and allows for focused analysis on packets relevant to troubleshooting, security monitoring, or network performance analysis.

User capture rules are configured directly in psql in the Plixer Scrutinizer reporter.

Important

Use minimal matching criteria for rules in a high-volume environment.

-- Example 1
INSERT INTO flowpro.nids_rules
(source_ip, destination_ip, protocol, source_port, destination_port, sid, msg)
VALUES
('1.1.1.1', '192.168.1.10', 'UDP', '53', 'any', '2000001', 'Dns Response from 1.1.1.1');

-- Example 2
INSERT INTO flowpro.nids_rules
(source_ip, destination_ip, protocol, source_port, destination_port, sid, msg)
VALUES
('192.168.1.10', '1.1.1.1', 'UDP', 'any', '53', '2000002', 'DNS query detected');

-- Example 3
INSERT INTO flowpro.nids_rules
(source_ip, destination_ip, protocol, source_port, destination_port, sid, msg)
VALUES
('1.1.1.1', '192.168.1.10', 'TCP', '2022', '2022', '2000003', 'Potential encrypted tunneling detected');

-- Example 4
INSERT INTO flowpro.nids_rules
(source_ip, destination_ip, protocol, source_port, destination_port, sid)
VALUES
('1.1.1.1', '192.168.1.10', 'ICMP', 'NA', 'NA', '2000004');

-- Note: For protocols like ICMP, the concept of "ports" does not apply. Thus, 'NA' should be used.
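When many rules are loaded at once it is easy to produce a row that never matches (a port on an ICMP rule, a malformed address, a non-numeric sid) or an unquoted apostrophe in msg that breaks the statement. The following is an added example, not Plixer's code: it checks a rule against the conventions shown above and emits the INSERT in the same layout. It assumes that only TCP and UDP carry ports, that only ICMP takes 'NA', that a port is either the literal 'any' or 1-65535, and that sid is numeric; the page shows nothing beyond those values.

```python
# Added example (not Plixer's code): validate a selective-capture rule and emit
# the psql INSERT for flowpro.nids_rules. Assumptions: only TCP/UDP carry ports,
# only ICMP takes 'NA', ports are 'any' or 1-65535, sid is numeric.
import ipaddress

COLUMNS = ("source_ip", "destination_ip", "protocol",
           "source_port", "destination_port", "sid", "msg")
PORT_PROTOCOLS = {"TCP", "UDP"}   # assumption: page shows only these with ports
PORTLESS_PROTOCOLS = {"ICMP"}     # page: ports do not apply, use 'NA'

class RuleError(ValueError):
    """Raised for a rule that would be wrong to insert."""

def _check_port(proto, value, field):
    if proto in PORTLESS_PROTOCOLS:
        if value != "NA":
            raise RuleError(f"{field}: {proto} has no ports, use 'NA'")
    elif value != "any" and not (value.isdigit() and 1 <= int(value) <= 65535):
        raise RuleError(f"{field}: expected 'any' or 1-65535, got {value!r}")

def validate_rule(rule):
    """Return True if the rule is well-formed, else raise RuleError."""
    missing = [c for c in COLUMNS[:-1] if c not in rule]   # msg is optional
    if missing:
        raise RuleError(f"missing columns: {missing}")
    proto = rule["protocol"]
    if proto not in PORT_PROTOCOLS | PORTLESS_PROTOCOLS:
        raise RuleError(f"unsupported protocol {proto!r}")
    for field in ("source_ip", "destination_ip"):
        ipaddress.ip_address(rule[field])   # ValueError on a malformed address
    _check_port(proto, rule["source_port"], "source_port")
    _check_port(proto, rule["destination_port"], "destination_port")
    if not rule["sid"].isdigit():
        raise RuleError(f"sid must be numeric, got {rule['sid']!r}")
    return True

def _quote(value):
    # Double single quotes so a msg such as "it's" cannot break the statement.
    return "'" + value.replace("'", "''") + "'"

def build_insert(rule):
    """Return one INSERT statement laid out like the examples above."""
    validate_rule(rule)
    cols = [c for c in COLUMNS if c in rule]
    values = ", ".join(_quote(rule[c].strip()) for c in cols)
    return ("INSERT INTO flowpro.nids_rules\n(" + ", ".join(cols)
            + ")\nVALUES\n(" + values + ");")
```

Run build_insert over each rule before pasting the output into psql; a RuleError points at the offending column.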