Selective Packet Capture

Selective packet capture is the targeted capturing of specific network packets based on predefined criteria, such as source/destination IP addresses, port numbers, or protocol types. Rather than capturing all traffic, this method helps conserve storage space and allows for focused analysis on packets relevant to troubleshooting, security monitoring, or network performance analysis.

User capture rules are configured directly in psql in the Plixer Scrutinizer reporter.

Important

Use minimal matching criteria for rules in a high-volume environment.

-- Example 1
INSERT INTO flowpro.nids_rules
(source_ip, destination_ip, protocol, source_port, destination_port, sid, msg)
VALUES
('1.1.1.1', '192.168.1.10', 'UDP', '53', 'any', '2000001', 'Dns Response from 1.1.1.1');

-- Example 2
INSERT INTO flowpro.nids_rules
(source_ip, destination_ip, protocol, source_port, destination_port, sid, msg)
VALUES
('192.168.1.10', '1.1.1.1', 'UDP', 'any', '53', '2000002', ' DNS query detected');

-- Example 3
INSERT INTO flowpro.nids_rules
(source_ip, destination_ip, protocol, source_port, destination_port, sid, msg)
VALUES
('1.1.1.1', '192.168.1.10', 'TCP', '2022', '2022', '2000003', 'Potential encrypted tunneling detected');

-- Example 4
INSERT INTO flowpro.nids_rules
(source_ip, destination_ip, protocol, source_port, destination_port, sid)
VALUES
('1.1.1.1', '192.168.1.10', 'ICMP', 'NA', 'NA', '2000004');

-- Note: For protocols like ICMP, the concept of "ports" does not apply. Thus, 'NA' should be used.

Downloading PCAP from Plixer Scrutinizer

PCAP downloads from the Plixer Scrutinizer Alarm Monitor are redirected to the Plixer FlowPro appliance.

If you haven’t added a signed certificate to the Plixer FlowPro appliance, you’ll need to add an exception for the self-signed certificate in each end-user browser. To do this, navigate to https://<flowproIP>:8080, and then accept the security exception.