Network Protocol Analyzer
Use this dialog to configure the Network Protocol Analyzer.
The Network Protocol Analyzer is used to detect ICMP messages, connections to closed ports and Native listens.
In order to operate either the WinPCap library or the Npcap library needs to be installed.
Consult the Admin Guide for more details on its installation.
Packet Capture
- Enable
If unchecked the all the Network Protocol Analyzer functionality will be disabled.
- WinPCap
This field displays the version number on the installed version of WinPCap or Npcap.
Network Interfaces To Monitor
KFSensor can monitor all network interfaces or just those specified.
- Monitor All Interfaces
If checked then KFSensor will monitor all IP supporting network interfaces it detects on start up.
If unchecked then it will only monitor the interfaces checked in the list below.
- Interfaces
List all the network interfaces detected in the machine.
If checked then the network interface will be monitored.
- Device
Displays the device name of the selected network interface.
Packet Dump
In addition to generating events in the log, KFSensor can also dump the raw network packets to an external file.
These dump files are in the industry standard LIBPCAP TCPDUMP format.
For more information on these dump files consult the
Administration guide.
- Enable Dump
Dump files will only be produced if this field is checked.
Packet filters
The following controls act as a filter on what network traffic is recorded in the dump file.
This enables dump files to be kept smaller and only record the relevant information.
If a field is unchecked then that type of packet is excluded from the dump file.
- Dump TCP
If unchecked then all TCP packets will be excluded from the dump file.
- Dump UDP
If unchecked then all UDP packets will be excluded from the dump file.
- Dump ICMP
If unchecked then all ICMP packets will be excluded from the dump file.
- Dump Incoming
If unchecked then all packets sent to the KFSensor server machine will be excluded from the dump file.
- Dump Outgoing
If unchecked then all packets sent from the KFSensor server machine will be excluded from the dump file.
- Dump Broadcasts
If unchecked then all packets sent to a broadcast address will be excluded from the dump file.
- Dump Local Initiated
If unchecked then all non-UDP packets associated with a conversation initiated from the KFSensor machine will be excluded.
For example this will exclude traffic associated with using a web browser on the KFSensor machine.
- Dump Local Initiated UDP
If unchecked then all UDP packets associated with a UDP packet initiated from the KFSensor machine will be excluded.
For example application like KFSensor use UDP to communicate with a DNS server to look up domain names. Excluding this sort of traffic significantly reduces the data size of the packet dump files.
Data storage management
- Dump Path
The path of the directory in which the dump files will be created.
If this is a relative path then it will assumed to be relative to the log directory.
The default dump path will be c:\kfsensor\dumps
- Max File Size
The maximum size in megabytes to which an individual dump file may grow.
Dump files can quickly grow very large, especially if the server is experiencing a lot of traffic.
This setting ensure that the dump files do not grow too large. If the maximum size is reached then KFSensor will stop adding data to it.
- Retention Period
Dump file will be deleted after the specified number of days.
These controls ensure that the total packet data stored by KFSensor will not exceed a maximum size.
KFSensor On-Line Manual Contents