Packet Capture
The Device42 Packet Capture tool enables packet capture as a means of discovery. Packet capture discovers service communication happening in real-time for any service listeners known to Device42, letting you discover service communications that are too infrequent for scheduled discovery jobs to catch.
Device42 packet capture supports both individual and promiscuous interfaces, giving you the flexibility to deploy and use packet capture in the way that makes the most sense for your IT environment.
Prerequisites
You need the following to use the Device42 Packet Capture tool:
- A Device42 Main Appliance (MA).
- Network communication allowed from the machine you'll be capturing packets on to your Device42 MA.
- An active network adapter connected to the target traffic capture network.
- A packet capture library installed on your operating system:
- On Windows, use a WinPcap-compatible library like Npcap. Be sure to select the Install in API-Compatible mode option during setup.
- On Linux, use
libpcap.
You can optionally enable promiscuous mode (also known as monitor mode) for the network or the interface of interest.
Watch the Intro to Packet Capture video for a quick overview of how to set up and use packet capture with Device42.
Configure Packet Capture
-
Download the compressed
d42-packet-capture.ziputility file and extract the contents to a directory of your choice. -
Place the
d42pcap.jsonconfig file into the directory with the utility. -
On Linux, create a symlink for
libpcapas required by the application, which searches for the filenamelibpcap.so.1:sudo ln -s /usr/lib/x86_64-linux-gnu/libpcap.so.1.8.1 /usr/lib/x86_64-linux-gnu/libpcap.so.1On Windows, no extra configuration is needed.
-
Configure the utility by editing the
d42pcap.jsonfile. At minimum, configure the following sections to run the Packet Capture utility:- Point the utility at your Device42 instance by entering its IP address, username, and password in the
device42section of the config file. Save the file. - Enter the name of your capture interface in the
deviceproperty of thepcapsection. Use the name as shown underipconfigon Windows orifconfigon Linux. For example,ens32. - Adjust the
intervalproperty of thecommonsection. The default is to relay 60-second chunks of capture data to Device42 to avoid overwhelming the MA, especially if filtering isn't used or you're capturing traffic from many devices.
- Point the utility at your Device42 instance by entering its IP address, username, and password in the
-
Optionally install the utility to run as a Windows or Linux service. See the Install Packet Capture as a System Service section.
Run the Packet Capture Utility
- Ensure all Prerequisites are met.
- Configure the utility as described in the Configure Packet Capture section above.
- Execute the utility by running:
- Windows:
c:\> d42pcap.exe - Linux:
$ sudo ./d42pcap_linux_64
- Windows:
- Optionally configure the following runtime parameters:
| Parameter | Description |
|---|---|
list-devices | Lists all network adapters on the host |
version | Prints the version of the utility |
logs-dir | Overrides the directory to which log files are written |
settings-dir | The directory containing the utility's JSON configuration file |
settings-name | The name of the utility's JSON configuration file |
debug | Turns on debug logging |
install-win-service | Installs the utility as a Windows service (Windows executable only) |
remove-win-service | Removes the utility from the installed Windows services (Windows executable only) |
Configuration File Definitions
The configuration file contains the following sections:
| Section | Description |
|---|---|
device42 | Contains settings required to interact with Device42. |
common | Contains common application settings. |
pcap | Contains settings that affect how raw network packets are handled. |
capture | Settings that affect Device42 NetFlow and Packet Capture engine event processing. This section is intended for Device42 support. |
Device42 Configuration
| Property | Description | Required |
|---|---|---|
Host | Base URL of the Device42 website | Yes |
User | Username | Yes |
Password | Password | Yes |
Common Configuration
| Property | Description | Required |
|---|---|---|
Interval | The number of seconds to collect network events before sending to Device42 | Yes |
logs-dir | The directory to which log files are written | No |
PCAP Configuration
| Property | Description | Required |
|---|---|---|
Device | Specify network capture interface | Yes |
include-source-tcp-ports | TCP source ports to include | No |
include-destination-tcp-ports | TCP destination ports to include | No |
include-source-udp-ports | UDP source ports to include | No |
include-destination-udp-ports | UDP destination ports to include | No |
include-source-tcp-ips | TCP source IPs to include | No |
include-dest-tcp-ips | TCP destination IPs to include | No |
include-source-udp-ips | UDP source IPs to include | No |
include-dest-udp-ips | UDP destination IPs to include | No |
ignore-tcp | Ignore all TCP network events | No |
ignore-udp | Ignore all UDP network events | No |
promiscuous-mode | true captures all packets passed and received rather than just host packets | Yes |
sniff-timeout | Duration in nanoseconds to wait for network events to be read (default: 2) | Yes |
snap-length | Length of raw network packets to collect (default: 1600) | Yes |
Capture Configuration
| Property | Description | Required |
|---|---|---|
live-entries | Display live entries | No |
live-entries-ok | Display OK live entries | No |
live-entries-nok | Display NOK live entries | No |
print-data | Print data | No |
ignore-ips | Ignored IPs | No |
ignore-ports | Ignored ports | No |
pass-to | Reserved for Device42 use | No |
default-protocol | Reserved for Device42 use | No |
only-stats | Reserved for Device42 use | No |
report-any-ip | Reserved for Device42 use | No |
report-src-ip | Reserved for Device42 use | No |
report-dst-ip | Reserved for Device42 use | No |
unprocessed-packets | Reserved for Device42 use | No |
Install Packet Capture as a System Service
You can install the Packet Capture utility to run as a system service on Windows or Linux.
On Windows:
Execute with the install-win-service flag:
C:\> d42pcap -install-win-service
On Linux:
-
Create a service file in the
/etc/systemd/systemdirectory:[Unit]
Description=Device42 Packet Capture Utility
[Service]
PIDFile=/tmp/d42pcap.pid
User=root
Group=root
WorkingDirectory=/usr/bin
ExecStart=/usr/bin/d42pcap
Restart=always
[Install]
WantedBy=multi-user.target -
Enable and start the service:
sudo systemctl enable d42pcap.service
sudo systemctl start d42pcap.service