Profile

This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong.

====== Configuring local record PCAP, Clickstream, SIP ======
{{indexmenu_n>2}}
The system allows to record the traffic for selected protocols in PCAP format. It can save also metadata of HTTP requests, SIP, FTP in log files.

====== PCAP ======
To start recording IP or CIDR traffic (0.0.0.0/0 - to record all traffic)
<code bash>
ajb_save_ip=192.168.0.0/24
</code>
This is a "hot" parameter, so this list can be changed with the command: **service fastdpi reload**

<note important>''ajb_save_ip'' works independently of the subscriber on the input itself and writes all subscriber traffic before services and policing were applied to it.</note>

If you set the configuration parameter
<code bash>
ajb_reserved=1
</code>
the memory for the record buffer is allocated in advance (at DPI start) and you can start and stop data recording on the run. You only need to change parameters ajb_save_url, ajb_save_udpi and ajb_save_ip.

To record the data in PCAP format: please use the following parameters in configuration file **///etc/dpi/fastdpi.conf//**:
<code bash>
ajb_save_udpi=1
ajb_save_udpi_proto=OSPFIGP:ospf-lite
ajb_udpi_path=/var/dump/dpi
</code>
Here:
  * //ajb_save_udpi=1// - activate the traffic recording for a list of protocols\\
  * //ajb_udpi_path=/var/dump/dpi// - is a directory to place log files (/var/dump/dpi by default)\\
  * //ajb_save_udpi_proto=OSPFIGP:ospf-lite// - is a list of protocols to record [[en:dpi:dpi_options:opt_statistics:statistics_info|as test or numerical identificators]]. This is a hot parameter. It can be changed on the run by command **service fastdpi reload**.\\

<note important>You can also activate service 12 (traffic recording) [[en:dpi:dpi_options:opt_li:li_ctrl|individually for each subscriber]].</note>

PCAP files index mask
  * 0 - not created
  * 1 - via IPv4
  * 2 - via IPv6
  * 3 - via both IPv4 and IPv6.

<code bash>
ajb_pcap_ind_mask=0 // not created
ajb_pcap_ind_mask=1 // via IPv4
ajb_pcap_ind_mask=2 // via IPv6
ajb_pcap_ind_mask=3 // via both IPv4 and IPv6
</code>

This is a hot parameter. It can be changed on the run by command **service fastdpi reload**.

====== HTTP ======
To record HTTP requests' metadata: please use the following parameters in configuration file **///etc/dpi/fastdpi.conf//**:
<code bash>
ajb_save_url=-1
ajb_save_url_format=ts:prg:login:ipsrc:ipdst:host:path:ref:uagent:cookie:tphost:blockd:method
ajb_url_path=/var/dump/dpi
ajb_url_ftimeout=30
</code>
Here:
  * //ajb_save_url=-1// - activate recording of HTTP metadata
  * //ajb_url_path=/var/dump/dpi// - is the directory to place files with these records (/var/dump/dpi by default)
  * //ajb_url_ftimeout=30// - recording frequency
  * //ajb_save_url_format=ts:prg:login:ipsrc:ipdst:host:path:ref:uagent:cookie:tphost:blockd:method// - is the list of metadata to record:
    * //ts// - timestamp\\
    * //prg// - id of currently active services\\
    * //login// - subscriber's login\\
    * //ipsrc// - IP address of the request source (subscriber)\\
    * //ipdst// - IP address of the request recipient (host)\\
    * //host// - host name (field Host/CNAME/SNI/QUIC)\\
    * //path// - path to the requested resource (URI) on the host\\
    * //ref// - referral source (Referer field)\\
    * //uagent// - browser type (User-Agent field)\\
    * //cookie// - cookies (Cookie field)\\
    * //ssid// - session identifier (for connection with Netflow/IPFIX volume data)\\
    * //tphost// - data type in the Host field (HTTP=1/CNAME=2/SNI=3/QUIC=4)\\
    * //blockd// - bit mask, blocking/redirect sign (0x3 - for HTTP, 0x1 - for the rest)\\
    * //method// - method 1 - GET, 2 - POST, 3 - PUT, 4 - DELETE (the field is available from version 6.0)

====== SSL/TLS ======
To record SSL/TLS requests' metadata: please use the following parameters in configuration file **///etc/dpi/fastdpi.conf//**:
<code bash>
ajb_save_ssl=-1
</code>
Here flag mask for saving SSL:\\
  * 0 - not saved
  * 1 - sni (SSL)
  * 2 - cname
  * 3 - sni (QUIC)

-1 - to record everything
<code bash>ajb_save_ssl_format=ts:prg:login:ipsrc:ipdst:host:tphost:blockd:method
ajb_ssl_path=/var/dump/dpi
ajb_ssl_ftimeout=30</code>
Here:
  * //ajb_save_ssl=-1// - enable SSL/TLS metadata recording\\
  * //ajb_ssl_path=/var/dump/dpi// - the location of the files with the record (by default /var/dump/dpi)\\
  * //ajb_ssl_ftimeout=30// - recording frequency\\
  * //ajb_save_ssl_format=ts:prg:login:ipsrc:ipdst:host:path:ref:uagent:cookie:tphost:blockd:method// - list of metadata to write, where\\
    * //ts// - timestamp\\
    * //prg// - id of currently active services\\
    * //login// - subscriber's login\\
    * //ipsrc// - IP address of the request source (subscriber)\\
    * //ipdst// - IP address of the request recipient (host)\\
    * //host// - host name (field Host/CNAME/SNI/QUIC)\\
    * //path// - path to the requested resource (URI) on the host (where applicable)\\
    * //ref// - referral source (Referer field) (where it is applicable)\\
    * //uagent// - browser type (User-Agent field)(where it is applicable)\\
    * //cookie// - cookies (Cookie field) (where it is applicable)\\
    * //ssid// - session identifier (for connection with Netflow/IPFIX volume data)\\
    * //tphost// - data type in the Host field (HTTP=1/CNAME=2/SNI=3/QUIC=4)\\
    * //blockd// - bit mask, blocking/redirect sign (0x3 - for HTTP, 0x1 - for the rest)\\
    * //method// - method 1 - GET, 2 - POST, 3 - PUT, 4 - DELETE (the field is available from version 6.0) (where it is applicable)
</code>

====== SIP ======

To record SIP requests' metadata: please use the following parameters in configuration file **///etc/dpi/fastdpi.conf//**:
<code bash>
ajb_save_sip=1
ajb_sip_ftimeout=15
ajb_sip_path=/home/sip
ajb_save_sip_format=ts:ssid:ipsrc:ipdst:login:msg:scode:from:to:callid:uagent
</code>
Here: 
  * //ajb_save_sip=1// - enable writing SIP metadata\\
  * //ajb_sip_path==/home/sip// - the location of the files with the record (by default /var/dump/dpi)\\
  * //ajb_sip_ftimeout=15// - recording frequency\\
  * //ajb_save_sip_format=ts:ssid:ipsrc:ipdst:login:msg:scode:from:to:callid:uagent// - list of metadata to write, where\\
    * //ts// - timestamp\\
    * //ssid// - session identifier (for connection with Netflow/IPFIX volume data)\\
    * //ipsrc// - subscriber's IP\\
    * //ipdst// - Server IP\\
    * //login// - subscriber's LOGIN\\
    * //msg// - message type\\
    * //scode// - status code \\
    * //from// - number/id of the caller\\
    * //to// - number/identifier of the callee\\
    * //callid// - call identifier\\
    * //uagent// - type of subscriber device (User-Agent)

xxxxxxxxxx
 
====== Configuring local record PCAP, Clickstream, SIP ======{{indexmenu_n>2}}The system allows to record the traffic for selected protocols in PCAP format. It can save also metadata of HTTP requests, SIP, FTP in log files.​====== PCAP ======To start recording IP or CIDR traffic (0.0.0.0/0 - to record all traffic)<code bash>ajb_save_ip=192.168.0.0/24</code>This is a "hot" parameter, so this list can be changed with the command: **service fastdpi reload**​<note important>''ajb_save_ip'' works independently of the subscriber on the input itself and writes all subscriber traffic before services and policing were applied to it.</note>​If you set the configuration parameter<code bash>ajb_reserved=1</code>the memory for the record buffer is allocated in advance (at DPI start) and you can start and stop data recording on the run. You only need to change parameters ajb_save_url, ajb_save_udpi and ajb_save_ip.​To record the data in PCAP format: please use the following parameters in configuration file **///etc/dpi/fastdpi.conf//**:<code bash>ajb_save_udpi=1ajb_save_udpi_proto=OSPFIGP:ospf-liteajb_udpi_path=/var/dump/dpi</code>Here:  * //ajb_save_udpi=1// - activate the traffic recording for a list of protocols\\  * //ajb_udpi_path=/var/dump/dpi// - is a directory to place log files (/var/dump/dpi by default)\\