Netify DPI - Network Interfaces

The following document provides information on configuring Netify DPI to capture live traffic from network interfaces. Using packet capture files for development and offline analysis is also possible.

Prerequisites

  • How It Works
  • Installing Netifyd

Modes

There are two common ways to run the Netify DPI Agent using network interfaces:

  • Gateway mode - inline on the network
  • Mirror port mode

The configurations for these two modes are described in the next sections.

Gateway Mode

The Netify agent can be installed on a gateway device: firewalls, routers, access points, aggregators, etc. This gateway mode provides a way to analyze what's on the network and control network traffic using the Netify Flow Actions plugin.

Netify on Firewalls and Routers

Mirror Port Mode

You can connect a port to a standalone Netify DPI Agent if you have network switches with port mirroring capabilities. Tapping into the network in this mode allows one to analyze network traffic passively.

Netify with Port Mirroring

Interface Configuration

The /etc/netifyd/interfaces.d folder provides a place to drop network interface configuration for Netify DPI. There are several options available, but a minimal configuration requires the following:

  • Interface name
  • Capture driver
  • Network role

The Netify DPI Agent needs some context for identifying local traffic (east-west) and external traffic (north-south). This configuration is especially important for determining the direction of traffic and doing network risk analysis.

Here are two gotchas that can cause grief when deploying Netify DPI for the first time:

  • A network interface configuration file must start with a priority number from 0 to 99.
  • Promiscuous mode on the underlying network card must be enabled to see all traffic from the mirror port. Double-check the network permissions if running Netify in a container or virtual machine environment.

Gateway Mode - Example

In our gateway mode example, we need at least two network definitions: one WAN interface and one LAN interface. The Netify DPI Agent can handle multiple WANs and LANs, but we keep it simple in this example.

Internal/LAN Interface

# /etc/netifyd/interfaces.d/10-eth0.conf
[capture-interface-eth0]
role = lan
capture_type = pcap

External/WAN Interface

# /etc/netifyd/interfaces.d/10-eth1.conf
[capture-interface-eth1]
role = wan
capture_type = pcap

Mirror Port Mode - Example

In our mirror port mode example, only one network interface configuration is required.

# /etc/netifyd/interfaces.d/10-eth0.conf
[capture-interface-eth0]
role = lan
capture_type = pcap
address[0] = 45.72.184.0/22
address[1] = 76.10.128.0/22

The address[x] configuration parameters allow Netify DPI to classify internal public address space as local traffic. This is an important parameter for ISPs and mobile network operators!

If your internal address space uses the standard private network blocks (e.g., 10.0.0.0/8), you do not need to configure address[x] settings.
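A pre-deployment check for the rules above, written as an added example (it is not Netify's own code): it lints an interfaces.d file for the priority prefix, the minimal settings and valid address[x] blocks, then shows how address[x] changes whether a public address counts as local. The function names lint and is_local, the hyphen after the priority number, and the simplified "private or listed means local" model are assumptions made for illustration.

```python
import configparser
import ipaddress
import re

# Constructed sample: the mirror port configuration shown on this page.
SAMPLE = """\
[capture-interface-eth0]
role = lan
capture_type = pcap
address[0] = 45.72.184.0/22
address[1] = 76.10.128.0/22
"""

def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def lint(filename, text):
    """Return problems in one interfaces.d file, using only rules stated on this page."""
    problems = []
    if not re.match(r"\d{1,2}-", filename):  # priority prefix, 0 to 99 (hyphen assumed)
        problems.append("file name must start with a priority number from 0 to 99")
    cp = parse(text)
    for name in cp.sections():
        for key in ("role", "capture_type"):  # minimal required settings
            if key not in cp[name]:
                problems.append(f"{name}: missing {key}")
        for key, value in cp[name].items():
            if key.startswith("address["):
                try:
                    ipaddress.ip_network(value)  # rejects blocks with host bits set
                except ValueError:
                    problems.append(f"{name}: {key} = {value} is not a valid CIDR block")
    return problems

def is_local(ip, text):
    """Simplified model: local means private space or inside an address[x] block."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return True
    cp = parse(text)
    nets = [ipaddress.ip_network(v) for s in cp.sections()
            for k, v in cp[s].items() if k.startswith("address[")]
    return any(addr in n for n in nets)

if __name__ == "__main__":
    print(lint("10-eth0.conf", SAMPLE))
    print(lint("eth0.conf", "[capture-interface-eth0]\nrole = lan\n"))
    print(is_local("45.72.185.20", SAMPLE))
```

Run lint before dropping a file into /etc/netifyd/interfaces.d; a public customer address that is_local reports as not local would be treated as external traffic in this model.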

Next Step

You are ready to put the Netify DPI engine into service, but we first need to tell Netify how to process the packets. Several Netify processors are available, but we recommend starting with the open-source Core Processor. This processor showcases the available network metadata and metrics the DPI engine provides, so it's an excellent place to start.

For other processors, please see How It Works for details.

Evaluate Netify DPI

Do you want to get started with evaluating Netify DPI? Request the Integrators Kit today.
