Netify DPI - Network Interfaces
The following document provides information on configuring Netify DPI to capture live traffic from network interfaces. Using packet capture files for development and offline analysis is also possible.
There are two common ways to run the Netify DPI Agent using network interfaces:
- Gateway mode - inline on the network
- Mirror port mode
The configurations for these two modes are described in the next sections.
Gateway Mode
The Netify agent can be installed on a gateway device: firewalls, routers, access points, aggregators, etc. This gateway mode provides a way to analyze what's on the network and control network traffic using the Netify Flow Actions plugin.
Mirror Port Mode
You can connect a port to a standalone Netify DPI Agent if you have network switches with port mirroring capabilities. Tapping into the network in this mode allows one to analyze network traffic passively.
The /etc/netifyd/interfaces.d folder provides a place to drop network interface configuration for Netify DPI. There are several options available, but a minimal configuration requires the following:
- Interface name
- Capture driver
- Network role
The Netify DPI Agent needs some context for identifying local traffic (east-west) and external traffic (north-south). This configuration is especially important for determining the direction of traffic and doing network risk analysis.
Here are two gotchas that can cause grief when deploying Netify DPI for the first time:
Gateway Mode - Example
In our gateway mode example, we need at least two network definitions: one WAN interface and one LAN interface. The Netify DPI Agent can handle multiple WANs and LANs, but we keep it simple in this example.
    # /etc/netifyd/interfaces.d/10-eth0.conf
    [capture-interface-eth0]
    role = lan
    capture_type = pcap

    # /etc/netifyd/interfaces.d/10-eth1.conf
    [capture-interface-eth1]
    role = wan
    capture_type = pcap
Mirror Port Mode - Example
In our mirror port mode example, only one network interface configuration is required.
    # /etc/netifyd/interfaces.d/10-eth0.conf
    [capture-interface-eth0]
    role = lan
    capture_type = pcap
    address = 220.127.116.11/22
    address = 18.104.22.168/22
The address[x] configuration parameters allow Netify DPI to classify internal public address space as local traffic. This is an important parameter for ISPs and mobile network operators!
If your internal address space uses the standard private network blocks (e.g., 10.0.0.0/8), you do not need to configure address[x] settings.
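The following pre-deployment check is an added example, not Netify code: it parses interface definitions in the format shown above, reports missing minimal settings, and illustrates the local versus external distinction the text describes. The function names (parse_interfaces, lint, is_local), the 203.0.113.0/24 sample prefix, and the classification logic itself are assumptions made for illustration, not the agent's implementation; the parser accepts both the address[x] spelling used in the text and the bare address key shown in the example.

```python
import ipaddress

# Constructed sample: a public prefix used internally (placeholder value).
SAMPLE = """\
# /etc/netifyd/interfaces.d/10-eth0.conf
[capture-interface-eth0]
role = lan
capture_type = pcap
address[0] = 203.0.113.0/24
"""
# Standard private blocks (RFC 1918), which need no address[x] entry.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PREFIX = "[capture-interface-"

def parse_interfaces(text):
    """Return {interface: {"address": [networks], key: value, ...}}."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(PREFIX) and line.endswith("]"):
            current = ifaces.setdefault(line[len(PREFIX):-1], {"address": []})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.split("[")[0] == "address":  # address or address[N]; host bits tolerated
                current["address"].append(ipaddress.ip_network(value, strict=False))
            else:
                current[key] = value.lower()
    return ifaces

def lint(ifaces, gateway=False):
    """Report missing minimal settings; gateway mode also needs a LAN and a WAN."""
    problems = [f"{name}: missing {key}" for name, cfg in ifaces.items()
                for key in ("role", "capture_type") if key not in cfg]
    roles = {cfg.get("role") for cfg in ifaces.values()}
    if gateway and not {"lan", "wan"} <= roles:
        problems.append("gateway mode needs at least one lan and one wan interface")
    return problems

def is_local(ip, ifaces):
    """Local (east-west) if private or inside a declared address prefix."""
    addr = ipaddress.ip_address(ip)
    declared = [net for cfg in ifaces.values() for net in cfg["address"]]
    return any(addr in net for net in PRIVATE + declared)

if __name__ == "__main__":
    cfg = parse_interfaces(SAMPLE)
    print(lint(cfg, gateway=True), is_local("203.0.113.7", cfg), is_local("198.51.100.9", cfg))
```

Without the address entry, 203.0.113.7 would be treated as external in this model, which is the misclassification the address[x] setting exists to prevent.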
You are ready to put the Netify DPI engine into service, but we first need to tell Netify how to process the packets. Several Netify processors are available, but we recommend starting with the open-source Core Processor. This processor showcases the available network metadata and metrics the DPI engine provides, so it's an excellent place to start.
For other processors, please see How It Works for details.