Packet Capture Files

Netify DPI - Packet Capture Files

Most Netify Agent deployments are configured to capture live network traffic from network interfaces. However, you can also run the Netify Agent (netifyd) on packet capture files. Capture mode can be used for batch processing network data, testing Netify-aware tools, development environments, and more.

Prerequisites
- How It Works
- Installing Netifyd

Capturing Network Traffic

Use the tcpdump tool to capture network traffic. Here is an example: 

tcpdump -i eth0 -s 65536 -w /tmp/netify.pcap host 192.168.4.100

The -s (--snapshot-length) should be set to 65536 for smaller file sizes. The Netify Agent does not need anything beyond this limit for DPI analysis. Also, feel free to limit the capture to a specific host, port, or any other network filter expression supported by tcpdump. To see some bandwidth statistics, please run the capture for at least 60 seconds.

Running Netifyd on Capture Files

Once you have a PCAP capture file, copy it to the host with netifyd installed. You can then run the network analysis with debugging enabled: 

# Requires Netify 5 or higher
netifyd -d -v -t -r -I /tmp/netify.pcap

You should see network traffic flows, along with occasional summary updates. The -r flag (replay mode) means the processing runs with the same timeline as the capture file. Without the -r flag, the processing is done right away. You should see output on your screen similar to the following: 

... preamble ...
Loaded 1518 apps, 12168 domains, 4152 networks, 29 soft-dissectors, 0 transforms.
...
offline0: reading from capture file: /tmp/netify.pcap: v2.4
offline0: PCAP capture started on CPU: 0

offline0: i4pc-------r---- UDP [L] 192.168.4.173:57621 --> [OB] 192.168.4.255:57621
        : Spotify.netify.spotify

offline0: i4pc-------r---- UDP [OR] 35.186.224.25:443 <-- [L] 192.168.4.173:35893
        : QUIC.netify.spotify
        : H: spclient.wg.spotify.com
        : V: 0x0304
        : SNI: spclient.wg.spotify.com

The netifyd man page has detailed information on all the flags. See "man netifyd".

Next Step

Now that you know how to run the Netify Agent on a PCAP capture file, it's time to learn how to enable data processing. There are several Netify processors available, but we recommend starting with the open-source Core Processor to become familiar with the network metadata provided by the DPI engine.

You can also configure one of the output plugins to view the network metadata. The Socket Output Plugin is an excellent place to start.

For other plugins, please see How It Works for details.

Netify Agent


Inputs


Processor Plugins


Output Plugins


Output Formats


Other Links

Evaluate Netify DPI

Do you want to get started with evaluating Netify DPI? Request the Integrators Kit today.

Integrators Kit