1. Network Capture#
1.1. Metrics Capture#
- Tool Name: ontp-wire
- Agent-based network tool built on wireshark/tshark (Docker).
- Runs on each node from which network metrics are to be collected.
- Decodes commonly used network protocols and generates network metrics.
- Reports metrics in real time.
- Pushes its metrics to the metric bus tooling in real time [ontp-mbus].
- Supports online and offline mode (reading a capture dump file).
1.1.1. Supports decoding of L1..L7 Network Metrics:#
Note
Metrics
Over 27,100 metric data points across some 3,000 protocols; see the Wireshark display filter reference: https://www.wireshark.org/docs/dfref/
ontp-wire can be configured to mask out (exclude) selected metrics from reporting.
See ontp-wire config for configuration details.
1.1.2. Launch With Docker#
Note
docker repository
1.1.3. Deployment Options#
Single Deployment | N/A | 1 metric decoder per host instance |
Warning
We recommend tapping a specific interface instead of using 'all' when setting the CAPTURE_DEVICE Docker environment variable: capturing every interface on a busy host multiplies the decode load and the metric volume pushed to the bus.
1.1.4. Example docker run#
Run with rewrite of config from redis store.
VERSION=2.0.1
docker run -d --restart unless-stopped \
--network host \
--name ontp-wire \
-e CAPTURE_DEVICE=eno1 \
-v /etc/localtime:/etc/localtime:ro \
-v "$PWD/certs/your_cert.crt:/var/ontp-wire/tls/client.crt:ro" \
-v "$PWD/certs/your_cert.key:/var/ontp-wire/tls/client.key:ro" \
-v "$PWD/etc/applog.conf:/var/ontp-wire/applog.conf:ro" \
ontp-wire:${VERSION}
- Required for the docker run command
- Path to the configuration file
-v "$PWD/etc/applog.conf:/var/ontp-wire/applog.conf:ro"
- SSL client certificate and key (mounted read-only; the key should not be world-readable on the host)
-v "$PWD/certs/your_cert.crt:/var/ontp-wire/tls/client.crt:ro"
-v "$PWD/certs/your_cert.key:/var/ontp-wire/tls/client.key:ro"
- Required Docker environment variables
CAPTURE_DEVICE=device_name
To capture from several devices, separate them with semicolons: CAPTURE_DEVICE=eth0;hme0;eno1. Quote the value on the command line (-e "CAPTURE_DEVICE=eth0;hme0;eno1"); unquoted, the shell treats each ';' as a command separator and only the first device reaches the container.
- Override the default tshark configuration
-v "$PWD/ontp-capture_config:/home/ontpcap:ro"
1.1.5. Agent Configuration Details:#
Note
By default the tshark network agent is started with -C ontp, which means that it uses
/home/ontpcap/.config/wireshark/profiles/ontp/preferences as its preferences file if that file exists.
See ONTP tshark Default Preferences File
You can place all your preferences in that file to suit your collection requirements, or mount your own configuration directory (with its own profile and preferences file) in place of the default one.
1.1.6. Exclude Data From Collection:#
This section is not about BPF capture filter rules, which stop ontp-wire from examining matching traffic in the first place; those are controlled by the capture_filter list in the configuration file.
Note
"capture_filter": ["not dst port 2558 and not src port 2558", "..", ".."]
This section is about removing metrics that tshark did decode from the metric structure before it is inserted into the database.
The remove_from_metric section in applog.conf lists the paths in the tshark metric data that you want removed from reporting.
Note
"remove_from_metric": ["/layers/ssh/ssh_ssh_encrypted_packet", .., ...]
Some things cannot and should not be collected, such as entire packet payloads.
They could be stored, but the backend database table and retrieval functions would have to change.
Note
As a rule, remove any binary packet data.
The remove_from_metric list is therefore how ontp-wire decides what to exclude from the data sent to the database.
A metric that carries too much data cannot be indexed properly in the GIN index, which is what we use by default so that the data can be queried with the JSON operators in PostgreSQL.
The supplied removal list is a minimal set; tune it for your environment, since you may want to remove further fields. The metric bus logs any metric it cannot insert because of GIN index limits.
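To show how a remove_from_metric list acts on a decoded record, here is an added example written for this page (it is not code from ontp-wire or ontp-mbus). It assumes the metric record has the layout of `tshark -T ek` JSON (a top-level "layers" object keyed by protocol, with field names whose dots are replaced by underscores, which is the shape the path above has) and that every removal path is an absolute "/"-separated path into that object. The sample records, the two removal paths beyond the one on this page, and the size threshold in oversized_fields are constructed for the example.

```python
"""
Added example (not ontp-wire's own code): apply a remove_from_metric list to
tshark -T ek style records before they are pushed to the metric bus, and
flag any large string fields that survived the scrub.

Assumptions (not from the page): record layout as produced by `tshark -T ek`,
absolute "/"-separated removal paths, constructed sample data.
"""
import copy
import json
from typing import Any


def remove_paths(record: dict, paths: list[str]) -> dict:
    """Return a copy of `record` with every JSON path in `paths` removed.

    "/layers/ssh/ssh_ssh_encrypted_packet" is split on "/" and walked from the
    root; the final key is deleted if present. Missing intermediate keys are
    ignored, so one removal list can be applied to records of any protocol.
    """
    out = copy.deepcopy(record)
    for path in paths:
        parts = [p for p in path.split("/") if p]
        if not parts:
            continue
        node: Any = out
        for key in parts[:-1]:
            if isinstance(node, dict) and key in node:
                node = node[key]
            else:
                node = None
                break
        if isinstance(node, dict):
            node.pop(parts[-1], None)
    return out


def oversized_fields(record: dict, limit: int = 2048, prefix: str = "") -> list[str]:
    """List paths of string values longer than `limit` bytes.

    Run it after remove_paths to find leftover blobs (hex payloads, raw data)
    the removal list does not cover yet. `limit` is an arbitrary threshold for
    this example, not the backend's actual GIN index limit.
    """
    found: list[str] = []
    for key, value in record.items():
        path = f"{prefix}/{key}"
        if isinstance(value, dict):
            found.extend(oversized_fields(value, limit, path))
        elif isinstance(value, str) and len(value.encode()) > limit:
            found.append(path)
    return found


# Constructed sample records in tshark -T ek layout (not a real capture).
SAMPLE_RECORDS = [
    {
        "timestamp": "1700000000000",
        "layers": {
            "frame": {"frame_frame_len": "1514", "frame_frame_protocols": "eth:ethertype:ip:tcp:ssh"},
            "ip": {"ip_ip_src": "10.0.0.5", "ip_ip_dst": "10.0.0.9"},
            "tcp": {"tcp_tcp_srcport": "51234", "tcp_tcp_dstport": "22"},
            "ssh": {
                "ssh_ssh_packet_length": "1460",
                "ssh_ssh_encrypted_packet": "ab" * 1460,  # hex blob that must never reach the DB
            },
        },
    },
    {
        "timestamp": "1700000000001",
        "layers": {
            "frame": {"frame_frame_len": "74"},
            "ip": {"ip_ip_src": "10.0.0.9", "ip_ip_dst": "10.0.0.5"},
            "tcp": {"tcp_tcp_srcport": "22", "tcp_tcp_dstport": "51234"},
        },
    },
]

# Same style as the remove_from_metric list in applog.conf. The first entry is
# the one shown on the page; the other two are assumed for the example.
REMOVE_FROM_METRIC = [
    "/layers/ssh/ssh_ssh_encrypted_packet",
    "/layers/data/data_data_data",
    "/layers/tcp/tcp_tcp_payload",
]


def scrub_all(records: list[dict], paths: list[str] = REMOVE_FROM_METRIC) -> list[dict]:
    """Scrub a batch of records; the originals are left untouched."""
    return [remove_paths(r, paths) for r in records]


if __name__ == "__main__":
    for before in SAMPLE_RECORDS:
        after = remove_paths(before, REMOVE_FROM_METRIC)
        print(json.dumps(after)[:120], "... leftover blobs:", oversized_fields(after))
```

Running oversized_fields over a day of scrubbed records is a cheap way to grow the removal list before the metric bus starts rejecting inserts.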
1.1.7. Decrypt traffic#
Manually edit the 'ssl.keys_list' parameter in the '/home/ontpcap/.config/wireshark/profiles/ontp/preferences' file. The key file path is resolved inside the container, so the key must be bind-mounted (read-only) at that path.
Note
Here is a sample entry for a local SSL server with a test private key in '/path_to/privkey.pem' (format: ip,port,protocol,keyfile):
ssl.keys_list: 127.0.0.1,443,http,/path_to/privkey.pem;
- Additional ssl arguments that can be added to the preferences file.
ssl.desegment_ssl_records: TRUE
ssl.desegment_ssl_application_data: TRUE
Caveat: a server private key only decrypts sessions negotiated with RSA key exchange. Sessions using (EC)DHE cipher suites, which includes all of TLS 1.3, cannot be decrypted this way; for those, point the dissector at a (pre-)master secret log written by the client or server (the SSLKEYLOGFILE mechanism) through the keylog_file preference instead. Since Wireshark 3.0 these preferences are named tls.* (tls.keys_list, tls.keylog_file, tls.desegment_ssl_records, ...); check the names your tshark build accepts with tshark -G currentprefs.