12.1. ONTP Capture FAQ
12.1.1. How To Capture On Multiple Network Interfaces
Note
Set the CAPTURE_DEVICE environment variable.
To capture from several devices, separate their names with semicolons: CAPTURE_DEVICE=eth0;hme0;eno1
Quote the value when you set it from a shell (for example docker run -e 'CAPTURE_DEVICE=eth0;hme0;eno1' ...), otherwise the semicolon ends the command.
12.1.2. Firewall Ports Access
Note
You will need to allow traffic between the capture host and the host port of the ONTP Message Bus:
port 2558, or whatever port you deployed the ONTP message bus component on.
12.1.3. How To Exclude Traffic From Capture
Note
You can exclude packets from capture by supplying a valid BPF packet filter expression (the same syntax tcpdump and tshark -f accept) in the capture_filter section of the config file. The example excludes the capture's own message-bus traffic, so the tool does not record what it is itself sending:
capture_filter: ["not dst port 2558 and not src port 2558", "..", ".."]
The shorter "not port 2558" is equivalent: in BPF, port without a direction matches either end of the packet.
12.1.4. Protocol Decoder
Note
We utilize tshark as our protocol decoder.
12.1.5. Protocols Capable Of Being Decoded
Note
Over 27100 metric data points (tshark fields) across 3000 protocols.
Field and filter reference: https://www.wireshark.org/docs/dfref/
12.1.6. Specifying Which Protocols To Decode
Note
Update the default preferences file (in the tshark configuration directory described in 12.1.11) to change which protocols are decoded.
12.1.7. Port Mapping
Note
Decode Port As. Entries use the tshark decode-as form <layer type>==<selector>,<protocol>:
decode_as: ["tcp.port==8888,http", "tcp.port==8888-8890,http"]
- tcp.port==8888,http
  decode any traffic running over TCP port 8888 as HTTP.
- tcp.port==8888-8890,http
  decode any traffic running over TCP ports 8888, 8889 or 8890 as HTTP.
12.1.8. Override Prefs
Note
Preferences can be overridden from the config file:
override_prefs: ["http.tls.port:443,4433", "tcp.try_heuristic_first:TRUE", "udp.try_heuristic_first:TRUE"]
It is better to put such records in the preferences file instead (one name: value per line):
http.tls.port: 443,4433
tcp.try_heuristic_first: TRUE
udp.try_heuristic_first: TRUE
Note that try_heuristic_first asks tshark to run heuristic dissectors before the port-based ones on every TCP or UDP payload, which costs CPU per packet and can misidentify traffic; measure before enabling it on a busy link.
12.1.9. Disable Name Resolution
Note
Disable network object name resolution. The value false leaves resolution enabled, subject to the flags in 12.1.10; set it to true to turn it off entirely.
disable_name_res: false
12.1.10. Name Resolving Flags
Note
Turn on name resolving options. The string takes the same letters as tshark -N: m (MAC addresses), n (network addresses), N (use external resolvers such as DNS), t (transport-layer ports), d (resolve from captured DNS packets) and v (VLAN IDs).
name_res_flags: "mnNtdv"
Be aware that N makes the capture host issue DNS lookups for the addresses it observes. Those lookups disclose the addresses you are monitoring to your resolver, add load on a busy link, and will themselves appear in the capture unless your capture_filter excludes them.
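The config keys from 12.1.3 through 12.1.10 together, as an added example that is not ONTP project code: a POSIX shell script that writes them to a file and checks each entry before you restart the capture, rather than discovering a bad entry afterwards. It assumes the config file is YAML using the keys shown above (the FAQ does not name the file, so the path is passed as an argument), that the message bus listens on BUS_PORT (2558 by default), and that decode_as entries use a tcp/udp/sctp port selector; tshark accepts other selectors, which the check below would reject. The decode_as entries and the port 9200 mapping are constructed sample values.

```shell
#!/bin/sh
# Added example, not ONTP project code. Assumptions (not taken from the FAQ):
#   - the capture config is YAML with the keys shown in the FAQ
#   - BUS_PORT is the message-bus port (2558 unless deployed elsewhere)
#   - decode_as entries use a tcp/udp/sctp port selector (tshark accepts others)
set -eu

BUS_PORT="${BUS_PORT:-2558}"

# A capture filter that does not exclude the message bus makes the tool capture
# its own export traffic. BPF's "port N" matches either direction, so
# "not port N" is equivalent to the FAQ's "not dst port N and not src port N".
filter_excludes_bus_port() {            # $1 = BPF expression, $2 = port
    f=" $1 "                            # pad so "port 2558" cannot match "port 25580"
    case "$f" in
        *"not port $2 "*) return 0 ;;
        *"not dst port $2 "*)
            case "$f" in *"not src port $2 "*) return 0 ;; esac ;;
    esac
    return 1
}

# decode_as entries look like tcp.port==8888,http or tcp.port==8888-8890,http
valid_decode_as() {                     # $1 = entry
    printf '%s\n' "$1" | grep -Eq '^(tcp|udp|sctp)\.port==[0-9]+(-[0-9]+)?,[A-Za-z0-9_.-]+$'
}

# name_res_flags takes only the letters tshark -N understands: m n N t d v
valid_name_res_flags() {                # $1 = flag string
    printf '%s\n' "$1" | grep -Eq '^[mnNtdv]+$'
}

# Validate every entry, then write the capture section of the config.
write_capture_config() {                # $1 = path of the file to write
    filter="not port $BUS_PORT"         # one expression; the FAQ does not say how list entries combine
    decodes='tcp.port==8888-8890,http tcp.port==9200,http'   # constructed, space separated
    flags='mt'                          # MAC and port names only: no DNS lookups from the capture host

    filter_excludes_bus_port "$filter" "$BUS_PORT" ||
        { echo "capture_filter does not exclude bus port $BUS_PORT" >&2; return 1; }
    list=""
    for d in $decodes; do               # intentional word splitting
        valid_decode_as "$d" || { echo "bad decode_as entry: $d" >&2; return 1; }
        list="${list:+$list, }\"$d\""
    done
    valid_name_res_flags "$flags" || { echo "bad name_res_flags: $flags" >&2; return 1; }

    cat > "$1" <<EOF
capture_filter: ["$filter"]
decode_as: [$list]
override_prefs: ["http.tls.port:443,4433"]
disable_name_res: false
name_res_flags: "$flags"
EOF
}

if [ $# -gt 0 ]; then
    write_capture_config "$1" && echo "wrote $1; restart the capture container to apply it"
fi
```

Run it as `sh write-capture-config.sh /path/to/config.yaml`; the checks fail the script with a message instead of writing a file the capture engine will reject.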
12.1.11. Configuring The tshark Agent
-v "$PWD/ontp-capture_config:/home/ontpcap:ro"
Note
This mounts the host directory read-only as the home directory of the capture user, so tshark uses it for its default configuration.
Any configuration of the tshark agent should go into this directory. Because the personal configuration lives under /home/ontpcap/.config/wireshark, the preferences file is $PWD/ontp-capture_config/.config/wireshark/preferences on the host, and the whole tree must be readable by the user the tool runs as (see 12.1.22).
Any change to this directory requires a restart of the agent via docker (docker restart <container>).
Default directories for tshark configuration as defined on the image:
- Temp: /tmp
- Personal configuration: /home/ontpcap/.config/wireshark
- System: /etc
- Personal plugins: /home/ontpcap/.local/lib/wireshark/plugins/3.7
12.1.12. Capture CPU Usage Restrictions
Note
We utilize monit by default to restrict CPU usage (see 12.1.14).
You can also apply any cgroup configuration that you desire to the docker start.
12.1.13. Limiting With cgroups
Note
You can apply any relevant cgroup specification to the docker container (for example the docker run options --cpus, --memory and --pids-limit) to limit the resources that the application stack uses.
12.1.14. Monit Application Monitoring Config
Note
ONTP capture uses monit to monitor its runtime state.
- monit docs: https://mmonit.com/monit/documentation/monit.html
The current rule is to restart the process if it uses more than 99% of CPU for 5 cycles:
if cpu > 99% for 5 cycles then restart
You can map your own monit configuration by adding the following volume mount to the docker command:
-v "$PWD/monit/monitrc:/etc/monitrc:ro"
Warning
If you supply your own monitrc, remember to make it owned by root and inaccessible to group and others; monit refuses to load a control file that other users can read or write: chown root monitrc; chmod go-rwx monitrc
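A deployment helper covering 12.1.11 (the tshark configuration directory), 12.1.13 (cgroup limits on docker run) and 12.1.14 (mounting and protecting monitrc), as an added example that is not ONTP project code. It assumes the container and image names (ontp-capture and IMAGE are placeholders), the CPU and memory figures, and that live capture needs the host network namespace plus CAP_NET_RAW and CAP_NET_ADMIN; if the image arranges capture access differently, follow its own run instructions. The preferences path follows from 12.1.11: the host directory is mounted at /home/ontpcap and the personal configuration is /home/ontpcap/.config/wireshark. The monitrc owner check compares numeric uids (0 is root, as the FAQ requires) so it works where the container host has no name for the owner.

```shell
#!/bin/sh
# Added deployment helper, not ONTP project code. Assumptions (not from the FAQ):
#   - IMAGE and the container name ontp-capture are placeholders
#   - --cpus/--memory values are illustrative
#   - live capture needs host networking plus CAP_NET_RAW and CAP_NET_ADMIN
set -eu

CFG_DIR="${CFG_DIR:-$PWD/ontp-capture_config}"   # mounted at /home/ontpcap (12.1.11)
MONITRC="${MONITRC:-$PWD/monit/monitrc}"         # mounted at /etc/monitrc (12.1.14)
MONITRC_OWNER="${MONITRC_OWNER:-0}"              # numeric uid; 0 is root as the FAQ requires
IMAGE="${IMAGE:-ontp/capture:latest}"            # placeholder image name

# tshark's personal configuration is $HOME/.config/wireshark, so with the home
# directory mounted from the host the preferences file is this host path.
write_tshark_prefs() {                  # $1 = host config directory
    dir="$1/.config/wireshark"
    mkdir -p "$dir"
    cat > "$dir/preferences" <<'EOF'
# tshark preferences: one "name: value" per line (12.1.8)
http.tls.port: 443,4433
tcp.try_heuristic_first: TRUE
udp.try_heuristic_first: TRUE
EOF
    # uid 4602 inside the container (12.1.22) must be able to read the tree;
    # the :ro mount means it never needs write access, so grant read/traverse only
    chmod -R a+rX "$1"
}

# monit refuses a control file that group or other can access.
monitrc_mode_ok() {                     # $1 = path
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

monitrc_owner_ok() {                    # $1 = path; compares numeric uid
    [ "$(ls -ldn "$1" | awk '{print $3}')" = "$MONITRC_OWNER" ]
}

preflight() {
    [ -r "$CFG_DIR/.config/wireshark/preferences" ] ||
        { echo "no preferences file under $CFG_DIR; run write_tshark_prefs" >&2; return 1; }
    monitrc_owner_ok "$MONITRC" ||
        { echo "$MONITRC must be owned by uid $MONITRC_OWNER (chown root monitrc)" >&2; return 1; }
    monitrc_mode_ok "$MONITRC" ||
        { echo "$MONITRC is group/other accessible (chmod go-rwx monitrc)" >&2; return 1; }
}

# Assemble the docker run command; print it one argument per line with
# DRY_RUN=1, otherwise run it.
start_capture() {
    preflight
    set -- docker run -d --name ontp-capture --restart unless-stopped \
        --cpus "${CPU_LIMIT:-2}" --memory "${MEM_LIMIT:-2g}" --pids-limit 512 \
        --network host --cap-add NET_RAW --cap-add NET_ADMIN \
        -e "CAPTURE_DEVICE=${CAPTURE_DEVICE:-eth0}" \
        -v "$CFG_DIR:/home/ontpcap:ro" \
        -v "$MONITRC:/etc/monitrc:ro" \
        "$IMAGE"
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; else "$@"; fi
}
```

Typical use is `write_tshark_prefs "$CFG_DIR"` once, then `DRY_RUN=1 start_capture` to review the command before running it for real; after any later edit under CFG_DIR, `docker restart ontp-capture` is all that is needed, since the mount is live and only tshark's reading of it is not.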
12.1.15. remove_from_metric Semantics
Note
Remove the listed keys from the JSON data before it is stored in the database.
Reasons why:
- Remove binary data.
- Remove sensitive data (the decoder emits fields such as HTTP authorization headers and request bodies verbatim).
- Remove unwanted data.
- Make the record fit the JSON GIN index limit.
12.1.16. Why Exclude Binary Data From Collection
Note
Excluding binary data from collection is recommended as it lowers the storage requirements for the database.
Binary data would be pushed as a base64-encoded string, but a long string value is likely to break the GIN index limit, in which case the whole record is rejected. Dropping such keys up front (12.1.15) or normalizing them (12.1.18) avoids both the storage cost and the rejected inserts.
12.1.17. host_unitid Limitations
Note
There are no limitations on the host_unitid name.
However, you should choose a name that describes your environment and keep it short, since it is stored with every record and used for retrieval.
12.1.18. metric_normalize Semantics
Note
Metric normalization means automatically removing binary data, or data that is over a certain threshold length, from a metric.
Specify the metric types that should automatically be normalized.
12.1.19. Optimal Number Of io_threads
Note
We recommend that you use only 2 io threads to process data for the ONTP metric message bus.
12.1.20. Optimal Number Of msg_threads
Note
We recommend that you use only 2 msg threads to process data for the ONTP metric message bus.
12.1.21. Optimal Number Of ssl_threads
Note
We recommend that you use only 2 ssl threads to send data to the ONTP metric message bus.
12.1.22. Userid That The Tooling Executes As
Note
The tool is executed as:
- user ontpcap, uid 4602
- group ontpcap, gid 4602
Anything you mount into the container for the agent (12.1.11) must therefore be readable by this uid/gid.
12.1.23. Tool Restart Recommendations
Note
It is best practice to restart the container at least once per week.
You can also use the monitrc override configuration (12.1.14) to control when the tool gets restarted.