Capture Plans
Capture Plans are pipelines defined by capture sockets and utilized to handle and process
Protocol modules are loaded at startup by the captagent.xml general configuration.
socket_pcap -> {profile} -> capture_plan
/usr/local/etc/captagent/socket_pcap.xml
<profile name="socketspcap_sip" description="HEP Socket" enable="true" serial="2014010402">
<settings>
<param name="dev" value="eth0"/>
<param name="promisc" value="true"/>
<param name="reasm" value="false"/>
<param name="tcpdefrag" value="false"/>
<param name="capture-plan" value="sip_capture_plan.cfg"/>
<param name="filter">
<value>portrange 5060-5091</value>
</param>
</settings>
</profile>
/usr/local/etc/captagent/captureplans/sip_capture_plan.cfg
capture[pcap] {
# here we can check source/destination IP/port, message size
if(msg_check("size", "100")) {
#Do parsing
if(parse_sip()) {
#Multiple profiles can be defined in transport_hep.xml
if(!send_hep("hepsocket")) {
clog("ERROR", "Error sending HEP!!!!");
}
}
}
drop;
}
Users can put in capture[...] these socket types:
- pcap
- tzsp
- collector