This page details the Datumize Data Dumper (DDD) configuration properties you can adjust in the product.

DDD is very sensitive to configuration. Make sure you know what you're doing.


Properties

These are the supported properties.

GROUP | PROPERTY | ID | DESCRIPTION | TYPE | DEFAULT
Default | Buffer size | BUFFSIZE | Memory buffer size in KB. This buffer temporarily holds network packets before the filter is applied and the packet is eventually copied to the output. A big buffer uses more memory; a small buffer causes packet loss when it overflows. | Integer | 8192
Default | Device | DEV | Network device (as shown by ifconfig). | String | eth0
Default | Filter | FILTER | PCAP network filter as supported by tcpdump. The filter must be quoted, e.g. "tcp and host 192.168.204.24". | String | 
Default | Snapshot length | SIZE | Packet snapshot length: the size of the window (in bytes) used for packet capture. This is a very sensitive property. | Integer | 262144
Advanced | Rotate seconds | ROTATE | Rotate output pcap files every this number of seconds. | Integer | 20
Advanced | Owner | USER | Owner of the output pcap folder and files (user:group notation). | String | datumize:datumize
Advanced | Staging directory | RAMFS | Absolute path of the ramfs (memory filesystem) folder. | Path | /mnt/ramfs1
Advanced | Output directory | OUTPUT | Absolute path of the pcap output folder. | Path | /opt/datumize/pcap
Advanced | Log file | LOGFILE | Relative or absolute log file path. | Path | /opt/datumize/log/tcpdump.out
Advanced | Pcap split | SPLITNUM | Use the pcap splitter, if it exists, and split each file into this number of parts. | Integer | 10
Advanced | Sleep on move | SLEEP | Number of seconds to sleep after moving a recently closed pcap file to the output directory. | Integer | 5
Advanced | Extra parameters | EXTRA | Extra tcpdump parameters, used to set specific user privileges. Usually used to add -Z root so that the root user is not dropped when rotating files. | String | 


Advanced Configuration

DDD is installed automatically through Datumize Zentral (DZ), and the resulting defaults should be fine for most configurations.

Important considerations about snapshot length:

  • A big snapshot length decreases DDD performance and can generate large amounts of packet loss: the bigger the window, the more CPU cycles are spent on processing, filtering and copying each packet.
  • A small snapshot length can yield truncated packets: if the snapshot is smaller than the actual packet size, you get only the number of bytes defined in the snapshot.
  • A smaller snapshot may be fine if you only want to analyze packet headers.

Linux system limits can be tuned for better TCP performance. Check reference1 and reference2.

DDD uses a memory-mounted filesystem (ramfs) as the staging area to improve packet capture performance.
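As an added example (not part of the DDD documentation or product code), the following shell script shows how the properties above relate to a plain tcpdump invocation and sanity-checks the most sensitive values (BUFFSIZE, SIZE, USER) before a capture is started. The mapping onto tcpdump flags (-i, -B in KiB, -s, -G, -U, -w with a strftime file name) is standard tcpdump; that DDD assembles its command line exactly this way is an assumption, as are the function names and the capture-file naming pattern. USER is file ownership applied after the move, not a tcpdump flag, so it is only validated here.

```shell
#!/bin/sh
# Added example, not DDD code: map DDD-style properties onto a tcpdump command
# line and sanity-check the most sensitive values first. The flag mapping is
# standard tcpdump; that DDD builds its command this way is an assumption.

# Ethernet (14) + IPv4 (20) + TCP (20) headers without options; a snapshot
# length below this truncates even the headers.
MIN_HEADER_SNAPLEN=54
# Largest snapshot length tcpdump accepts for -s (also the DDD default).
MAX_SNAPLEN=262144

# is_uint VALUE -> true if VALUE is a non-negative decimal integer
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_props BUFFSIZE SIZE USER -> prints one problem per line, returns 1 if any
check_props() {
    buffsize=$1; size=$2; owner=$3; rc=0
    if ! is_uint "$buffsize" || [ "$buffsize" -eq 0 ]; then
        echo "BUFFSIZE must be a positive integer (KB)"; rc=1
    fi
    if ! is_uint "$size"; then
        echo "SIZE must be an integer (bytes)"; rc=1
    elif [ "$size" -lt "$MIN_HEADER_SNAPLEN" ]; then
        echo "SIZE $size truncates even basic headers (need >= $MIN_HEADER_SNAPLEN)"; rc=1
    elif [ "$size" -gt "$MAX_SNAPLEN" ]; then
        echo "SIZE $size exceeds tcpdump's maximum of $MAX_SNAPLEN"; rc=1
    fi
    case "$owner" in
        ?*:?*) ;;   # user:group, both parts non-empty
        *) echo "USER must use user:group notation"; rc=1 ;;
    esac
    return "$rc"
}

# build_tcpdump_cmd DEV BUFFSIZE SIZE ROTATE RAMFS FILTER EXTRA -> prints the command.
# Files go to the ramfs staging folder with a strftime name so that -G can rotate
# them (the name pattern is an assumption); -U flushes every packet so a rotated
# file is never left truncated.
build_tcpdump_cmd() {
    dev=$1; buffsize=$2; size=$3; rotate=$4; ramfs=$5; filter=$6; extra=$7
    cmd="tcpdump -i $dev -B $buffsize -s $size -G $rotate -U -w $ramfs/capture-%Y%m%d-%H%M%S.pcap"
    # EXTRA is appended verbatim, e.g. "-Z root" as the properties table suggests
    [ -n "$extra" ] && cmd="$cmd $extra"
    # The filter is passed as one quoted expression, as the FILTER property requires
    [ -n "$filter" ] && cmd="$cmd '$filter'"
    echo "$cmd"
}

# Demo with the documented defaults plus a filter and -Z root
if check_props 8192 262144 datumize:datumize; then
    build_tcpdump_cmd eth0 8192 262144 20 /mnt/ramfs1 "tcp and host 192.168.204.24" "-Z root"
fi
```

Running the script with the defaults prints the equivalent tcpdump command line; lowering SIZE below 54 or giving USER without a group makes check_props report the problem and return non-zero, which is the check worth running before restarting a capture with hand-edited values.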


Using tcpdump from command line

Eventually you might need to use tcpdump from the command line to understand the traffic being captured, decide on the proper filter or fine-tune some DDD parameters.

  • Capture all interfaces:
        tcpdump -i any
  • Show IP addresses instead of domain names:
        tcpdump -i <interface-name> -qn tcp -w pcap.pcap
  • Split a large pcap into smaller pcaps (e.g. 200 MB each):
        tcpdump -r old_file -w new_files -C 200
  • Flush captured packets and prevent truncated pcap errors:
        tcpdump -U
  • Handy filters:
        sudo tcpdump -i eth0 -qn udp and dst host <ip_interface> -w pcap_new.pcap
        sudo tcpdump -q | sed '/ssh/d'       # hide ssh traffic
        tcpdump -i eth0 port not 22          # hiding it with a tcpdump filter instead
        tcpdump -i eth0 -A | grep HTTP       # with grep
  • Filtering by protocol and port:
        tcpdump -i eth0 not udp and not arp and port not 22
        sudo tcpdump -i eth0 -qnn tcp and host 10.150.3.154 and not '(host 10.150.4.106 or host 10.150.4.107)'
  • Filtering by byte, e.g. hiding TCP traffic that carries no data:
        tcpdump -i eth0 tcp and port 80 and '(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Complex filters (binary and hexadecimal): check this.
  • Filter by IP odd and even (last byte of the destination address):
        Even: tcpdump -i <interface> <options> 'ip[19] & 0x01 = 0 || ip6[39] & 0x01 = 0'
        Odd:  tcpdump -i <interface> <options> 'ip[19] & 0x01 = 1 || ip6[39] & 0x01 = 1'
  • Get all the IPs of a pcap file:
        tcpdump -r <pcap_file> -qnn tcp | awk '{print $4}' | sort | uniq > ips_hst
        tcpdump -r <pcap_file> -qnn tcp | awk '{print $5}' | sort | uniq > ips_dst
  • tcpdump cheat sheet: check Packetlife.
  • Wireshark cheat sheet: check Packetlife.