Datumize Data Dumper (DDD) configuration details the different properties you can adjust in the product.
DDD is very sensitive to configuration. Make sure you know what you're doing.
These are the supported properties.
| Property | Variable | Description | Type |
| --- | --- | --- | --- |
| | | Memory buffer size in KB. This buffer temporarily holds network packets before the filter is applied and, eventually, the packet is copied to the output. | |
| Device | DEV | Network device (as shown by ifconfig) | String |
| | | Packet snapshot length: the size of the window (in bytes) used for packet capture. This is a very sensitive property. | |
| | | Rotate output pcap files every given number of seconds. | |
| Owner | USER | Owner of the output pcap folder and files (user:group notation) | String |
| Staging directory | RAMFS | Absolute path of the ramfs (memory filesystem) folder | Path |
| Output directory | OUTPUT | Absolute path of the pcap output folder | Path |
| Log file | LOGFILE | Relative or absolute log file path | Path |
| Pcap split | SPLITNUM | Use the pcap splitter, if present, to split each file into the configured number of parts | Integer |
| Sleep on move | SLEEP | Sleep a number of seconds after moving a recently closed pcap file to the output directory | |
| Extra parameters | EXTRA | Use specific user privileges. Usually used to add | String |
DDD is installed automatically through Datumize Zentral (DZ), and the configuration it applies should be fine for most deployments.
Important considerations regarding snapshot length:
- A large snapshot length decreases the performance of DDD and can cause high packet loss. The bigger the window, the more CPU cycles any processing, filtering and copying takes.
- A small snapshot length can yield truncated packets. If the snapshot is smaller than the actual packet size, you get only the number of bytes defined in the snapshot.
- A smaller snapshot may be fine if you only want to analyze packet headers.
DDD uses a memory-mounted filesystem (ramfs) as its staging area to improve packet capture performance.
Using tcpdump from command line
You might occasionally need to use tcpdump from the command line to understand the traffic being captured, decide on the proper filter, or fine-tune some DDD parameters.
| Purpose | Command |
| --- | --- |
| Capture all interfaces | |
| Show IP addresses instead of domain names | |
| Split a large pcap into smaller pcaps (e.g. 200MB) | |
| Flush captured packets and prevent truncated pcap errors | |
| Filter by protocol and port | |
| Filter by byte: example hiding traffic with 0 data | |
| Complex filters (binary and hexadecimal) | |
| Filter by odd and even IP addresses | |
| Get all the IPs of a pcap file | |
| tcpdump cheat sheet | Check Packetlife |
| Wireshark cheat sheet | Check Packetlife |
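The two failure modes above (packets cut short by a small snapshot length, and a pcap file cut mid-record because the capture was not flushed) and the "get all the IPs of a pcap file" task can all be checked with a small pcap reader. The following is an added example written for this page, not DDD's own code or part of its tooling: it constructs a classic pcap in memory the way a capturer with a given snapshot length would write it (the `build_*` helpers, the 64-byte snapshot and the 10.0.0.x addresses are all constructed for the demonstration), then parses it and reports how many records have a captured length below their original length, whether the file ends mid-record, and which IPv4 addresses appear.

```python
import struct
from ipaddress import IPv4Address

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap magic number, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, payload):
    """Build an Ethernet/IPv4/UDP frame (constructed test traffic; checksums left at 0)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    total_len = 20 + len(udp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + udp + payload


def build_pcap(frames, snaplen):
    """Write a classic pcap the way a capturer with this snapshot length does:
    each record keeps at most `snaplen` bytes but records the original length."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(captured), len(frame))
        out += captured
    return out


def parse_pcap(data):
    """Return (snaplen, records, incomplete_tail).

    A record whose body is shorter than its header claims, or leftover bytes too
    short for a record header, mean the file was cut mid-packet (capture not flushed).
    """
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # same magic written by a big-endian capturer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    records, off, incomplete_tail = [], 24, False
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:
            incomplete_tail = True
            break
        records.append((incl_len, orig_len, pkt))
        off += incl_len
    if off != len(data):
        incomplete_tail = True
    return snaplen, records, incomplete_tail


def summarize(data):
    """Flag packets cut short by the snapshot length and list the IPv4 addresses seen."""
    snaplen, records, incomplete_tail = parse_pcap(data)
    truncated, ips = 0, set()
    for incl_len, orig_len, pkt in records:
        if incl_len < orig_len:          # the capturer kept fewer bytes than were on the wire
            truncated += 1
        # Ethernet header (14) + minimal IPv4 header (20): addresses sit at offsets 26 and 30,
        # so they survive even in a record cut down to a small snapshot length.
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":
            ips.add(str(IPv4Address(pkt[26:30])))
            ips.add(str(IPv4Address(pkt[30:34])))
    return {"snaplen": snaplen, "packets": len(records), "truncated": truncated,
            "incomplete_tail": incomplete_tail, "ips": sorted(ips, key=IPv4Address)}


# Constructed sample: a snapshot length of 64 bytes keeps headers but cuts larger payloads.
SNAPLEN = 64
SAMPLE_FRAMES = [
    build_frame("10.0.0.1", "10.0.0.2", b"A" * 100),  # 142 bytes on the wire -> cut to 64
    build_frame("10.0.0.3", "10.0.0.2", b"ok"),       # 44 bytes -> intact
    build_frame("10.0.0.1", "10.0.0.2", b"B" * 22),   # exactly 64 bytes -> intact
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES, SNAPLEN)

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))            # one of three packets truncated by the snapshot
    print(summarize(SAMPLE_PCAP[:-10]))      # file cut mid-record: incomplete_tail is True
```

To run it against a real DDD output file, replace `SAMPLE_PCAP` with the bytes read from a pcap in the output directory; a non-zero `truncated` count is the symptom the snapshot-length note describes, and `incomplete_tail` corresponds to the "truncated pcap" error a reader reports when a file was rotated or copied before the capturer flushed its last record.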