FMADIO Packet Capture systems provide a built-in Push PCAP feature to transfer captured PCAP data on a regular schedule to a remote system or local Scratch Disk. An example is pushing 1 minute PCAPs to a remote NFS share or an S3 storage bucket.
Supported Hardware
Hardware | Push PCAP Intraday | Push PCAP End of Day | Min. firmware version | Notes |
---|---|---|---|---|
FMADIO-3114 | | | 6979 | |
FMADIO-3214 | | | 6979 | |
FMADIO-3414 | | | 6979 | |
FMADIO-3514 | | | 6979 | |
FMADIO-5114 | | | 6979 | |
FMADIO-5214 | | | 6979 | |
FMADIO-5414 | | | 6979 | |
FMADIO-5514 | | | 6979 | |
Configuration
Configuration is via configuration scripts located at:
/opt/fmadio/etc/push_pcap.lua
If that file does not exist, copy the basic example from the following location:
/opt/fmadio/etc_ro/push_pcap.lua.basic
An example is shown as follows:
local Config = {}

-- 5 minutes, expressed in nanoseconds
Config.TimeoutRing = 5*60e9

Config.Target = {}

-- Target A: push all packet data (no filter)
table.insert(Config.Target,
{
    Desc       = "Full",
    Mode       = "File",
    Path       = os.date("/mnt/remote0/pcap/%Y%m%d/all-"),
    Split      = "--split-time "..(60*60*1e9),   -- 60*60*1e9 ns = 1 hour per file
    SplitCmd   = "-Z fmadio",
    FileName   = "--filename-tstr-HHMMSS",
    FilterBPF  = "",                             -- empty: no filter applied
    PipeCmd    = "zstd -c -T8",                  -- compress with zstd, 8 threads
    FileSuffix = ".pcap.zstd",
})

-- Target B: push only TCP data from network 192.168.1.0/24
table.insert(Config.Target,
{
    Desc       = "tcp_192_168_1_0",
    Mode       = "File",
    Path       = os.date("/mnt/remote0/pcap/%Y%m%d/tcp_host-"),
    Split      = "--split-time "..(60*60*1e9),
    SplitCmd   = "-Z fmadio",
    FileName   = "--filename-tstr-HHMMSS",
    FilterBPF  = "net 192.168.1.0/24 and tcp",   -- subnet AND tcp, per the note on target B
    PipeCmd    = "zstd -c -T8",
    FileSuffix = ".pcap.zstd",
})

return Config
Multiple Push PCAP targets can be specified. There is no real limit; however, processing throughput may be impacted.
In the above example there are 2 Push PCAP rules:
A) Push all packet data (no filter)
This Push PCAP target sends all PCAP data to the remote NFS share mounted on:
/mnt/remote0
See Mount Remote NFS (Linux) Drive for details on setting up /mnt/remote0 mounting points.
The filter is specified as "FilterBPF=nil" (left empty in the example above), meaning there is no filter, so all traffic is pushed.
B) Push all TCP data from network 192.168.1.0/24
The second example pushes all TCP data on the network 192.168.1.0/24 to the specified /mnt/remote0/push/ directory with a PCAP file prefix of "tcp_*".
Note:
FilterBPF=net 192.168.1.0/24 and tcp
This applies a full BPF (Berkeley Packet Filter https://en.wikipedia.org/wiki/Berkeley_Packet_Filter ) with the filter "tcp" to the packets before writing them to the location. As a result, only TCP data is written to the /mnt/remote0/push/tcp_*.pcap output files.
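A pre-deployment check for the target list described above, as an added example that is not FMADIO's own code: it flags targets with no FilterBPF (the full capture leaves the system), targets writing outside an expected mount, and two targets sharing one output prefix. ALLOWED_ROOT, the audit function and the sample targets are assumptions made for illustration.

```lua
-- Added example: audit Push PCAP targets before deploying push_pcap.lua.
-- ALLOWED_ROOT and the audit rules are assumptions, not FMADIO behaviour.
local ALLOWED_ROOT = "/mnt/remote0/"

-- Constructed sample using the field names from the example above.
-- To audit the real file instead: local Config = dofile("/opt/fmadio/etc/push_pcap.lua")
local Config = { Target = {
    { Desc = "Full",    Path = "/mnt/remote0/pcap/20240101/all-",      FilterBPF = "" },
    { Desc = "tcp_net", Path = "/mnt/remote0/pcap/20240101/tcp_host-", FilterBPF = "net 192.168.1.0/24 and tcp" },
    { Desc = "dup",     Path = "/mnt/remote0/pcap/20240101/tcp_host-", FilterBPF = "udp" },
    { Desc = "stray",   Path = "/tmp/pcap/all-",                       FilterBPF = "tcp" },
} }

local function audit(config)
    local findings, seen = {}, {}
    local function add(desc, msg)
        findings[#findings + 1] = desc .. ": " .. msg
    end
    for i, t in ipairs(config.Target or {}) do
        local desc = t.Desc or ("target #" .. i)
        local path = t.Path or ""
        -- Destination must sit under the expected mount and not climb out of it.
        if path:sub(1, #ALLOWED_ROOT) ~= ALLOWED_ROOT or path:find("..", 1, true) then
            add(desc, "Path is not confined to " .. ALLOWED_ROOT .. " (" .. path .. ")")
        end
        -- Two targets sharing one prefix can collide on output file names.
        if seen[path] then
            add(desc, "Path prefix already used by target " .. seen[path])
        end
        seen[path] = desc
        -- A nil, empty or whitespace-only filter means every packet is pushed.
        local bpf = t.FilterBPF
        if type(bpf) ~= "string" or bpf:match("^%s*$") then
            add(desc, "no FilterBPF, all captured traffic is pushed")
        end
    end
    return findings
end

for _, finding in ipairs(audit(Config)) do
    print(finding)
end
```

With the constructed sample it reports the unfiltered "Full" target, the duplicated prefix on "dup" and the out-of-mount path on "stray"; an unfiltered target may be intentional, so treat that finding as a prompt to confirm the destination is meant to receive full capture.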
Supported Endpoints
Mode | Description |
---|---|
linux file | linux file on FMADIO capture system |
NFS | remote NFS mountpoint on FMADIO capture system |
SFTP | remote SSH file system via rclone ( https://rclone.org/sftp/ ) |
FTP | FTP push via rclone ( https://rclone.org/ftp/ ) |
S3 | S3 protocol via rclone ( https://rclone.org/s3/ ) |
Google Drive | Google drive via rclone ( https://rclone.org/drive/ ) |
Digital Ocean | Digital Ocean Spaces via rclone ( https://rclone.org/s3/#digitalocean-spaces ) |
Azure Blob | Microsoft Azure Blob via rclone ( https://rclone.org/azureblob/ ) |
Dropbox | Dropbox via rclone ( https://rclone.org/dropbox/ ) |
Hadoop HDFS | Hadoop file system via rclone ( https://rclone.org/hdfs/ ) |
Ceph | Ceph S3 interface via rclone ( https://rclone.org/s3/ ) |
And many more; see the rclone documentation for the full list of supported endpoints: https://rclone.org/docs/
If you have questions, problems or feedback related to this topic please contact support@fmad.io.