5.6.14. Web UI `Config - Gcaps profiles` screen

After pressing the `Gcaps profiles` command from the `Config` menu, the following screen is displayed.
This screen enables configuring the GCap profiles.
../../_images/GCAP_00.PNG

Item 1: name of the GCap associated with the GCenter.

Item 2: `Detection Rulesets` button: manages the application of rulesets to paired GCaps.
See: `Detection Rulesets` section of the `Config Gcaps profiles` menu.

Item 3: `Base variables` button: manages the configuration of the advanced GCap parameters.
See: `Base variables` section of the `Config Gcaps profiles` menu.

Item 4: `Net variables` button: manages the network variables used in Sigflow rules.
See: `Net variables` section of the `Config Gcaps profiles` menu.

Item 5: `Flow timeouts` button: configures the time Sigflow keeps a flow in memory depending on its state.
See: `Flow timeouts` section of the `Config Gcaps profiles` menu.

Item 6: `File rule management` button: configures the file types that the GCap extracts for a given protocol.
See: `File rule management` section of the `Config Gcaps profiles` menu.

Item 7: `Packet filters` button: adjusts the GCap capture parameters using Sigflow's advanced features.
See: `Packet filters` section of the `Config Gcaps profiles` menu.

Item 8: `Reset to default configuration` button: resets the configuration and loads the profile selected in the `GCaps pairing and status` screen.

Item 9: `ADD GCAP` button: displays the screen for adding a GCap.
See: `Admin-GCaps pairing and status` screen of the legacy Web UI.

Note

The buttons listed above give access to the sections described below, each of which manages a subset of the configuration.
Each change is saved automatically.
Pressing an `APPLY` button sends the complete configuration to the selected GCap.

5.6.14.1. `Detection Rulesets` section of the `Config Gcaps profiles` menu

The `Detection Rulesets` screen enables:
  • Configuring the detection mode, one of the three options below:

  • `single tenant`

  • `multi-tenant by interface`

  • `multi-tenant by vlan`

  • Applying the Sigflow rulesets previously created to the GCaps paired with the GCenter

  • Enabling the Codebreaker engine (`Shellcodes` and `Powershell` detection)

For more information, refer to Detection Rulesets.

../../_images/GCAP_01.PNG

Item 1: link to return to the `GCAP profiles` screen.

Item 2: message area informing that the selected ruleset has been updated.

Item 3: `SINGLE TENANT` button: manages the rulesets and detection options for this configuration:
  • Selection of the ruleset to be configured (12)
  • Activation of the `Shellcodes` detection (11)
  • Activation of the `Powershell` detection (10)

Item 4: `MULTI-TENANT BY INTERFACE` button: manages the rulesets and detection options for this configuration:
  • Selection of the interface to set (monx or monvirt)
  • Selection of the ruleset to configure
  • Activation of the `Shellcodes` detection
  • Activation of the `Powershell` detection

Item 5: `MULTI-TENANT BY VLAN` button: manages the rulesets and detection options for this configuration:
  • Selection of the VLAN to configure
  • Selection of the ruleset to configure
  • Activation of the `Shellcodes` detection
  • Activation of the `Powershell` detection

Item 6: `Add a ruleset` button: displays the Ruleset screen for adding a ruleset (see `Config - sigflow/rulesets` screen of the legacy web UI).

Item 7: `Reset config` button: resets the configuration.

Item 8: `Apply` button: saves the settings and makes the rulesets available to the GCaps.

Item 9: `Save` button: saves the current option settings (SINGLE TENANT, ...).


5.6.14.2. `Base variables` section of the `Config Gcaps profiles` menu

The `Base variables` section enables the probe's capture parameters to be adjusted using the advanced Sigflow functions that can be configured from the `GCenter`.
Changes to this configuration affect the alerts sent from the GCap probe to the GCenter.
Enabling certain options adds alerts, anomalies, metadata, file information and protocol-specific records to what is sent.
An alert is a record of an event triggered by a rule matching network traffic.
It is created together with associated metadata, such as the application-layer record (HTTP, DNS, etc.).
The `Base Variables` screen consists of the following fields:

5.6.14.2.1. `Stream analysis and file extraction` zone

The `Stream analysis and file extraction` zone enables you to control how the Sigflow engine handles maximum stream and file extraction sizes.


5.6.14.2.1.1. Description of the `Stream analysis and file extraction` zone

This zone includes the following items:

../../_images/GCAP_02-1.PNG

Item 1: `File extraction (on/off)`: turns file extraction on or off; the size limits below apply to the extracted streams and stored files.

Item 2: `Stream reassembly depth (MB)`: maximum size of the reassembled network stream, in megabytes.
This default value can be overridden by the protocol analysers that perform the file extraction.
Once this value is reached for a given flow, the remainder of that flow is no longer inspected.
Setting this value to 0 removes the limit (any stream size is kept).

Item 3: `MQTT Max message length (MB)`: maximum size of an MQTT message to be parsed.
Beyond this value, the message is not parsed.

Item 4: `File-store stream depth (MB)`: maximum size of a reconstructed and stored file, in megabytes.
If this value is reached, the file may be truncated and not entirely stored.
This also means that beyond this value, the HTTP session is no longer tracked.
A negative value disables the option. A value of 0 allows any file size to be stored.
If this option is not enabled, the value of `Stream reassembly depth (MB)` is used instead.
This value must be greater than the value of `Stream reassembly depth (MB)`.

Item 5: `SMB Stream Depth (MB)`: maximum size of the SMB network stream, in megabytes.
Beyond this value, no reconstruction is undertaken and the file may be truncated and not entirely stored.
This also means that beyond this value, the SMB session is no longer tracked.
A negative value disables the option. A value of 0 allows any file size to be stored.

Tip

Too high a value for these parameters increases detection but decreases performance.

Caution

Changing these parameters may cause the solution to malfunction. This section is reserved for support staff and advanced users.

Only the `file_store_stream_depth_mb` variable can be modified, and it must never exceed 100 MB.


5.6.14.2.1.2. Default configuration of the `Base variables` section

Variable                        Default value
File extraction (On/Off)        Enabled
File-store stream depth (MB)    10
Stream reassembly depth (MB)    10
SMB Stream Depth (MB)           10
MQTT Max message length (MB)    10


5.6.14.2.2. `HTTP Proxy` zone

The `HTTP Proxy` zone enriches metadata and alerts for streams carrying the X-Forwarded-For (XFF) HTTP header.
XFF is a de facto standard header used to identify the original IP address of a client connecting to a web server through an HTTP proxy or load balancer.

5.6.14.2.2.1. Description of the `HTTP Proxy` zone

This zone includes the following items:

../../_images/GCAP_02-2.PNG

Item 1: `XFF (On/Off)` selector: enables handling of the HTTP X-Forwarded-For header, either by adding a new field to the event or by overwriting the source or destination IP address (depending on the direction of the flow) with the address found in this header.
Which of the two behaviours applies is set by the `XFF mode` directive.
This is useful when processing flows behind a reverse proxy, for example.

Item 2: `XFF deployment`: type of XFF deployment, reverse or forward.
In a reverse deployment the last address listed in the header is used; in a forward deployment the first one is used.

Item 3: `XFF mode`: expected behaviour when XFF is activated, either extra-data or overwrite.
In overwrite mode, if the IP address reported in the X-Forwarded-For header is not of the same IP version (IPv4/IPv6) as the received packet, the engine falls back to extra-data mode for that event.

Item 4: `XFF header`: name of the HTTP header carrying the real client IP address.
When the header lists more than one address, the one taken into account is chosen according to `XFF deployment` (see item 2).
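The decision described by the four items above, written out as an added example (this is not code from the GCenter or GCap product): it looks up the configured `XFF header`, picks the first or last address according to `XFF deployment`, and either overwrites the proxied side of the alert or adds an extra field according to `XFF mode`, falling back to extra-data when the IP versions differ. The alert dictionary, its `direction` key and the `xff` field name are assumptions made for the illustration; the sample request is constructed.

```python
"""Added example, not part of the GCenter documentation: the decision described
in the `HTTP Proxy` zone. Given an HTTP header set, the `XFF header` name,
the `XFF deployment` (reverse: last listed address; forward: first) and the
`XFF mode` (extra-data or overwrite), return what the alert would carry.
Overwrite falls back to extra-data when the header address is not of the same
IP version as the packet. The alert dict, the `xff` field name and the
`direction` key are constructed for this illustration."""
from __future__ import annotations

import ipaddress


def pick_xff_address(headers: dict[str, str], header_name: str, deployment: str) -> str | None:
    """Return the client address named by the XFF header, or None if absent/empty."""
    value = {k.lower(): v for k, v in headers.items()}.get(header_name.lower())
    if value is None:
        return None
    candidates = [p.strip() for p in value.split(",") if p.strip()]
    if not candidates:
        return None
    if deployment == "reverse":
        return candidates[-1]          # address appended by the proxy nearest the sensor
    if deployment == "forward":
        return candidates[0]           # address recorded by the first proxy on the path
    raise ValueError(f"unknown deployment {deployment!r}")


def apply_xff(alert: dict, headers: dict[str, str], deployment: str, mode: str,
              header_name: str = "X-Forwarded-For") -> dict:
    """Return a copy of `alert` with XFF handling applied.

    `alert` carries src_ip, dest_ip and direction ('to_server' or 'to_client'):
    the proxied client is the source of a request and the destination of a reply."""
    if mode not in ("extra-data", "overwrite"):
        raise ValueError(f"unknown mode {mode!r}")
    out = dict(alert)
    chosen = pick_xff_address(headers, header_name, deployment)
    if chosen is None:
        return out
    try:
        xff_ip = ipaddress.ip_address(chosen)
    except ValueError:
        return out                     # unparsable header value: leave the alert untouched
    side = "src_ip" if alert["direction"] == "to_server" else "dest_ip"
    packet_ip = ipaddress.ip_address(alert[side])
    if mode == "overwrite" and xff_ip.version == packet_ip.version:
        out[side] = str(xff_ip)        # the proxy address is replaced by the client address
    else:
        out["xff"] = str(xff_ip)       # extra-data, or overwrite downgraded on IP version mismatch
    return out


# Constructed request seen between a reverse proxy (10.0.0.7) and a backend (10.0.0.80).
REQUEST_ALERT = {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.80", "direction": "to_server"}
REQUEST_HEADERS = {"Host": "app.example.test", "X-Forwarded-For": "203.0.113.9, 198.51.100.2"}

if __name__ == "__main__":
    for deployment, mode in [("reverse", "extra-data"), ("reverse", "overwrite"), ("forward", "overwrite")]:
        print(deployment, mode, apply_xff(REQUEST_ALERT, REQUEST_HEADERS, deployment, mode))
```

Overwrite mode is convenient for correlation, but it discards the proxy address from the event; extra-data keeps both, which is why it is the default.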

5.6.14.2.2.2. Default configuration of the `HTTP Proxy` zone settings

Variable          Default value
XFF (On/Off)      Enabled
XFF mode          Extra-data
XFF deployment    Reverse
XFF header        X-Forwarded-For


5.6.14.2.3. `Payload` zone

The `Payload` zone enables alerts to be enriched with the content of the stream that triggered them.

Note

Enabling all of the following fields can generate events larger than 65 KB, but the data export cannot transmit events larger than this size.
An event exceeding 65 KB is truncated, and the remote server does not receive the entire event.

5.6.14.2.3.1. Description of the `Payload` zone

This zone includes the following items:

../../_images/GCAP_02-3.PNG

Item 1: `Payload` selector: adds a field containing the base64-encoded payload of the stream that triggered the alert.

Item 2: `Http body`: adds a field containing the body of the HTTP request, base64-encoded.
This parameter requires metadata to be enabled.

Item 3: `Payload printable`: adds a field containing the payload in printable ASCII (so-called "human-readable") form.

Item 4: `Http body printable`: adds a field containing the body of the HTTP request in printable ASCII form.
This parameter requires metadata to be enabled.

Item 5: `Packet`: base64-encoded dump of the captured packet.

Item 6: `Payload buffer size`: maximum size of the payload buffer added to the alert.


5.6.14.2.3.2. Default configuration of the `Payload` zone settings

Variable               Default value
Payload                Enabled
Payload printable      Enabled
Packet                 Enabled
Http body              Disabled
Http body printable    Disabled
Payload buffer size    4096


5.6.14.2.4. `Community ID` zone

This zone enables:

  • Activating the `Community ID` field in events, which identifies the network flows being analyzed

  • Configuring the seed so that it is identical to the seed used by the other tools in the same information system


5.6.14.2.4.1. Description of the `Community ID` zone

This zone includes the following items:

../../_images/GCAP_02-4.PNG

Item 1: `On/Off`: adds the `Community ID` field to the events.

Item 2: `Community ID seed`: sets the seed, which must be identical to the seed used by the other tools so that their IDs match.
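An added example (not code from the GCenter or GCap product) of why the seed matters: the Community ID v1 hash published by Corelight, which is what the `Community ID` field follows, implemented for TCP, UDP and SCTP. It shows that both directions of a flow yield the same ID, and that a GCap and another sensor configured with different seeds yield different IDs for the same flow and therefore cannot be joined on this field. The flows are constructed; ICMP, whose type and code the specification maps onto the port fields, is deliberately left out.

```python
"""Added example, not part of the GCenter documentation: the Community ID v1
flow hash (the Corelight specification that the `Community ID` field follows),
implemented for TCP, UDP and SCTP to show two properties that matter when
correlating GCap events with other sensors: both directions of a flow give the
same ID, and a different seed gives a different ID. The flow samples are
constructed; ICMP, whose type/code are mapped onto the port fields by the
specification, is deliberately not handled."""
import base64
import hashlib
import ipaddress
import struct

PROTO_TCP, PROTO_UDP, PROTO_SCTP = 6, 17, 132


def community_id_v1(saddr: str, sport: int, daddr: str, dport: int,
                    proto: int, seed: int = 0) -> str:
    """Return "1:<base64 sha1>" for a 5-tuple, as defined by Community ID v1."""
    if proto not in (PROTO_TCP, PROTO_UDP, PROTO_SCTP):
        raise ValueError("only TCP/UDP/SCTP are handled in this example")
    src = ipaddress.ip_address(saddr).packed   # 4 bytes (IPv4) or 16 bytes (IPv6)
    dst = ipaddress.ip_address(daddr).packed
    if len(src) != len(dst):
        raise ValueError("address families differ")
    # Canonical ordering: the lower (address, port) pair goes first, so that the
    # client->server and server->client directions hash to the same value.
    if (dst, dport) < (src, sport):
        src, sport, dst, dport = dst, dport, src, sport
    data = (struct.pack("!H", seed)            # 2-byte big-endian seed
            + src + dst
            + struct.pack("!BB", proto, 0)     # protocol number and one zero padding byte
            + struct.pack("!HH", sport, dport))
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def ids_match_across_tools(flow: tuple, seed_gcap: int, seed_other: int) -> bool:
    """True only when two tools configured with the given seeds produce the same ID
    for the same flow; this is the check the seed setting is about."""
    return community_id_v1(*flow, seed=seed_gcap) == community_id_v1(*flow, seed=seed_other)


# Constructed sample: a client on the LAN talking to an HTTPS server.
CLIENT_TO_SERVER = ("192.168.1.10", 51234, "203.0.113.5", 443, PROTO_TCP)
SERVER_TO_CLIENT = ("203.0.113.5", 443, "192.168.1.10", 51234, PROTO_TCP)

if __name__ == "__main__":
    print(community_id_v1(*CLIENT_TO_SERVER), community_id_v1(*SERVER_TO_CLIENT))
    print("seeds 0/0 match:", ids_match_across_tools(CLIENT_TO_SERVER, 0, 0))
    print("seeds 0/1 match:", ids_match_across_tools(CLIENT_TO_SERVER, 0, 1))
```

The Corelight specification repository ships pcaps with expected IDs; running this function over those 5-tuples is the quickest way to confirm a GCap and a second sensor are configured with the same seed before building correlation on the field.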


5.6.14.2.4.2. Default configuration of the `Community ID` zone settings

Variable             Default value
On/Off               Enabled
Community ID seed    0


5.6.14.2.5. `Alerting and logging` zone

This zone enables configuring the `alerting` and `logging` of the protocols used by the GCap.

Note

The GCap may be one version ahead of the GCenter, so some protocols listed here may not yet be implemented in the GCenter.

This is discussed in more detail in the GCap documentation, in the section Sigflow detection engine > Rebuilding files.


5.6.14.2.5.1. Description of the `Alerting and logging` zone

This zone includes the following items:

../../_images/GCAP_02-5.PNG

Item 1: selector for the hash function applied to reconstructed files (md5, sha1 or sha256).
By default, md5 is selected. The sha256 hash is in all cases added by the Malcore module.

Item 2: list of protocols. For each protocol, the following are shown:
  • The name (3)
  • The switch enabling `alerting` (4)
  • The switch enabling `logging` (5)

The parameters displayed here are those of the profile previously loaded into the GCap, which was done as follows:
  • In the `GCaps pairing and status` screen, a default profile was selected among Minimal, Balanced, MPL, Paranoid and Intuitio (Minimal enables the fewest protocols and Paranoid the most; see the tables below).
  • This profile was loaded into the GCap with the `Update` button.
    From then on, the profile is active on the selected GCap and can be viewed in the `Base variables` window.
  • If necessary, use the `Reset to default configuration` command to reload this default profile with its default values.

In addition to these protocols, it is also possible to generate `Netflow` data and to enable `fingerprint JA3`.
Both options are disabled by default (`Balanced` profile).

Warning

Enabling NetFlow data generation creates a great deal of metadata.


5.6.14.2.5.2. Default settings for the available profiles

Two tables follow. The page does not label them; since the zone has two switches per protocol (`alerting` and `logging`), check in the UI which switch each table describes before relying on it. The two tables differ only for http, http2 and smtp in the Minimal profile, for dcerpc in the Paranoid profile, and in that modbus, ntp and enip appear only in the first table.

First table:

Protocol   Minimal    Balanced   MPL        Paranoid   Intuitio
dns_udp    Disabled   Enabled    Enabled    Enabled    Enabled
dns_tcp    Disabled   Enabled    Enabled    Enabled    Enabled
http       Enabled    Enabled    Enabled    Enabled    Enabled
http2      Enabled    Enabled    Enabled    Enabled    Enabled
tls        Disabled   Enabled    Enabled    Enabled    Enabled
smtp       Enabled    Enabled    Enabled    Enabled    Enabled
smb        Disabled   Enabled    Disabled   Enabled    Enabled
nfs        Disabled   Enabled    Disabled   Enabled    Enabled
ftp        Disabled   Enabled    Enabled    Enabled    Enabled
tftp       Disabled   Enabled    Disabled   Enabled    Enabled
ssh        Disabled   Enabled    Disabled   Enabled    Enabled
kerberos   Disabled   Enabled    Disabled   Enabled    Enabled
dhcp       Disabled   Enabled    Disabled   Enabled    Enabled
snmp       Disabled   Disabled   Disabled   Enabled    Disabled
rdp        Disabled   Disabled   Disabled   Enabled    Enabled
rfb        Disabled   Disabled   Disabled   Enabled    Disabled
ikev2      Disabled   Disabled   Disabled   Enabled    Disabled
sip        Disabled   Disabled   Disabled   Enabled    Disabled
modbus     Disabled   Disabled   Disabled   Enabled    Disabled
dnp3       Disabled   Disabled   Disabled   Enabled    Disabled
dcerpc     Disabled   Disabled   Disabled   Enabled    Disabled
mqtt       Disabled   Disabled   Disabled   Enabled    Disabled
ntp        Disabled   Enabled    Disabled   Enabled    Disabled
enip       Disabled   Enabled    Disabled   Enabled    Disabled

Second table:

Protocol   Minimal    Balanced   MPL        Paranoid   Intuitio
dns_udp    Disabled   Enabled    Enabled    Enabled    Enabled
dns_tcp    Disabled   Enabled    Enabled    Enabled    Enabled
http       Disabled   Enabled    Enabled    Enabled    Enabled
http2      Disabled   Enabled    Enabled    Enabled    Enabled
tls        Disabled   Enabled    Enabled    Enabled    Enabled
smtp       Disabled   Enabled    Enabled    Enabled    Enabled
smb        Disabled   Enabled    Disabled   Enabled    Enabled
nfs        Disabled   Enabled    Disabled   Enabled    Enabled
ftp        Disabled   Enabled    Enabled    Enabled    Enabled
tftp       Disabled   Enabled    Disabled   Enabled    Enabled
ssh        Disabled   Enabled    Disabled   Enabled    Enabled
kerberos   Disabled   Enabled    Disabled   Enabled    Enabled
dhcp       Disabled   Enabled    Disabled   Enabled    Enabled
snmp       Disabled   Disabled   Disabled   Enabled    Disabled
rdp        Disabled   Disabled   Disabled   Enabled    Enabled
rfb        Disabled   Disabled   Disabled   Enabled    Disabled
ikev2      Disabled   Disabled   Disabled   Enabled    Disabled
sip        Disabled   Disabled   Disabled   Enabled    Disabled
dnp3       Disabled   Disabled   Disabled   Enabled    Disabled
dcerpc     Disabled   Disabled   Disabled   Disabled   Disabled
mqtt       Disabled   Disabled   Disabled   Enabled    Disabled


5.6.14.3. `Net variables` section of the `Config Gcaps profiles` menu

5.6.14.3.1. Information on the `Net variables` section

In the structure of a rule, just after the action (`alert`) and the protocol keyword, variables can be used to define groups of IP addresses.

In the following example:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;)

for an alert to be raised by this rule, the source address must belong to the $EXTERNAL_NET variable and the destination address to the $HOME_NET variable.
Both the traffic source and the traffic destination must be specified.
IP addresses (IPv4 and IPv6 are supported) or networks can be assigned to these variables. These values are substituted for the variables in the detection rules.

Each variable can be set in one of three ways, which changes what the rules using it match:

  • `list`: the variable is an explicit list of IP addresses or CIDR networks

  • `default (equals to HOME_NET)`: the variable takes the same value as HOME_NET

  • `exclude (opposite of HOME_NET)`: the variable matches every address that is not part of HOME_NET

It is not necessary to define an address for each of the existing variables.
By default, if nothing is specified, the variable is equivalent to `any`, so the rule applies to all traffic on that side.

Note

Good practice for the $EXTERNAL_NET variable is to choose the value "Opposite of HOME_NET", i.e. anything that is not $HOME_NET by definition.

The `Net variables` area defines the contents of these variables used in Sigflow rules.
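The three settings and the `any` default, written out as an added example (not code from the GCenter or GCap product): the variables are resolved exactly as the section describes and the address part of a rule header such as `alert tcp $EXTERNAL_NET any -> $HOME_NET any` is evaluated against sample flows. It shows in particular what leaving $EXTERNAL_NET unset does: an internal-to-internal scan then matches a rule meant for external sources. The variable set, the DNS_SERVERS list and the flows are constructed; the setting names are assumptions standing in for the UI labels.

```python
"""Added example, not part of the GCenter documentation: resolves the three
`Net variables` settings (list / equals to HOME_NET / opposite of HOME_NET)
and evaluates the address part of a rule header such as
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (...)
against a flow. Variable names, flows and rules below are constructed."""
from __future__ import annotations

import ipaddress
from typing import Iterable

LIST, EQUALS_HOME_NET, OPPOSITE_HOME_NET = "list", "equals_home_net", "opposite_home_net"


class NetVar:
    """One net variable as set in the UI: a CIDR list, HOME_NET, or !HOME_NET."""

    def __init__(self, setting: str, cidrs: Iterable[str] = ()):
        if setting not in (LIST, EQUALS_HOME_NET, OPPOSITE_HOME_NET):
            raise ValueError(f"unknown setting {setting!r}")
        self.setting = setting
        self.nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]


def resolve(name: str, variables: dict[str, NetVar]) -> tuple[bool, list]:
    """Return (negated, networks). An unset variable is `any` (no networks, not negated)."""
    var = variables.get(name)
    if var is None:
        return False, []
    if var.setting == LIST:
        return False, var.nets
    home = variables["HOME_NET"].nets           # both other settings derive from HOME_NET
    return var.setting == OPPOSITE_HOME_NET, home


def addr_matches(addr: str, negated: bool, nets: list) -> bool:
    ip = ipaddress.ip_address(addr)
    if not nets:                                # `any`
        return True
    inside = any(ip in n for n in nets)         # an IPv6 address is never inside an IPv4 network
    return not inside if negated else inside


def rule_applies(src: str, dst: str, src_var: str, dst_var: str,
                 variables: dict[str, NetVar]) -> bool:
    """Address constraints of `alert <proto> $src_var any -> $dst_var any`."""
    return (addr_matches(src, *resolve(src_var, variables))
            and addr_matches(dst, *resolve(dst_var, variables)))


# Constructed configuration mirroring the defaults table, plus a DNS_SERVERS list.
VARS = {
    "HOME_NET": NetVar(LIST, ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "EXTERNAL_NET": NetVar(OPPOSITE_HOME_NET),
    "HTTP_SERVERS": NetVar(EQUALS_HOME_NET),
    "DNS_SERVERS": NetVar(LIST, ["10.0.0.53/32"]),
}
# Same configuration with EXTERNAL_NET left undefined: it then behaves as `any`.
VARS_EXTERNAL_UNSET = {k: v for k, v in VARS.items() if k != "EXTERNAL_NET"}

if __name__ == "__main__":
    for src, dst in [("8.8.8.8", "10.1.2.3"), ("10.0.0.5", "10.1.2.3"), ("2001:db8::1", "10.1.2.3")]:
        print(src, "->", dst,
              "| EXTERNAL_NET=!HOME_NET:", rule_applies(src, dst, "EXTERNAL_NET", "HOME_NET", VARS),
              "| EXTERNAL_NET unset:", rule_applies(src, dst, "EXTERNAL_NET", "HOME_NET", VARS_EXTERNAL_UNSET))
```

The second flow (10.0.0.5 to 10.1.2.3) is the case to keep in mind: with $EXTERNAL_NET set to "Opposite of HOME_NET" an internal scanner does not trigger external-source rules, so lateral-movement coverage has to come from rules written with $HOME_NET on both sides.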


5.6.14.3.2. Description of the `Net variables` zone

This zone includes the following items:

../../_images/GCAP_03.PNG

Item 1: GCap selected.

Item 2: variable areas, listed below with their available settings:

Variable          Settings
home_net          CIDR address / CIDR address / CIDR address
external_net      List / Equals to HOME_NET / Opposite of HOME_NET
http_servers      List / Equals to HOME_NET / Opposite of HOME_NET
smtp_servers      List / Equals to HOME_NET / Opposite of HOME_NET
sql_servers       List / Equals to HOME_NET / Opposite of HOME_NET
dns_servers       List / Equals to HOME_NET / Opposite of HOME_NET
telnet_servers    List / Equals to HOME_NET / Opposite of HOME_NET
aim_servers       List / Equals to HOME_NET / Opposite of HOME_NET
dnp3_servers      List / Equals to HOME_NET / Opposite of HOME_NET
modbus_servers    List / Equals to HOME_NET / Opposite of HOME_NET
modbus_clients    List / Equals to HOME_NET / Opposite of HOME_NET
enip_servers      List / Equals to HOME_NET / Opposite of HOME_NET
enip_clients      List / Equals to HOME_NET / Opposite of HOME_NET

Item 3: `LOAD CONFIG` button: imports a pre-configured configuration file (Excel file).

Item 4: `DOWNLOAD TEMPLATE` button: downloads a template configuration file to be filled in and then imported with `LOAD CONFIG`.

Item 5: `APPLY` button: saves and applies the configuration to the GCap.


5.6.14.3.3. Default configuration of the `Net variables` section

Variable          Settings                                            Default value
home_net          CIDR address, CIDR address, CIDR address            10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
external_net      List / Equals to HOME_NET / Opposite of HOME_NET    Opposite of HOME_NET
http_servers      List / Equals to HOME_NET / Opposite of HOME_NET    Equals to HOME_NET
smtp_servers      List / Equals to HOME_NET / Opposite of HOME_NET    Equals to HOME_NET
sql_servers       List / Equals to HOME_NET / Opposite of HOME_NET    Equals to HOME_NET
dns_servers       List / Equals to HOME_NET / Opposite of HOME_NET    Equals to HOME_NET
telnet_servers    List / Equals to HOME_NET / Opposite of HOME_NET    Equals to HOME_NET
aim_servers       List / Equals to HOME_NET / Opposite of HOME_NET    Equals to HOME_NET
dnp3_servers      List / Equals to HOME_NET / Opposite of HOME_NET    Equals to HOME_NET
modbus_servers    List / Equals to HOME_NET / Opposite of HOME_NET    Equals to HOME_NET
modbus_clients    List / Equals to HOME_NET / Opposite of HOME_NET    Equals to HOME_NET
enip_servers      List / Equals to HOME_NET / Opposite of HOME_NET    Equals to HOME_NET
enip_clients      List / Equals to HOME_NET / Opposite of HOME_NET    Equals to HOME_NET

Attention

When a GCap is paired, the `Net variables` have the default values above (three home_net networks declared and active by default).


5.6.14.4. `Flow timeouts` section of the `Config Gcaps profiles` menu

The `Flow timeouts` section enables configuring the time in seconds that Sigflow keeps a flow in memory depending on its status.


5.6.14.4.1. Description of the `Flow timeouts` section

This section includes the following items:

../../_images/GCAP_04.PNG

Item 1: GCap selected.

Item 2: list of protocols. For each protocol, the following fields are shown:
  • `New` (3): period during which the connection is being established.
    Value in seconds, counted from the last activity of the flow in this state.
  • `Established` (4): period during which data transfer takes place.
    Value in seconds, counted from the last activity of the flow in this state.
  • `Closed` (5): period during which the connection is being torn down.
    Value in seconds, counted from the last activity of the flow in this state.
  • `Emergency_new` (6)
  • `Emergency_established` (7)
  • `Emergency_closed` (8)

Item 9: `APPLY` button: saves and applies the configuration to the GCap.

Caution

Changing the settings in this section may cause the AIONIQ solution to malfunction.
This section is reserved for support staff and advanced users.

The udp, tcp and icmp protocols are configurable.
For each protocol, a flow can be in one of the following states:
  • TCP (11): `New`, `Established`, `Closed`
  • UDP (10) and ICMP (12): `New`, `Established`

`Emergency_new`, `Emergency_established` and `Emergency_closed` are the emergency-mode timeouts for the corresponding states of TCP, UDP and ICMP.


5.6.14.4.2. Default configuration of the `Flow timeouts` section

The default configuration depending on the protocol (all values are in seconds; UDP, ICMP and the default entry have no `Closed` state):

Protocol   New   Established   Closed   Emergency new   Emergency established   Emergency closed
udp        30    300           -        10              100                     -
tcp        30    300           0        10              100                     0
icmp       30    300           -        10              100                     -
default    30    300           -        10              100                     -


5.6.14.5. `File rule management` section of the `Config Gcaps profiles` menu

5.6.14.5.1. Information on the `File rule management` section

The `File rule management` section enables configuring the file types that the probe retrieves for a given protocol.
The supported protocols are FTP, HTTP, HTTP2, NFS, SMB and SMTP.
Files are reconstructed and then saved to disk with metadata that includes information such as:
  • Time stamp

  • Source/destination IP address

  • Protocol

  • Source/destination port

  • Size

  • md5sum, etc.

File extraction works in parallel with the Sigflow signatures defined for these same protocols.
Each line in the `File rule management` section corresponds to an extraction rule for one file type.

Note

Too many file extraction rules can have a significant impact on the performance of the GCap.

Note

Changes to this section must be saved and applied to the GCap via the `Apply` button.


5.6.14.5.2. Description the `File rule management` section

This section includes the following items:

../../_images/GCAP_05.PNG

Item 1: definition of a file rule, which includes the following fields:

  • The `Protocol` field (3): selects the protocol for which the file is extracted, among FTP, HTTP, HTTP2, NFS, SMB and SMTP.

  • The `Type` field (4): defines how Sigflow recognizes the file. The choices are:

    • `extension`: the file extension is taken into account

    • `filemagic`: the type of the extracted file, as determined from its content, is taken into account. The `file` command under Linux gives this information. See the note below.

  • The `Value` field (5): identifier of the file to be rebuilt, according to the type configured above:

    • if `extension` is selected, enter the extension, e.g.:

      • for a Javascript file, enter `js`

      • for a Windows executable file, enter `exe`

    • if `filemagic` is selected, enter the magic description, e.g.:

      • for a Javascript file, enter `Javascript`

      • for a Windows executable file, enter `PE32 executable`

  • The `ENABLE` toggle (8): activates this rule

  • The `DELETE` control (9): deletes this line

Item 2: GCap selected.

Item 6: `ADD FILE RULE` button: adds a new rule. In the window that opens, fill in the Protocol, Type, Value and Enable fields.

Item 7: `LOAD CONFIG` button: imports a pre-configured configuration file (Excel-type file).

Item 9: `DOWNLOAD TEMPLATE` button: downloads a template configuration file to be filled in and then imported with `LOAD CONFIG`. See the DOWNLOAD TEMPLATE note.

Item 11: `Apply` button: saves the settings and applies them to the GCap.

Note

The `file` command under Linux enables obtaining this information.

shell
xxx@debian:~$ file ~/Téléchargements/xxx.exe
/home/xxx/Téléchargements/xxx.exe: PE32 executable (console) Intel 80386, for MS Windows

Note

It is strongly recommended to use the filemagic type. It is more accurate because it is based on the file's content and not on its extension, so a file is reconstructed for what it really is.
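The point of the note above, as an added example (not code from the GCenter or GCap product): a minimal content sniffer, a handful of magic numbers standing in for libmagic (which is what the `file` command and a filemagic rule rely on), is run beside an extension check over rules shaped like the rows of this screen. A Windows executable delivered under the name `invoice.pdf` is selected by the `filemagic` rule and missed by the `extension` rule. The rule dictionaries, the labels and the byte strings are constructed; real libmagic descriptions are longer than the labels used here.

```python
"""Added example, not part of the GCenter documentation: why the note above
prefers `filemagic` over `extension`. A minimal content sniffer (a handful of
magic numbers standing in for libmagic, which is what the `file` command and
Sigflow's filemagic use) is run beside an extension check over constructed
byte strings, with rules shaped like the rows of this screen. A Windows
executable delivered as `invoice.pdf` is selected by the content rule and
missed by the extension rule."""
from __future__ import annotations

# Leading bytes for a few of the `filemagic` values of the default profile.
# The labels copy the start of the `file` output; real libmagic output is longer
# (e.g. "PE32 executable (console) Intel 80386, for MS Windows").
MAGIC = [
    (b"MZ", "PE32 executable"),                    # DOS stub shared by PE32 and PE32+ images
    (b"\x7fELF", "ELF"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "Zip archive data"),           # also the container of OOXML and JAR files
    (b"\x1f\x8b", "gzip compressed data"),
    (b"Rar!\x1a\x07", "RAR archive data"),
    (b"7z\xbc\xaf\x27\x1c", "7-zip archive data"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Composite Document File V2"),
]


def sniff(data: bytes) -> str | None:
    """Content-based type, or None when no magic number matches."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return None


def rule_hits(rules: list[dict], filename: str, data: bytes) -> list[dict]:
    """Enabled rules that would extract this file (the protocol is assumed to be
    already matched). `extension` compares the file name suffix; `filemagic` is a
    substring match on the content-derived type, the way a filemagic rule matches
    the libmagic description."""
    label = sniff(data) or ""
    hits = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        if rule["type"] == "extension" and filename.lower().endswith("." + rule["value"].lower()):
            hits.append(rule)
        elif rule["type"] == "filemagic" and rule["value"] in label:
            hits.append(rule)
    return hits


# Constructed rules, shaped like the rows of the `File rule management` screen.
RULES = [
    {"protocol": "http", "type": "filemagic", "value": "PE32 executable", "enabled": True},
    {"protocol": "http", "type": "extension", "value": "exe", "enabled": True},
    {"protocol": "http", "type": "filemagic", "value": "PDF document", "enabled": True},
    {"protocol": "http", "type": "filemagic", "value": "ELF", "enabled": False},
]

# Constructed payloads: a PE image (DOS stub) renamed to look like a PDF, and a real PDF header.
PE_NAMED_PDF = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
PDF_BYTES = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"

if __name__ == "__main__":
    for name, data in [("invoice.pdf", PE_NAMED_PDF), ("setup.exe", PE_NAMED_PDF), ("report.pdf", PDF_BYTES)]:
        print(name, "->", [(r["type"], r["value"]) for r in rule_hits(RULES, name, data)])
```

Because a filemagic value is matched as a substring of the libmagic description, `PE32 executable` also selects `PE32 executable (DLL)` descriptions, whereas `PE32+ executable` (64-bit images) needs its own rule, as the default profile table below shows.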

Note

DOWNLOAD TEMPLATE

The `DOWNLOAD TEMPLATE` button downloads a .csv file to the user's PC.
This template file contains the column names and titles needed to create a custom configuration file.
The rules displayed are those of the profile previously loaded into the GCap, which was done as follows:
  • Use the `GCaps pairing and status` command in the Web UI

  • Select a default profile among Minimal, Balanced, MPL, Paranoid and Intuitio

The default profile is loaded into the GCap when it is paired with the GCenter.
If necessary, a profile can be reloaded or changed on an already paired GCap with the `Reset to default configuration` command.

5.6.14.5.3. Rules applied depending on the GCap profile used

Protocol  Type       Value                           Minimal   Balanced  LPM       Paranoid  Intuitio
ftp       filemagic  7-zip archive data              Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  COM executable                  Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Composite Document File V2      Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  DOS batch                       Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  ELF                             Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Java archive data               Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Javascript                      Disabled  Enabled   Disabled  Enabled   Enabled
ftp       filemagic  MS Windows shortcut             Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  MS-DOS executable               Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Mach-O                          Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Macromedia Flash                Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Microsoft Cabinet archive data  Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Microsoft Excel                 Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Microsoft OOXML                 Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Microsoft Office Document       Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Microsoft PowerPoint            Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Microsoft Word                  Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Node.js script text             Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  OS/2 REXX batch file            Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  OpenDocument                    Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  PDF document                    Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  PE32 executable                 Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  PE32 executable (DLL)           Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  PE32+ executable                Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  POSIX tar archive               Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  RAR archive data                Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  Zip archive data                Disabled  Enabled   Enabled   Enabled   Enabled
ftp       filemagic  gzip compressed data            Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  7-zip archive data              Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  COM executable                  Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Composite Document File V2      Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  DOS batch                       Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  ELF                             Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Java archive data               Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Javascript                      Disabled  Enabled   Disabled  Enabled   Enabled
http      filemagic  MS Windows shortcut             Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  MS-DOS executable               Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Mach-O                          Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Macromedia Flash                Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Microsoft Cabinet archive data  Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Microsoft Excel                 Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Microsoft OOXML                 Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Microsoft Office Document       Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Microsoft PowerPoint            Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Microsoft Word                  Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Node.js script text             Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  OS/2 REXX batch file            Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  OpenDocument                    Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  PDF document                    Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  PE32 executable                 Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  PE32 executable (DLL)           Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  PE32+ executable                Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  POSIX tar archive               Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  RAR archive data                Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  Zip archive data                Disabled  Enabled   Enabled   Enabled   Enabled
http      filemagic  gzip compressed data            Disabled  Enabled   Enabled   Enabled   Enabled
nfs       filemagic  7-zip archive data              Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  COM executable                  Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Composite Document File V2      Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  DOS batch                       Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  ELF                             Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Java archive data               Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Javascript                      Disabled  Disabled  Disabled  Disabled  Enabled
nfs       filemagic  MS Windows shortcut             Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  MS-DOS executable               Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Mach-O                          Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Macromedia Flash                Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Microsoft Cabinet archive data  Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Microsoft Excel                 Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Microsoft OOXML                 Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Microsoft Office Document       Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Microsoft PowerPoint            Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Microsoft Word                  Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Node.js script text             Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  OS/2 REXX batch file            Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  OpenDocument                    Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  PDF document                    Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  PE32 executable                 Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  PE32 executable (DLL)           Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  PE32+ executable                Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  POSIX tar archive               Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  RAR archive data                Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  Zip archive data                Disabled  Disabled  Disabled  Enabled   Enabled
nfs       filemagic  gzip compressed data            Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  7-zip archive data              Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  COM executable                  Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Composite Document File V2      Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  DOS batch                       Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  ELF                             Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Java archive data               Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Javascript                      Disabled  Disabled  Disabled  Disabled  Enabled
smb       filemagic  MS Windows shortcut             Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  MS-DOS executable               Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Mach-O                          Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Macromedia Flash                Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Microsoft Cabinet archive data  Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Microsoft Excel                 Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Microsoft OOXML                 Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Microsoft Office Document       Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Microsoft PowerPoint            Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Microsoft Word                  Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  Node.js script text             Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  OS/2 REXX batch file            Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  OpenDocument                    Disabled  Disabled  Disabled  Enabled   Enabled
smb       filemagic  PDF document                    Disabled  Disabled  Disabled  Enabled

The table is truncated at this point in the source: the Intuitio value of the last row and the remaining smb and smtp rows are not present on the page.

Enabled

smb

filemagic

PE32 executable

Disabled

Disabled

Disabled

Enabled

Enabled

smb

filemagic

PE32 executable (DLL)

Disabled

Disabled

Disabled

Enabled

Enabled

smb

filemagic

PE32+ executable

Disabled

Disabled

Disabled

Enabled

Enabled

smb

filemagic

POSIX tar archive

Disabled

Disabled

Disabled

Enabled

Enabled

smb

filemagic

RAR archive data

Disabled

Disabled

Disabled

Enabled

Enabled

smb

filemagic

Zip archive data

Disabled

Disabled

Disabled

Enabled

Enabled

smb

filemagic

gzip compressed data

Disabled

Disabled

Disabled

Enabled

Enabled

smtp

filemagic

7-zip archive data

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

COM executable

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Composite Document File V2

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

DOS batch

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

ELF

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Java archive data

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Javascript

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

MS Windows shortcut

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

MS-DOS executable

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Mach-O

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Macromedia Flash

Disabled

Enabled

Enabled

Enabled

Enabled

smb

filemagic

Microsoft Cabinet archive data

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Microsoft Excel

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Microsoft OOXML

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Microsoft Office Document

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Microsoft PowerPoint

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Microsoft Word

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Node.js script text

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

OS/2 REXX batch file

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

OpenDocument

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

PDF document

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

PE32 executable

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

PE32 executable (DLL)

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

PE32+ executable

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

POSIX tar archive

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

RAR archive data

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

Zip archive data

Disabled

Enabled

Enabled

Enabled

Enabled

smtp

filemagic

gzip compressed data

Disabled

Enabled

Enabled

Enabled

Enabled

Note

The filemagic values that can be used in the `Value` field are those present in the libmagic library.
A filemagic value that is not present in this library will not work.

5.6.14.6. `Packet filters` section of the `Config Gcaps profiles` menu

5.6.14.6.1. Information on the `Packet filters` section

The `Packet filters` section enables specific traffic to be ignored directly at the GCap network card level.
This feature keeps the GCap from being overloaded with "unnecessary" traffic such as encrypted streams, backup streams, etc., or with traffic that may overload the CPUs, such as Elephant Flow, Miles Flow, etc.
The traffic to be ignored is selected by VLAN, network prefix, protocol, and network ports.

Packet filtering is only active:

  • For active interfaces monX on the GCap

  • With an MTU of less than 3000 bytes

  • With the monitoring engine enabled

5.6.14.6.2. Description of the `Packet filters` section

This section includes the following items:

../../_images/GCAP_06.PNG

Item 1: GCAP selected.

Item 2: Definition of a packet filtering rule, which includes the following fields:

  • The `Interface` field (3) indicates the capture interface to which the filter applies: mon0, mon1, mon2, mon3 or monvirt

  • The `LAN` field (4) indicates the VLAN number

  • The `PREFIX` field (5) indicates the IP address or network prefix whose traffic is to be ignored

  • The `PROTOCOL` field (6) indicates the protocol to be ignored:

    • TCP

    • UDP

    • Tunnel protocols (AH, ESP, GRE, L2TP)

    • All TCP

    • All UDP

    • All TCP and UDP

    • All

    • AH

    • ESP

    • GRE

    • L2TP

  • The `PORT RANGE` field (7) restricts the filter to the selected port or port range. It is only available for the following protocols:

    • TCP

    • UDP

  • The `ENABLE` selector (10) activates this rule

  • The `DELETE` control (12) deletes this line

Item 8: The `CHANGE NATIVE VLAN` button modifies the default VLAN of the various active interfaces on the GCap. By default, this VLAN is 1 for each interface.

Item 9: The `ADD FILTER` button displays a window for creating a new filter.

Item 11: The `Apply` button saves the settings and makes the filters available to the GCaps.

Note

If an interface supports `Packet filtering`, a line with its fields empty is displayed for it in the filter list.
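As an added illustration that is not part of the GCenter documentation or of the product's code, the following Python models the rule semantics described in this section (interface, VLAN, prefix, protocol groups, port range, `ENABLE`, and the three conditions under which filtering is active), so that an analyst can audit which traffic a rule set makes the sensor blind to. The names `Filter`, `Packet`, `matches` and `ignored` are my own, and treating `PREFIX` as matching either endpoint and untagged frames as belonging to the native VLAN are assumptions, not statements from the page.

```python
# Added example, not part of the GCenter documentation: a model of how the
# GCap "Packet filters" rules described above select traffic to ignore, so an
# analyst can audit the blind spots a rule set creates. Assumptions: PREFIX
# matches either endpoint, and untagged frames count as the native VLAN (1).
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TUNNEL = {"AH", "ESP", "GRE", "L2TP"}          # the page's "Tunnel protocols" choice
GROUPS = {"All TCP": {"TCP"}, "All UDP": {"UDP"}, "All TCP and UDP": {"TCP", "UDP"},
          "Tunnel protocols": TUNNEL, "All": {"TCP", "UDP"} | TUNNEL}

@dataclass
class Filter:
    interface: str                 # mon0..mon3 or monvirt
    vlan: Optional[int] = None     # LAN field; None: any VLAN
    prefix: Optional[str] = None   # PREFIX field, e.g. "10.20.0.0/16"; None: any address
    protocol: str = "All"          # PROTOCOL field: TCP, UDP, AH, ESP, GRE, L2TP or a group
    port_range: Optional[Tuple[int, int]] = None  # PORT RANGE; the UI offers it for TCP/UDP only
    enabled: bool = True           # ENABLE selector

@dataclass
class Packet:
    interface: str
    src: str
    dst: str
    protocol: str
    port: Optional[int] = None
    vlan: Optional[int] = None     # None: untagged frame

def matches(rule: Filter, pkt: Packet, native_vlan: int = 1) -> bool:
    """True if this single rule would make the GCap ignore pkt."""
    if not rule.enabled or rule.interface != pkt.interface:
        return False
    if rule.vlan is not None and rule.vlan != (pkt.vlan if pkt.vlan is not None else native_vlan):
        return False
    if rule.prefix is not None:
        net = ipaddress.ip_network(rule.prefix, strict=False)
        if ipaddress.ip_address(pkt.src) not in net and ipaddress.ip_address(pkt.dst) not in net:
            return False
    if pkt.protocol not in GROUPS.get(rule.protocol, {rule.protocol}):
        return False
    if rule.port_range is not None and rule.protocol in ("TCP", "UDP"):
        low, high = rule.port_range
        return pkt.port is not None and low <= pkt.port <= high
    return True

def ignored(rules, pkt, active_interfaces, mtu=1500, engine_enabled=True) -> bool:
    """Filtering is only active on active monX interfaces, with MTU < 3000 and the engine on."""
    if not engine_enabled or pkt.interface not in active_interfaces or mtu >= 3000:
        return False
    return any(matches(r, pkt) for r in rules)
```

Run `ignored()` over exported flow records with the rule set configured in this screen to list the flows the GCap will never inspect, and check that list against what the filters were meant to exclude.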