Collector Placement Recommendations

The deployed collector components passively collect and monitor HTTP and SMTP sessions, analyze them, and generate alerts based on detections. Designated user groups can configure properties/options for each deployed collector assigned to them by adding the desired integration features available in the UI.

  1. Go to Administration > Collection and click View Collection Properties for the collector you want to configure.
  2. Click Add Collector Property.
  3. Select a collector property option from the drop-down menu and specify a corresponding property value.
  4. After adding all the required integration features to the collector properties, click Save Collection Properties.

Note: You can grant permissions to specific user groups to control who can add and/or modify collection properties on each deployed collector. You can also grant permissions to the desired user groups to view traffic for specific network subnets or VLANs on the Analysis and Dashboard pages. Refer to the Collector Option Permissions, Subnet View Permissions, and VLAN Permissions sections for step-by-step instructions on assigning these permissions.

Collection Options Requirements

Process VLAN Traffic = True

This option is required to collect traffic that carries more than one VLAN tag. Select Process Double VLAN-Tagged Traffic only if packets carry more than one VLAN ID; if captures have only one VLAN ID per packet, leave this option unselected.

VLAN depth auto-detection

The collector samples a single frame from the capture interface (tcpdump -c1 with link-layer headers enabled) to determine how many VLAN tags the traffic carries:

[2015-03-25 00:34:14] INFO vlan.pm 303 > Ethernet peek: /usr/sbin/tcpdump -nne -i em2 -c1 2>/dev/null

Normal Ethernet frame with a single VLAN tag (note vlan 1010)

[2015-03-25 00:34:14] INFO vlan.pm 303 > capture sample: 00:34:14.499387 00:23:e9:17:f6:01 > 00:1b:17:00:02:26, ethertype 802.1Q (0x8100), length 335: vlan 1010, p 3, ethertype IPv4, 214.22.92.28.443 > 139.232.207.254.57119: Flags [P.], seq 1377462982:1377463259, ack 4125812639, win 30, length 277

Double-tagged Ethernet frame (note vlan 1010 and vlan 2020)

[2015-03-25 00:34:14] INFO vlan.pm 303 > capture sample: 00:34:14.499387 00:23:e9:17:f6:01 > 00:1b:17:00:02:26, ethertype 802.1Q (0x8100), (length 335: vlan 1010, vlan 1010), p 3, ethertype IPv4, 214.22.92.28.443 > 139.232.207.254.57119: Flags [P.], seq 1377462982:1377463259, ack 4125812639, win 30, length 277

Capture log: /opt/inquest/logs/capture.log

Parse log(s): /opt/inquest/logs/inquestctrl_{http,smtp}.log

If no traffic is being written to disk under /opt/inquest/pcaps/{http,smtp}, check the capture log for the frame header details and the command(s) used to collect traffic. If the parsers are not extracting files, similar VLAN details may appear in the parse logs as well.
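As an added example (not part of the InQuest documentation or product code), the following Python script performs the same VLAN-depth check by hand on capture-log lines of the form shown above: it extracts the tcpdump peek command and each sampled frame summary, counts the 802.1Q tags per frame, and reports whether Process Double VLAN-Tagged Traffic should be selected. The sample log text is constructed from the excerpts above; the double-tagged line, its addresses and its timestamp are assumptions modelled on tcpdump's usual stacked-tag output, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed capture-log excerpt. The first two lines mirror the page's
# single-tag example; the third is an assumed double-tagged (QinQ) sample
# in tcpdump's usual format, using documentation-range addresses.
SAMPLE_CAPTURE_LOG = """\
[2015-03-25 00:34:14] INFO vlan.pm 303 > Ethernet peek: /usr/sbin/tcpdump -nne -i em2 -c1 2>/dev/null
[2015-03-25 00:34:14] INFO vlan.pm 303 > capture sample: 00:34:14.499387 00:23:e9:17:f6:01 > 00:1b:17:00:02:26, ethertype 802.1Q (0x8100), length 335: vlan 1010, p 3, ethertype IPv4, 214.22.92.28.443 > 139.232.207.254.57119: Flags [P.], seq 1377462982:1377463259, ack 4125812639, win 30, length 277
[2015-03-25 00:34:15] INFO vlan.pm 303 > capture sample: 00:34:15.101010 00:23:e9:17:f6:01 > 00:1b:17:00:02:26, ethertype 802.1Q (0x8100), length 339: vlan 1010, p 3, ethertype 802.1Q (0x8100), vlan 2020, p 0, ethertype IPv4, 192.0.2.10.80 > 192.0.2.20.51000: Flags [.], ack 1, win 100, length 0
"""

# "vlan <id>" appears once per 802.1Q header in tcpdump -e output,
# outermost tag first.
VLAN_TAG_RE = re.compile(r"\bvlan (\d+)\b")
PEEK_RE = re.compile(r"Ethernet peek: (.+)$")
SAMPLE_RE = re.compile(r"capture sample: (.+)$")


def vlan_ids(frame_summary: str) -> List[int]:
    """Return the VLAN IDs found in one tcpdump -e frame summary, outermost first."""
    return [int(v) for v in VLAN_TAG_RE.findall(frame_summary)]


def vlan_depth(frame_summary: str) -> int:
    """Number of stacked VLAN tags on the frame (0 for untagged traffic)."""
    return len(vlan_ids(frame_summary))


def needs_double_vlan_option(depths: List[int]) -> bool:
    """Process Double VLAN-Tagged Traffic is only warranted when some
    sampled frame carries more than one VLAN tag."""
    return any(d > 1 for d in depths)


def analyze_capture_log(text: str) -> Dict[str, object]:
    """Summarise the peek commands and sampled frames in a capture log."""
    peek_commands: List[str] = []
    samples: List[str] = []
    for line in text.splitlines():
        m = PEEK_RE.search(line)
        if m:
            peek_commands.append(m.group(1).strip())
            continue
        m = SAMPLE_RE.search(line)
        if m:
            samples.append(m.group(1).strip())

    depths = [vlan_depth(s) for s in samples]
    return {
        "peek_commands": peek_commands,
        "sample_count": len(samples),
        "max_vlan_depth": max(depths, default=0),
        "vlan_ids_seen": sorted({v for s in samples for v in vlan_ids(s)}),
        "process_double_vlan_tagged": needs_double_vlan_option(depths),
    }


if __name__ == "__main__":
    report = analyze_capture_log(SAMPLE_CAPTURE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real file with `analyze_capture_log(open("/opt/inquest/logs/capture.log").read())`. A `max_vlan_depth` of 1 with the double-VLAN option enabled, or a depth of 2 with it disabled, is the mismatch to look for when pcaps are not being written.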
