SCNM uses two processes, fcd (filter control daemon) and
pcapd (packet capture daemon), to set up a filter for a specific path
and monitor its traffic. Both are started using the daemon.bat script:
daemon.bat start interface {-cd cache_dir -dddi | -dddd} [-bi] [-cl #]
The SCNM capture daemons should be started at boot time, using the script
/usr/local/etc/rc.d/z-scnmd.sh
To start scnm daemons with default options, do:
/usr/local/etc/rc.d/z-scnmd.sh start
For example, to start the capture daemons, watching for traffic on interface sk0 in both directions:
daemon.bat start sk0 -cd . -dddi -bi
Without specifying the interface "sk0", i.e., "daemon.bat start", the daemon will monitor the primary configured interface.
Command line options:
-cd cache directory: used for caching data files between pcapd and fcd. This is for the -dddi method, and the cache directory must be on a large partition that has at least 60 MB/s disk I/O.
-dddd: daemon delivers data directly to the client (synchronous delivery method). This only works if the NIC (usually fxp0) is on a dedicated network.
-dddi: daemon delivers data indirectly to the client (asynchronous delivery method). This is the default option.
-bi: bi-directional capture. Without this option, the capture daemon will only monitor the traffic from the source to the destination; this is the default.
-cl capture length: "-cl 0" tells the daemon to record/send variable-length data records. The variable-length mode is disabled in both the -dddd and -dddi methods. The default length is 80 bytes, the minimum is 28, and the maximum is 128. The default capture length of 80 bytes is suitable for most types of TCP analysis. To ensure capture of the entire TCP header, including all TCP options, use "-cl 86". A 52-byte capture length will be enough for simple TCP options.
To stop the SCNM daemons:
daemon.bat stop
To see if any SCNM daemon is running, and what options they are using:
daemon.bat stat
The current SCNM access control list (ACL) method is controlled by
fcd as follows.
When fcd starts, it looks for a default
configuration file - called act_auth.conf (activation authorization)
for a list of host names or IP addresses.
If this list exists, monitoring data may only be forwarded to these hosts.
If no configuration file is present or the file is empty, then the ACL
will be empty and data
is allowed to be sent to the source host (activation host) only.
An alternative configuration file can be specified on the fcd command
line via the -secu flag.
The configuration (authorization) can be changed dynamically.
The system administrator can modify act_auth.conf to add or delete a host,
then send a HUP signal to the fcd daemon to reload the ACL.
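The forwarding decision described above, as an added shell example that is not SCNM's own code: it assumes act_auth.conf holds one host name or IP address per line (an assumed layout, with blank lines and "#" comments ignored), and the reload helper sends HUP to fcd as the text describes.

```shell
#!/bin/sh
# Added example, not part of the SCNM distribution. Models the ACL rule
# fcd applies: a non-empty act_auth.conf lists the only hosts that may
# receive monitoring data; a missing or empty file allows the activation
# host only. One entry per line is an assumption about the file format.

# scnm_acl_entries CONF: print the normalized entries, nothing if the file
# is absent or empty after stripping comments and whitespace
scnm_acl_entries() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1"
}

# scnm_acl_allows CONF ACTIVATION_HOST DEST_HOST
#   exit 0 if data may be forwarded to DEST_HOST, 1 otherwise
scnm_acl_allows() {
    conf=$1; act=$2; dest=$3
    entries=$(scnm_acl_entries "$conf")
    if [ -z "$entries" ]; then
        # empty ACL: only the activation host may receive data
        [ "$dest" = "$act" ]
        return $?
    fi
    # non-empty ACL: destination must match a listed entry exactly
    printf '%s\n' "$entries" | grep -qxF -- "$dest"
}

# scnm_acl_reload: ask the running fcd to re-read act_auth.conf
# (pkill -x matches the process name exactly; a pid file would also do)
scnm_acl_reload() {
    pkill -HUP -x fcd
}

# Constructed sample ACL for the demonstration (not a deployment file)
SCNM_DEMO_CONF=$(mktemp)
cat > "$SCNM_DEMO_CONF" <<'EOF'
# hosts allowed to receive monitoring data
collector.example.org
192.0.2.10   # trailing comment
EOF
SCNM_EMPTY_CONF=$(mktemp)
```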