NetFort Tips & Tricks - How to exclude some of your network traffic from LANGuardian monitoring

  • Updated 3 years ago
A customer recently contacted us with a quick question,
"We have an IP camera system and our security department is constantly monitoring the feeds; this is traversing the network and as a result is skewing the results on the dashboard. There is heavy traffic, but this is generated by the IP camera system".

"Is there a way to filter or exclude these systems from LANGuardian? It's on a separate VLAN, but the traffic is traversing through the same ports that are being monitored".

The answer is yes, it is possible. The customer in question wanted to exclude camera traffic, but you can use the same technique to exclude any traffic you do not want to monitor. Reducing the amount of traffic monitored by LANGuardian improves database efficiency and overall performance.

LANGuardian uses Berkeley Packet Filter (BPF) expressions to include or exclude the traffic you want it to monitor. The steps involved in setting up a BPF filter are:

1. Go to the LANGuardian Configuration page.
2. In the System Status section of the Configuration page, click Check the sensor status.
3. Click the Settings link for the sensor you want to modify.
4. Click Edit Sensor Settings.
5. Find the setting BPF Filter For The Traffic Monitor / BPF traffic filter for IDS.
6. Specify a filter (see some examples below).
7. Click Save.

The following examples show some of the most common BPF filters.
  • To exclude one host - not host x.x.x.x
  • To exclude multiple hosts - not host (x.x.x.x or x.x.x.x or x.x.x.x)
  • To exclude one port - not port x
  • To exclude traffic belonging to a certain host on a VLAN - not (vlan and host x.x.x.x)
  • To exclude traffic between host A and host B - not (host A and host B)
  • To exclude one subnet - not net x.x.x.x/mask
  • To capture only traffic to and from a subnet - net x.x.x.x/mask
  • To capture only traffic to and from a host - host x.x.x.x
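
An added example (not NetFort's code and not part of the original post) that builds filters in the forms listed above and validates the addresses first. It can limit the exclusion to specific hosts and one port, so the rest of those hosts' traffic is still monitored. The function name, the sample addresses and port 554 are assumptions made for illustration.

```python
import ipaddress


def _group(terms):
    """Join alternatives with 'or'; parenthesise only when there are several."""
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"


def exclusion_filter(hosts=(), nets=(), ports=(), vlan=None):
    """Return a BPF expression excluding only the listed traffic.

    hosts, nets: systems to exclude. ports: if given, only these ports are
    excluded for those systems, so their other traffic stays monitored.
    vlan: None (untagged), "any" (any 802.1Q tag) or an int VLAN ID.
    """
    # ipaddress raises ValueError on malformed input such as 10.0.0.300.
    endpoints = [f"host {ipaddress.ip_address(h)}" for h in hosts]
    # strict=False clears stray host bits: 10.20.30.7/24 -> 10.20.30.0/24.
    endpoints += [f"net {ipaddress.ip_network(n, strict=False)}" for n in nets]

    port_terms = []
    for p in ports:
        if not 0 < int(p) < 65536:
            raise ValueError(f"port out of range: {p}")
        port_terms.append(f"port {int(p)}")

    if not endpoints and not port_terms:
        raise ValueError("nothing to exclude")

    clauses = []
    if vlan == "any":
        clauses.append("vlan")
    elif vlan is not None:
        if not 0 < int(vlan) < 4095:
            raise ValueError(f"VLAN ID out of range: {vlan}")
        clauses.append(f"vlan {int(vlan)}")
    if endpoints:
        clauses.append(_group(endpoints))
    if port_terms:
        clauses.append(_group(port_terms))
    # Same shape as the page's "not (vlan and host x.x.x.x)".
    return "not (" + " and ".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed sample: two cameras (documentation addresses), RTSP on 554.
    print(exclusion_filter(["192.0.2.10", "192.0.2.11"], ports=[554], vlan="any"))
```

The returned string is what goes into the BPF filter setting in step 6.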

Please contact us if you would like to know more about configuring BPF filters to reduce the amount of traffic monitored by LANGuardian. And, as always, if you have questions about any aspect of LANGuardian, please contact us on support@netfort.com any time.


Aisling Brennan, Official Rep


Posted 3 years ago
