
NetFort Tips & Tricks – How to exclude some of your network traffic from LANGuardian monitoring

20 February 2019 | Forum | By: Saleha Gulzar

A customer recently contacted us with a situation: “We have an IP camera system and our security department is constantly monitoring the feeds; this is traversing the network and as a result is skewing the results on the dashboard. There is heavy traffic, but this is generated by the IP camera system.”

They then asked the following question: “Is there a way to filter or exclude these systems from LANGuardian? It’s on a separate VLAN, but the traffic is traversing through the same ports that are being monitored.”

The answer is yes, it is possible.

The customer in question wanted to exclude camera traffic, but you can use the same technique to exclude any traffic you do not want to monitor. Reducing the amount of traffic monitored by LANGuardian improves database efficiency and overall performance. LANGuardian applies a Berkeley Packet Filter (BPF) expression to the captured traffic, so you can include or exclude traffic before it is analysed.

The steps involved in setting up a BPF filter are:

  1. Go to the LANGuardian Configuration page.
  2. In the System Status section of the Configuration page, click Check the sensor status.
  3. Click the Settings link for the sensor you want to modify.
  4. Click Edit Sensor Settings.
  5. Find the setting BPF Filter For The Traffic Monitor/BPF traffic filter for IDS.
  6. Specify a filter (see some examples below).
  7. Click Save.

The following examples show some of the most common BPF filters:

  • To exclude one host: not host x.x.x.x
  • To exclude multiple hosts: not host (x.x.x.x or x.x.x.x or x.x.x.x)
  • To exclude one port: not port x
  • To exclude traffic belonging to a certain host on a VLAN (802.1Q-tagged frames only; untagged traffic from the same host is still monitored): not (vlan and host x.x.x.x)
  • To exclude only the traffic between host A and host B (traffic from either host to anyone else is still monitored): not (host A and host B)
  • To exclude one subnet: not net x.x.x.x/mask
  • To capture only traffic to and from a host: host x.x.x.x
  • To capture only traffic to and from a subnet: net x.x.x.x/mask
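The difference between these filters is easiest to see by running them against a handful of flows. The script below is an added example, not LANGuardian or libpcap code: it parses the BPF subset used in this post (host, net, port, a bare vlan keyword, and/or/not, parentheses, including the inherited-qualifier form host (a or b)) and evaluates each expression against constructed flow records. The camera, NVR and user addresses are made up for the example, and vlan is simplified to "frame carries an 802.1Q tag", whereas in real libpcap the vlan keyword also shifts the offsets used by later keywords.

```python
"""Added example: evaluate the post's BPF filters against constructed flows."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    sport: int
    dport: int
    vlan: Optional[int] = None  # 802.1Q tag, None when untagged


# Constructed sample flows (not real data): two camera RTSP streams on VLAN 50,
# ordinary user traffic on VLAN 10, and one untagged SSH session from a camera.
FLOWS = [
    Flow("cam1-rtsp", "10.10.50.21", "10.10.1.5", 40001, 554, vlan=50),
    Flow("cam2-rtsp", "10.10.50.22", "10.10.1.5", 40002, 554, vlan=50),
    Flow("user-https", "192.168.1.20", "203.0.113.10", 50001, 443, vlan=10),
    Flow("user-smb", "192.168.1.20", "192.168.1.5", 50002, 445, vlan=10),
    Flow("cam1-ssh", "10.10.50.21", "192.168.1.100", 50003, 22),
]

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


class BpfParser:
    """expr := term ('or' term)* ; term := factor ('and' factor)* ;
    factor := 'not' factor | '(' expr ')' | 'vlan' | host/net/port value."""

    def __init__(self, text: str):
        self.tokens = TOKEN_RE.findall(text)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def expr(self):
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.term())
        return left

    def term(self):
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.factor())
        return left

    def factor(self):
        tok = self.take()
        if tok == "not":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok == "vlan":
            return ("vlan",)
        if tok in ("host", "net", "port"):
            return self.primitive(tok)
        raise ValueError(f"unsupported keyword {tok!r}")

    def primitive(self, kind):
        """Plain `host a`, or the inherited-qualifier list `host (a or b or c)`."""
        if self.peek() != "(":
            return (kind, self.value(kind, self.take()))
        self.take()
        node = (kind, self.value(kind, self.take()))
        while self.peek() in ("or", "and"):
            op = self.take()
            node = (op, node, (kind, self.value(kind, self.take())))
        if self.take() != ")":
            raise ValueError("expected ')'")
        return node

    @staticmethod
    def value(kind, text):
        if kind == "host":
            return ipaddress.ip_address(text)
        if kind == "net":
            return ipaddress.ip_network(text, strict=False)  # accepts /24 or /255.255.255.0
        return int(text)  # port


def matches(node, flow: Flow) -> bool:
    """True if the flow matches the expression (i.e. the sensor keeps it)."""
    kind = node[0]
    if kind == "and":
        return matches(node[1], flow) and matches(node[2], flow)
    if kind == "or":
        return matches(node[1], flow) or matches(node[2], flow)
    if kind == "not":
        return not matches(node[1], flow)
    ends = (ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst))
    if kind == "host":
        return node[1] in ends            # either endpoint, like libpcap's `host`
    if kind == "net":
        return any(a in node[1] for a in ends)
    if kind == "port":
        return node[1] in (flow.sport, flow.dport)
    return flow.vlan is not None          # simplified `vlan`: frame is tagged


def kept(expression: str, flows=FLOWS):
    """Names of the flows that would still be monitored under this filter."""
    tree = BpfParser(expression).parse()
    return [f.name for f in flows if matches(tree, f)]


if __name__ == "__main__":
    for expr in ("not net 10.10.50.0/24", "not host (10.10.50.21 or 10.10.50.22)",
                 "not (vlan and host 10.10.50.21)", "not (host 10.10.50.21 and host 10.10.1.5)",
                 "not port 554", "host 10.10.1.5"):
        print(f"{expr:45} -> {kept(expr)}")
```

Running it shows the two caveats from the list above: not (vlan and host 10.10.50.21) still keeps the untagged cam1-ssh flow, and not (host 10.10.50.21 and host 10.10.1.5) drops only the cam1-to-NVR stream, so cam2's stream and cam1's SSH session remain on the dashboard.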

Please contact us if you would like to know more about configuring BPF filters to reduce the amount of traffic monitored by LANGuardian. If you have questions about LANGuardian itself, please contact support@netfort.com.