# Example NetScope config template.
# CLI flags override these values when explicitly provided.
# For field descriptions and authoritative defaults, see docs/configuration.md.
[capture]
# Packet source and libpcap capture parameters.
# NOTE(review): the two commented-out keys below look like alternative
# sources (live interface vs. saved trace) - confirm in docs/configuration.md.
# interface = "en0"
# read_pcap = "/path/to/trace.pcap"
# Promiscuous mode normally makes the interface accept frames addressed to
# other hosts, so anything this capture writes can hold third-party traffic;
# treat the outputs as sensitive data.
promiscuous = true
# NOTE(review): presumably the per-packet capture length in bytes; a smaller
# value would truncate payloads and reduce how much content is retained - confirm.
snaplen = 65535
timeout_ms = 100
buffer_size_mb = 0 # 0/omit = libpcap default buffer size
immediate_mode = false
# Optional capture filter; the example value is a BPF-style expression.
# Narrowing the filter limits what is captured and stored in the first place.
# filter = "tcp port 443"
[run]
# Run-length setting.
# NOTE(review): 0 presumably means "no packet limit" - confirm in docs/configuration.md.
count = 0
[output]
# File and console outputs. Every file output is disabled in this template.
# Omit keys or set to "" to disable file outputs
# Pcap files, exports and hex dumps can contain packet payloads (credentials,
# session tokens, personal data). Point them at a directory with restrictive
# permissions and apply a retention policy.
write_pcap = ""
# NOTE(review): with both values at 0 neither rotation nor pruning is active,
# so an enabled write_pcap presumably grows without bound - confirm, and set
# both when capturing for long periods to avoid filling the disk.
write_pcap_rotate_mb = 0 # >0 enables size-based pcap rotation (MiB)
write_pcap_max_files = 0 # keep newest N rotated segments; requires rotate_mb > 0
export_json = ""
export_csv = ""
expired_flows_jsonl = ""
hex_dump = false
quiet = false
[flow]
# Flow-tracking limits.
# NOTE(review): timeout_secs is presumably the idle time after which a flow
# expires - confirm in docs/configuration.md.
timeout_secs = 60.0
# NOTE(review): presumably the upper bound on concurrently tracked flows.
# A cap like this bounds memory under high-cardinality traffic (scans, floods);
# confirm what happens to new flows once the cap is reached.
max_flows = 100000
[stats]
# Periodic statistics, disabled in this template.
enabled = false
interval_ms = 1000
# NOTE(review): 0 presumably disables the top-flows listing - confirm.
top_flows = 0
[analysis]
# Per-flow TCP analysis toggles and anomaly detection.
# Setting rtt, retrans and out_of_order all to false activates compact
# scale-mode flow storage.
rtt = true
retrans = true
out_of_order = true
# Omit or set to "" to disable alert file
# NOTE(review): with the alert file disabled, confirm where anomaly alerts are
# reported; a persistent sink is needed if they feed detection or triage.
alerts_jsonl = ""
[analysis.anomalies]
# NOTE(review): this looks like the master switch for the detectors below,
# which are individually enabled but presumably inert while this is false - confirm.
enabled = false
[analysis.anomalies.syn_flood]
# SYN-flood detector thresholds, evaluated over window_secs.
# NOTE(review): presumably an alert needs the SYN count and the number of
# distinct sources to exceed their thresholds within the window, and
# cooldown_secs suppresses repeat alerts - confirm. Tune against a baseline of
# normal traffic; busy front ends can exceed 200 SYNs in 5 s legitimately.
enabled = true
window_secs = 5.0
syn_threshold = 200
unique_src_threshold = 50
cooldown_secs = 10.0
[analysis.anomalies.port_scan]
# Port-scan detector thresholds, evaluated over window_secs.
# NOTE(review): presumably triggers on distinct destination ports and/or
# distinct hosts contacted by one source within the window - confirm whether
# the two thresholds are combined with AND or OR. Scans paced slower than the
# window stay under these counts, so do not rely on this detector alone.
enabled = true
window_secs = 10.0
unique_ports_threshold = 25
unique_hosts_threshold = 10
cooldown_secs = 30.0
[web]
# Built-in web interface, disabled in this template.
enabled = false
# Loopback address: the listener is reachable only from the local host.
# TLS and authentication are both disabled below, so enable [web.tls] and
# [web.auth] before changing this to a non-loopback address.
bind = "127.0.0.1"
port = 8080
tick_ms = 1000
top_n = 10
packet_buffer = 2000 # packet-store preallocation is internally capped at 8192
sample_rate = 1
# NOTE(review): presumably the number of payload bytes kept per packet for the
# web view; anyone who can reach the interface could then read that content.
# Lower it if payload inspection is not needed - confirm in docs/configuration.md.
payload_bytes = 256
[web.tls]
enabled = false
cert_path = "" # PEM certificate path (required when enabled)
# Keep the private key readable only by the account that runs NetScope.
key_path = "" # PEM private key path (required when enabled)
[web.auth]
enabled = false
username = ""
# An inline password is stored in plaintext in this file. Prefer password_file
# with owner-only permissions, and keep a populated config out of version control.
# NOTE(review): if credentials travel without TLS they are exposed on the wire;
# enable [web.tls] together with auth on any non-loopback bind.
password = "" # optional inline password (use either this or password_file)
password_file = "" # optional file containing only the password
[pipeline]
# Multi-worker processing, disabled in this template.
enabled = false
workers = 0 # 0 = auto-detect (half of CPU count, clamped 1..8)
# NOTE(review): confirm whether packets are dropped or capture blocks when a
# worker queue is full; drops under load would leave gaps in analysis output.
channel_capacity = 4096 # per-worker queue size; config-file only