Adjusting interface monitoring

The default settings for monitoring network interfaces should be sufficient for the majority of users. The interfaces monitored and how they can be changed if required are described here.

Windows Network Monitoring

All physical and virtual interfaces are monitored for network traffic.

The default settings cannot currently be changed.

Linux and macOS Network Monitoring

macOS Default

By default the SenseOn endpoint will monitor all interfaces which start with:

  • en
  • utun
  • ppp

Linux Default Settings

By default the SenseOn endpoint will monitor all interfaces which start with:

  • tun
  • bond
  • eth
  • en
  • wl
  • ww

Adjusting interface monitoring

  1. Stop the endpoint sensor service using the command systemctl stop senseon-seed
  2. Confirm the service is stopped with the command systemctl status senseon-seed
  3. Rename the file /etc/senseon-see/epns.json to /etc/senseon-see/epns.json.bak
  4. Copy the configuration file below to /etc/senseon-see/epns.json
  5. Start the endpoint sensor service using the command systemctl start senseon-seed

Configuration file

{
    "tcp_max_flow_age_ms" : 86400000,
    "tcp_max_idle_flow_age_ms" : 1200000,
    "tcp_max_bytes" : 524288,
    "tcp_max_packets" : 512,
    "tcp_max_tracked_flows" : 10000,
    "udp_max_flow_age_ms" : 3600000,
    "udp_max_idle_flow_age_ms" : 300000,
    "udp_max_bytes" : 131072,
    "udp_max_packets" : 256,
    "udp_max_tracked_flows" : 10000,
    "acquisition_work_queue_size" : 10000,
    "enable_metrics" : true,
    "debug_output" : false,
    "td_interval_s" : 45,
    "interface_pattern" : "<interface name goes here>"
}

Replace the text <interface name goes here> with the name of the interface.

💡 Regular expression support: The interface name supports regular expressions in ECMAScript grammar. As a result, comma-separated values will not be interpreted as lists of interfaces. To match multiple interfaces, use the | operator, for example: (eth0|eth1)
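
Before restarting the sensor, a candidate interface_pattern can be previewed against the host's interface names. The sketch below is an added example, not SenseOn code; the function name previewInterfacePattern and the sample interface list are constructed for illustration. The page does not say whether the sensor matches the whole interface name or any part of it, so the example reports both interpretations.

```javascript
// Constructed sample of interface names for a Linux host (not taken from the page).
const SAMPLE_INTERFACES = ["lo", "eth0", "eth1", "eth10", "veth3a1f", "bond0", "wlan0", "tun0", "docker0"];

// Preview which interfaces a candidate interface_pattern would select.
// Assumption: the sensor's anchoring behaviour is not documented on the page,
// so matches are listed both for whole-name matching and for matching anywhere.
function previewInterfacePattern(pattern, interfaces = SAMPLE_INTERFACES) {
  const result = { pattern, valid: true, error: null, warnings: [], wholeName: [], anywhere: [], jsonValue: null };
  let anywhere, whole;
  try {
    anywhere = new RegExp(pattern);
    whole = new RegExp(`^(?:${pattern})$`);
  } catch (e) {
    result.valid = false;
    result.error = e.message;
    return result;
  }
  // A comma is a literal character in a regex, not a list separator ({n,m} quantifiers are ignored here).
  if (pattern.replace(/\{\d*,\d*\}/g, "").includes(",")) {
    result.warnings.push("comma is matched literally; use | to list interfaces");
  }
  result.wholeName = interfaces.filter((name) => whole.test(name));
  result.anywhere = interfaces.filter((name) => anywhere.test(name));
  if (result.anywhere.length > result.wholeName.length) {
    result.warnings.push("pattern also matches inside longer names; anchor with ^ and $ if unintended");
  }
  if (result.anywhere.length === 0) {
    result.warnings.push("pattern matches no interface in the list");
  }
  // JSON.stringify escapes backslashes, so the regex eth\d is written "eth\\d" in epns.json.
  result.jsonValue = JSON.stringify(pattern);
  return result;
}

for (const p of ["(eth0|eth1)", "eth0,eth1", "eth\\d", "(eth0"]) {
  console.log(JSON.stringify(previewInterfacePattern(p)));
}
```

Run it with Node.js after replacing the sample list with the interface names present on the host; the jsonValue field is the text to place after "interface_pattern" : in the configuration file.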

⚠ Traffic deduplication: We strongly recommend avoiding situations which will involve analysing duplicate traffic, due to the additional processing cost. Traffic isn’t deduplicated on the endpoint, although duplicate TCP traffic will be detected and deduplicated on the analysis platform in most cases (e.g. because of clashing sequence numbers).