The file contains entries of the form:
Below follows a brief discussion of the usage of each keyword. Your firestorm package should also include a sample configuration file which provides a good commentary.
pcap - Most people will want to capture from the live network with libpcap. This plugin has only one option 'if' which is used to specify which interface to listen on. (eg: if='eth0' or if='any' to listen on all interfaces).
pcapfile - Firestorm(8) can also capture from libpcap files, captured for example by tcpdump. This plugin also has only one argument, 'file', which specifies the filename. (eg: file='./captures/mynetwork.cap').
linux - Firestorm(8) has the ability to support high-speed OS specific capture plugins. Use this plugin if you run a recent Linux kernel with mmap() packet socket support. This plugin takes two options, 'if' and 'blocks', where 'if' is the interface to listen on and 'blocks' is a number specifying how many blocks to use in the ring buffer. Generally the higher this number, the more memory is used and the fewer packets will be dropped - you can look in the firestorm log output to get an idea of how much memory (in KB) it translates to. (eg: if='any' blocks=128).
tcpdump - This plugin is a high-speed alternative to the pcapfile plugin and doesn't depend on libpcap. This plugin is recommended over and above pcapfile. It takes the same argument (eg: file='./myfile.cap').
dir - Sets the location of the log spool directory.
size - Sets the upper bound on the size of a log file before rotating. Set to zero to disable filesize based log rotation.
minutes - Sets the maximum age, in minutes, that a logfile can reach before being rotated. Set to zero to disable time based log rotation.
stormwall - Must be one of 'none', 'wait' or 'fail'. Tells firestorm how to notify stormwall of new logfiles becoming available. 'none' disables stormwall notification, 'wait' tells firestorm to wait for stormwall to start before capturing packets and 'fail' tells firestorm to immediately fail if stormwall isn't running.
buf - How large to set the output buffer, in bytes. Set to zero for maximum reliability. The higher this value, the higher the performance but the lower the reliability. The reliability hit can be ameliorated by log rotation size or time limit. Rotated logfiles are *guaranteed* written to disk.
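As an added example (not part of the firestorm distribution or this man page), a small checker that applies the constraints described above to a configuration: each capture plugin accepts only the options listed for it, stormwall must be one of the three modes, and a non-zero buf with both rotation limits disabled is flagged because buffered events are only guaranteed on disk once a logfile is rotated. The dictionary form of the settings is an assumption, since the entry syntax is not shown here.

```python
# Added example, not firestorm's own code. Keyword names and allowed
# values are taken from the man page; the dict layout is assumed.

CAPTURE_PLUGINS = {          # plugin -> the options the page lists for it
    "pcap": {"if"},
    "pcapfile": {"file"},
    "linux": {"if", "blocks"},
    "tcpdump": {"file"},
}
STORMWALL_MODES = {"none", "wait", "fail"}


def check_capture(plugin, opts):
    """Return a list of problems for one capture plugin and its options."""
    if plugin not in CAPTURE_PLUGINS:
        return [f"unknown capture plugin '{plugin}'"]
    allowed = CAPTURE_PLUGINS[plugin]
    problems = [f"{plugin}: unsupported option '{k}'" for k in opts if k not in allowed]
    # Assumption: every listed option is expected to be present.
    problems += [f"{plugin}: missing option '{k}'" for k in sorted(allowed - set(opts))]
    if plugin == "linux" and "blocks" in opts:
        try:
            if int(opts["blocks"]) <= 0:
                raise ValueError
        except ValueError:
            problems.append("linux: blocks must be a positive integer")
    return problems


def check_logging(log):
    """Check dir/size/minutes/stormwall/buf and flag the risky combination."""
    problems = []
    if not log.get("dir"):
        problems.append("log: 'dir' (spool directory) is not set")
    if log.get("stormwall", "none") not in STORMWALL_MODES:
        problems.append("log: stormwall must be one of 'none', 'wait' or 'fail'")
    size, minutes, buf = (int(log.get(k, 0)) for k in ("size", "minutes", "buf"))
    if buf > 0 and size == 0 and minutes == 0:
        # Rotated logfiles are guaranteed written; with no rotation at all,
        # up to 'buf' bytes of events can be lost if firestorm dies.
        problems.append("log: buf > 0 with size=0 and minutes=0; nothing forces "
                        "buffered events to disk")
    return problems


if __name__ == "__main__":
    # Constructed sample settings, not a real deployment.
    for p in check_capture("linux", {"if": "any", "blocks": "128"}):
        print(p)
    for p in check_logging({"dir": "/var/spool/firestorm", "buf": 65536,
                            "size": 0, "minutes": 0, "stormwall": "wait"}):
        print(p)
```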
Man page by Gianni Tedesco <gianni at scaramanga dot co dot uk>
Copyright (C) 2002 by Gianni Tedesco <gianni at scaramanga dot co dot uk>