Capture Settings, Network Options

Top  Previous  Next

Capture Settings are set-up separately for each capture channel.  Once these settings have been specified, OK or Apply should be clicked.  The Network Options tab has separate SSL/TLS settings for TCP Server and TCP Client, and some rarely used settings common to all network protocols.

 

cm5-1set-netopt

 

 

SSL/TLS Capture TCP Server

TCP Server and TCP Multi Server channels must have a valid SSL/TLS certificate, or they will not start, see SSL/TLS and Certificates. The certificate may be shared with other channels or applications.  Note the following options are only enabled if this network channel was configured for SSL in Common Settings, Network Channels, this is a change from ComCap4.  If this channel also use Echo to TCP Server with SSL/TLS, separate certificate settings are on the Echo tab.

 

SSL Server Certificate or Bundle with Key and Inters

Specifies the SSL/TLS server X509 certificate file, which may contain one or more certificates in various formats and a private key. Sometimes separate files are used for server certificate, private key and optional intermediate certificates, but using a bundle keeps them together for simplicity. The two bundle formats supported are PEM (which contains base64 ASCII) and PFX or P12 which is PKC12 binary format.  Certificate only files may be PEM, DER, or P7 format. Sometimes PEM files have a CER extension.

 

If Automatic Certificate Ordering is enabled or Create Local SSL Certificate (see below) is used, this field may contain just a directory path for certificates, and ComCap will create a file name automatically using the Certificate Domain Name (see below) when one of the buttons below is clicked.

 

If this field is already completed, ComCap will display the certificate content in a scrolling window on this tab.  The most important line is 'Issued to (CN)' which show the certificate Subject Common Name or domain name, which should match the 'Certificate Domain Name' field on this tab.  Some certificates are valid for more than one domain name which are listed in 'Alt Domains (SAN)' Subject Alternate Names, or wildcard certificates where an * symbol matches any host (ie *.comcap.co.uk would match www,comcap.co.uk, test.comcap.co.uk, etc).

 

Note ComCap checks hourly for any new certificate files being available and will automatically load them without needing to restart the channel, provided the file names are unchanged.

 

SSL Server Private Key and Password

If the SSL Server Certificate was not a bundle including a private key, allows a SSL Server Private Key X509 PEM file to be specified, see SSL/TLS and Certificates which must match the Servr Certificate.  If the private key is encrypted, the password should be specified here, this also applies to bundles.  

 

Certificate Domain Name

Defaults to the PC host name which may include a domain, but needs to be the Domain Name assigned to the IP address of the TCP Server, for which the SSL/TLS server certificate has been issued.  In the screen capture above, the Domain Name is test6.comcap.co.uk and this is the name that should be used to configure remote TCP Clients to send data to this server.  Note the Domain Name can not be easily validated by ComCap, it is set-up in a DNS Server somewhere, not on this PC.  For internal systems with internally issued certificates, the Domain Name may simply be the computer host name.

 

SSL Certificate Intermediates

If the SSL Server Certificate was not a bundle including intermediates, allows a default SSL Certificate Intermediate X509 PEM file to be specified, see SSL/TLS and Certificates. Most server certificates are signed by the supplier using an intermediate certificate, which is in turn signed by a trusted root CA certificate, so this intermediate needs to be supplied to allow the chain to be verified against a trusted root.

 

SSL Server Security Level

Specifies the SSL security level to ensure that minimum SSL/TLS security standards are enforced. The options are:

 

None

All protocols and ciphers, any key lengths

SSLv3 Only

SSL3 only, all ciphers, any key lengths, MD5 hash

Backward Ciphers, TLS1 or Later

TLSv1 or later, backward ciphers, RSA/DH private keys => 1,024 bits, ECC keys => 160 bits, no MD5, no SHA1 hash

Intermediate Ciphers, TLS1.1 or Later

TLSv1.1 or later, intermediate ciphers, RSA private keys => 2,048 bits, ECC keys => 224 bits, no RC4 ciphers, no SHA1 hash

Intermediate Ciphers FS, TLS1.1 or Later

TLSv1.1 or later, intermediate ciphers, RSA private keys => 2,048 bits, ECC keys => 224 bits, no RC4 ciphers, no SHA1 hash, Forward Security forced

High 112 bit Ciphers, TLS1.2 or Later

TLSv1.2 or later, high ciphers, RSA private keys => 2,048 bits, ECC keys => 224 bits, no RC4 ciphers, no SHA1 hash - default.

High 128 bit Ciphers, TLS1.2 or Later

TLSv1.2 or later, high ciphers, RSA private keys => 3,072 bits, ECC keys => 256 bits, Forward Security forced

High 192 bit Ciphers, TLS1.2 or Later

TLSv1.2 or later, high ciphers, RSA private keys => 7,680 bits, ECC keys => 384 bits, Forward Security forced

TLSv1.2 or Earlier

TLSv1.2 or earlier, intermediate ciphers, RSA private keys => 2,048 bits, ECC keys => 224 bits, no RC4 ciphers, no SHA1 hash, Forward Security forced

TLSv1.3 Only

TLSv1.3 only, intermediate ciphers, RSA private keys => 2,048 bits, ECC keys => 224 bits, no RC4 ciphers, no SHA1 hash, Forward Security forced

 

While using the highest level of security is always best, this may prevent older clients connecting to ComCap.  If clients attempt to connect with the latest TLSv1.3 protocol but fail, try setting security to 'TLSv1.2 or Earlier', the latest is not always the best.  Note that the server SSL certificate must have a key length of the minimum the security level requires, or capture will not start.  At the time of writing, the recommended default is 'High 112 bit Ciphers, TLS1.2 or Later', but this may change to 128 bit in a few years.

 

Create Local SSL Certificate

Allow a self signed local certificate to be immediately created for the Certificate Domain Name specified above, note doing this will replace any certificate files specified above. The X509 certificate will be created with the Private Key Type and Sign Digest specified in Common Settings, Network Options. Clicking the button will display a confirmation dialog, before creating self signed certificate bundles in PEM and PFX formats, with an encrypted private key with the specified password above, or 'password' if left blank.   The file name field will be updated with the new file names, and the certificate details displayed.  The SSL Server Certificate field must have at least a directory path specified, which will be used for system created file names. Details about certificate creation are logged similarly to the following:

 

17:13:26 Web Server: Creating Self Signed SSL Certificate for pc20.magenta

17:13:26 Web Server: Saved PEM Bundle with Certificate and Key: C:\certificates\local\pc20_magenta-bundle.pem

17:13:26 Web Server: Saved PKCS12 Bundle with Certificate and Key: C:\certificates\local\pc20_magenta.pfx

17:13:26 Web Server: Finished Creating Self Signed SSL Certificate for pc20.magenta

17:13:26 Web Server: Successfully Created Certificate: C:\certificates\local\pc20_magenta-bundle.pem

17:13:26 Web Server: Issued to (CN): pc20.magenta, (O): Magenta Systems Ltd, (OU): ComCap Self Signed Certificate

Alt Domains (SAN): pc20.magenta

Issuer: Self Signed

Expires: 13/02/2030 17:13:26, Signature: sha256WithRSAEncryption

Valid From: 06/02/2020 17:13:26, Serial Number: 327f33fa2e19f816

Fingerprint (sha256): 0ad5a7491c3af312fdf9ff433602ece89621044bdb135ae14f95d56befa344af

Public Key: RSA Key Encryption 2048 bits, 112 security bits

 

Self signed local certificates allow SSL TCP Server channels to start, but any clients connecting to the server may get a warning or error message saying the certificate is not trusted, so such warnings will need to be disabled.  For internal capture, such errors are usually acceptable.

 

SSL Certificate Automatic Public Ordering

If automatic free SSL/TLS  X509 certificate acquisition and installation from Let's Encrypt has been specified in Common Settings, Network Options, ticking this box will enable it for this channel. The SSL Server Certificate field must have at least a directory path specified, which will be used for system created file names. The Certificate Domain Name must be available on the public internet and this TCP Server available from the public internet.  Before issuing a certificate, Let's Encrypt will connect to a web server ComCap runs internally on port 80 of the same IP address used by the capture or echo channel, so public DNS must point to this IP address and there should not be any other web servers using it for validation will fail. The internal web server usually only runs for a few seconds during the certificate ordering process and while running ignores any requests other than from Let's Encrypt so is not a security risk.

 

Order Public Certificate Now

Let's Encrypt certificates only have a life of 90 days, and ComCap will automatically order a replacement before expiry, but a certificate may also be ordered here immediately for the Certificate Domain Name specified above. Clicking the button will display a confirmation dialog, before starting the order process, finally creating certificate bundles in PEM and PFX formats, with an encrypted private key with the specified password above, or 'password' if left blank. The file name field will be updated with the new file names, and the certificate details displayed.  The SSL Server Certificate field must have at least a directory path specified, which will be used for system created file names. Details about certificate creation are logged similarly to the following:

 

19:20:05 Test9 Server 29105 SSL: Manually Starting to Order SSL Certificate for test9.comcap.co.uk

19:20:05 Test9 Server 29105 SSL: Opened Supplier Account for: ACME V2 by Let's Encrypt, Protocol: AcmeV2, From: D:\weblogs\acme-comcap5

19:20:05 Test9 Server 29105 SSL: Number of Domain Challenges Found: 0

19:20:05 Test9 Server 29105 SSL: Domain Not Found in Database: test9.comcap.co.uk

19:20:05 Test9 Server 29105 SSL: Certificate Domain Not Found: test9.comcap.co.uk

19:20:05 Test9 Server 29105 SSL: Checking Let's Encrypt Certificate Order for: test9.comcap.co.uk

19:20:05 Test9 Server 29105 SSL: Number of Domain Challenges Found: 0

19:20:05 Test9 Server 29105 SSL: Challenge Web Server Started on: Socket 1 State: Listening Only IPv4 on 192.168.1.123 port 80

19:20:05 Test9 Server 29105 SSL: Saved Domain to Database: test9.comcap.co.uk

19:20:05 Test9 Server 29105 SSL: Checking Let's Encrypt Certificate Order for: test9.comcap.co.uk

19:20:05 Test9 Server 29105 SSL: Challenge Web Server Already Running

19:20:05 Test9 Server 29105 SSL: Order Checking Passed: test9.comcap.co.uk

19:20:05 Test9 Server 29105 SSL: Saved Domain to Database: test9.comcap.co.uk

19:20:05 Test9 Server 29105 SSL: Starting Let's Encrypt Certificate Order for: test9.comcap.co.uk

19:20:05 Test9 Server 29105 SSL: New Sequential Order Number: 1017

19:20:06 Test9 Server 29105 SSL: Starting ACME Challenge for: test9.comcap.co.uk

19:20:06 Test9 Server 29105 SSL: Challenge Requested for: test9.comcap.co.uk

19:20:06 Test9 Server 29105 SSL: ACME Certificate Order Placed, Automatic Collection Enabled

19:20:06 Test9 Server 29105 SSL: SSL Certificate Order Placed OK, Order Should be Collected within a Couple of Minutes

19:20:06 Test9 Server 29105 SSL: Challenge Web Server Client Connected from Address 52.15.254.228

19:20:06 Test9 Server 29105 SSL: Challenge Web Request, Host: test9.comcap.co.uk, Path: /.well-known/acme-challenge/pM3zGjFzfdHpRleFF9oFeyJ6_TbuYN3-2Z0B9qyEPOU, Params:

19:20:06 Test9 Server 29105 SSL: Challenge Web Server Response Sent for: test9.comcap.co.uk

19:20:06 Test9 Server 29105 SSL: Challenge Web Server Client Disconnected

19:20:20 Test9 Server 29105 SSL: Checking Acme Challenge for: test9.comcap.co.uk

19:20:20 Test9 Server 29105 SSL: Challenge Validated: OK, URL: http://test9.comcap.co.uk/.well-known/acme-challenge/pM3zGjFzfdHpRleFF9oFeyJ6_TbuYN3-2Z0B9qyEPOU, IP address ["217.146.115.85"]  for: test9.comcap.co.uk

19:20:21 Test9 Server 29105 SSL: Collecting Let's Encrypt SSL certificate for: test9.comcap.co.uk

19:20:21 Test9 Server 29105 SSL: Generating Private and Public Key Pair, Please Wait

19:20:21 Test9 Server 29105 SSL: Generating Certificate Signing Request

19:20:21 Test9 Server 29105 SSL: Saved private key file: D:\weblogs\acme-comcap5\LE-2253254905-test9_comcap_co_uk-privatekey.pem

19:20:21 Test9 Server 29105 SSL: Saved certificate signing request file: D:\weblogs\acme-comcap5\LE-2253254905-test9_comcap_co_uk-request.pem

19:20:22 Test9 Server 29105 SSL: Certificate download URL: https://acme-v02.api.letsencrypt.org/acme/cert/04f74d2c3b78933049189790c4320a1fc41c

19:20:22 Test9 Server 29105 SSL: Certificate serial: 04f74d2c3b78933049189790c4320a1fc41c

19:20:22 Test9 Server 29105 SSL: Saving SSL Certificate Files for: test9.comcap.co.uk

19:20:22 Test9 Server 29105 SSL: Certificate Subject Alt Names (SAN): test9.comcap.co.uk

19:20:22 Test9 Server 29105 SSL:

Certificate Details:

Issued to (CN): test9.comcap.co.uk

Alt Domains (SAN): test9.comcap.co.uk

Issued by (CN): Let's Encrypt Authority X3, (O): Let's Encrypt

Expires: 06/05/2020 18:20:21, Signature: sha256WithRSAEncryption

Valid From: 06/02/2020 18:20:21, Serial Number: 04f74d2c3b78933049189790c4320a1fc41c

Fingerprint (sha256): 56fc5f68d49530164cdfff381ec0246a0faa8dbc8b5bf926c648d8fd79c346de

Public Key: RSA Key Encryption 2048 bits, 112 security bits

19:20:22 Test9 Server 29105 SSL: Saved PEM Bundle with Certificate, Key and Intermediate: D:\weblogs\acme-comcap5\LE-2253254905-test9_comcap_co_uk-bundle.pem

19:20:22 Test9 Server 29105 SSL: Saved PKCS12 Bundle with Certificate, Key and Intermediate: D:\weblogs\acme-comcap5\LE-2253254905-test9_comcap_co_uk.pfx

19:20:22 Test9 Server 29105 SSL: SSL Certificate Chain Validated OK:

19:20:22 Test9 Server 29105 SSL: Saving final Versions Of All Files Without Order Numbers Locally

19:20:22 Test9 Server 29105 SSL: Saved PEM Bundle with Certificate, Key and Intermediate: D:\weblogs\acme-comcap5\test9_comcap_co_uk-bundle.pem

19:20:22 Test9 Server 29105 SSL: Saved PKCS12 Bundle with Certificate, Key and Intermediate: D:\weblogs\acme-comcap5\test9_comcap_co_uk.pfx

19:20:22 Test9 Server 29105 SSL: Saving Final Versions Of All Files Without Order Numbers on Server

19:20:22 Test9 Server 29105 SSL: Saved PEM Bundle with Certificate, Key and Intermediate: C:\certificates\local\test9_comcap_co_uk-bundle.pem

19:20:22 Test9 Server 29105 SSL: Saved PKCS12 Bundle with Certificate, Key and Intermediate: C:\certificates\local\test9_comcap_co_uk.pfx

19:20:22 Test9 Server 29105 SSL: Finished Collecting and Saving Certificate for test9.comcap.co.uk

 

The while Let's Encrypt order process is usually over in less than 30 seconds, some logging above has been simplified to save space, the actual PEM file contents are logged as well, and Let's Encrypt does multiple challenge tests to check the domain is available.  The most likely failure reason is the server not being available on the public internet with the domain name.  In the example above, although a local server IP address is used, the broadband router has NAT forwarding so the public IP 217.146.115.85 is forwarded to 192.168.1.123.

 

ComCap deliberately stops more than one order per day per domain, to avoid potential madness if something goes horribly wrong.  If more than one channel has servers on the same address but different ports, only set-up automatic ordering on a single channel, certificates may be shared by servers.

 

SSL/TLS Capture TCP Client

TCP Client channels do not need any SSL certificates, but do need to decide whether to check they are connecting to the correct remote TCP Server with adequate security, as follows:  

 

SSL Client Validate Remote Server Certificate

Specifies the remote SSL server certificate should be checked according to the settings in Common Settings, Common.

 

None

No certificate takes place, may be needed for self signed certificates or privately issued certificates.

PEM Bundle File

A file supplied with ComCap containing about 289 certificate authority trusted root certificates in PEM format, essentially the same as used by Microsoft.  Note over time old CA roots become disused and newer root certificates are issued (a couple a year), so this file can become obsolete over many years.  The latest version of ComCap will have the latest root bundle file.

Windows Certificate Store

Windows has a dynamic certificate store, on new installations it's a few common CA root certificates, but further root certificates are automatically downloaded as needed to verify certificate chains.  This may be a little slower than using the PEM Bundle File, particularly if a new root is needed, and may fail if the download fails.

 

This is optional and does not prevent SSL being used, it may slow down connection set-up and potentially cause errors that prevent capture.

 

SSL Client Security

Specifies the SSL security level to ensure that minimum SSL/TLS security standards are enforced. The options are:

 

None

All protocols and ciphers, any key lengths

SSLv3 Only

SSLv3 only, all ciphers, any key lengths, MD5 hash

TLSv1 Only

TLSv1 only, all ciphers, RSA/DH private keys => 2,048 bits

TLSv1.1 Only

TLSv1.1 only, all ciphers, RSA/DH private keys => 2,048 bits

TLSv1.2 Only

TLSv1.2 only, all ciphers, RSA/DH private keys => 2,048 bits  - recommended

TLSv1.3 Only

TLSv1.3 only, all ciphers, RSA/DH private keys => 2,048 bits

TLSv1 or Better

TLSv1 or later, all ciphers, RSA/DH private keys => 1,024 bits

TLSv1.1 or Better

TLSv1.1 or later, all ciphers, RSA/DH private keys => 1,024 bits

TLSv1.2 or Better

TLSv1.2 or later, all ciphers, RSA/DH  private keys => 2,048 bits  - recommended

Backward Ciphers

TLSv1 or later, backward ciphers, RSA/DH private keys => 1,024 bits, ECC keys => 160 bits, no MD5, no SHA1 hash

Intermediate Ciphers

TLSv1.1 or later, intermediate ciphers, RSA private keys => 2,048 bits, ECC keys => 224 bits, no RC4 ciphers, no SHA1 hash

High Ciphers, 2048 keys

TLSv1.2 or later, high ciphers, RSA private keys => 2,048 bits, ECC keys => 224 bits, no RC4 ciphers, no SHA1 hash - recommended

High Ciphers, 3072 keys

TLSv1.2 or later, high ciphers, RSA private keys => 3,072 bits, ECC keys => 256 bits, Forward Security forced

High Ciphers, 7680 keys

TLSv1.2 or later, high ciphers, RSA private keys => 7,680 bits, ECC keys => 384 bits, Forward Security forced

 

The default security level is 'TLSv1.2 or Better' which is the PCI DSS council standard and recommended by major browsers.  Generally the only reason to support old protocols or low security standards is to access 10 year or older servers that only supported those old protocols.  Likewise, all SSL certificates have used 2,048 bit minimum private keys for several years and any older ones should have long expired (except some root certificates).  The SHA1 hash was used to sign old certificates now replaced by SHA2 (aka SHA-256).  Some SSL ciphers are potentially open to attack, but may still be needed to access very old servers that don't support anything better. Private keys with RSA 3,072 bits are the minimum recommended by NIST for use after year 2030, larger RSA keys increase the size of SSL certificates and thus the handshaking for each SSL connection.

 

Note if the security level is set too high, an SSL/TLS connection may just fail without any sensible explanation.

 

Network Performance Overview

These settings can improve performance when capturing high speed TCP and UDP traffic. TCP/UDP uses memory buffers to temporarily save received or sent data before ComCap is able to process it, which default to 8 Kbytes.  With TCP, if data is not extracted from the buffer, the speed at which data is received will slow down, but with UDP received data is simply lost since there are no handshaking packets to confirm data needs to be delayed or resent. It should only be necessary to increase the capture buffer size if a lot of data is being received each second, maybe 16K/sec or more,  or if the PC is very slow or has other CPU intensive applications so that ComCap can not get the CPU it needs.  Note these new settings only appear for channels actually listening or sending data, not filter or merge channels.

 

Capture TCP/UDP Buffer Size (KB)

Allows the size of the TCP/UDP buffer uses to capture data to be increased from the  default of 8 which means 8KB (8,192 bytes). Typically  32 or 64 should be sufficient for the large buffer.  This field only appears for listening channels, not those filtered or merged from other channels.

 

Idle TCP Server Close Session Timeout, Zero None (secs)

This option is only available for TCP Server capture or Echo to TCP Server, and allows a TCP Server session to be closed if no data has been received for a specified period of seconds. Generally a remote TCP Client will reconnect when it has more data to send.  This timeout is primarily for error conditions where a session remotely fails without a clean close down happening, so TCP Server waits for ever for new data, unless Data Loss checking is used to restart capture which is more complex.  The timeout should vary depending on how frequently data is expected, and may be up to 99,999 seconds (69 days).

 

Note that 'Check for Data Loss' provides similar functionally, but is more extreme in it's handling since it will cause the channel to restart, closing files, database, etc, perhaps sending an alert, whereas the session timeout is gently within only minimum disconnection logging while waiting for a new session to connect.