Artica PCAP analyzes network traffic in real time, i.e. all network packets are processed, regardless of whether source addresses are blocked or excluded.
What's important to us is not to process every network packet, but only the connections.
So it's necessary to let network packets pass through for a certain period of time.
There are 3 switches to handle connections.
These 3 switches control the process's memory buffer.
This memory buffer avoids reprocessing an address that has already been handled (searching the main sources database, RBLs, etc.) and lets the unnecessary network packets through without further work.
The token -buffer-max-records
drives the maximum number of addresses that will be stored in the buffer.
When the buffer exceeds this value, it is completely emptied and starts again empty.
It is therefore necessary to evaluate the size of the buffer in relation to the total number of addresses that would be able to connect to your system in one day.
An entry consumes about 8 bytes of memory, so 1,000,000 entries = (8 × 1,000,000) / 1,048,576 ≈ 7.63 MB.
The token -buffer-ttl
drives the time period, in seconds, between an address being detected (i.e. its reputation looked up) and its next detection.
For example, if a network address connects to port 80, it will be detected and will continue to send network packets.
For 5 seconds, all network packets discovered will be ignored.
This option is important, as it will help CrowdSec or Fail2ban software react according to the number of occurrences found in the log file.
If you use the Artica PCAP filter for remediation (without CrowdSec), specify the same value as for the switch below.
Once an address has been checked, whether its reputation verdict is positive or negative, it is stored in the buffer for a set number of minutes.
Artica PCAP filter will always indicate the same verdict during this storage time.
The token -buffer-record-ttl
sets this lifetime in minutes.
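As an added illustration (not Artica's own code), the following Python model shows how the three switches interact on a stream of packets: the lookup callable, the Record fields and the action names are assumptions made for this example.

```python
from dataclasses import dataclass


def buffer_size_mb(entries, bytes_per_entry=8):
    """Memory estimate used above: entries * 8 bytes, expressed in MiB."""
    return entries * bytes_per_entry / 1048576


@dataclass
class Record:
    verdict: str        # result of the reputation lookup ("block" or "allow")
    checked_at: float   # when the lookup was done (-buffer-record-ttl runs from here)
    detected_at: float  # last detection of the address (-buffer-ttl runs from here)


class ConnectionBuffer:
    """Memory buffer driven by the three switches (assumed model, not Artica's code)."""

    def __init__(self, lookup, max_records=1_000_000, ttl=5, record_ttl=10):
        self.lookup = lookup                # callable(addr) -> verdict, e.g. sources DB / RBL query
        self.max_records = max_records      # -buffer-max-records
        self.ttl = ttl                      # -buffer-ttl, seconds
        self.record_ttl = record_ttl * 60   # -buffer-record-ttl, minutes converted to seconds
        self.records = {}
        self.lookups = 0                    # how many times the expensive lookup ran
        self.flushes = 0                    # how many times the buffer overflowed

    def packet(self, addr, now):
        """Process one packet from addr at time `now` (seconds).
        Returns (action, verdict): 'ignored' (inside -buffer-ttl, no log event),
        'cached' (new detection, verdict served from the buffer) or 'lookup'."""
        if len(self.records) > self.max_records:
            self.records.clear()            # buffer overflowed: emptied completely
            self.flushes += 1
        rec = self.records.get(addr)
        if rec is not None and now - rec.detected_at < self.ttl:
            return "ignored", rec.verdict   # packets within the ttl window are dropped
        if rec is not None and now - rec.checked_at < self.record_ttl:
            rec.detected_at = now           # detected again: same verdict, no new lookup
            return "cached", rec.verdict
        verdict = self.lookup(addr)         # no record or record expired: query the sources
        self.lookups += 1
        self.records[addr] = Record(verdict, now, now)
        return "lookup", verdict
```

With ttl=5 and record_ttl=10 the same address triggers one lookup, is ignored for 5 seconds, is detected again at 5 seconds with the cached verdict, and is looked up again only after 10 minutes.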