Customize node identifier generation

All the entities that communicate in a network are called nodes, and a Guardian assigns each node a unique identifier, or NodeID for short. Generally, the NodeID is just an IP address (or a MAC address), but in some special network topologies, extra information must be included in a NodeID to further differentiate nodes.

Note: NodeIDs generated with different settings will cause inconsistencies and should not coexist. These options should be set manually at sensor deployment time or on a Guardian with a clean configuration.

Include VLAN number in NodeID

Nodes can have their NodeID "decorated" with the VLAN ID of their zone.

Product Guardian
Syntax nodeid_factory zone
Description Nodes included in a zone that has a non-zero VLAN ID will get a NodeID of the form ip@vlan.

Include Remote Collector/Arc provenance in NodeID

Packets forwarded by Remote Collectors or Arc sensors carry a special "provenance" attribute that the Guardian uses to track precisely where the traffic was captured. By default, the configuration directive nodeid_factory include_capture uses a standard NodeID for nodes seen by local capture devices, and appends an explanatory suffix _from:... to nodes appearing in remotely captured traffic.

Product Guardian
Syntax nodeid_factory include_capture [local-traffic-tag] [format-string]
Description Enable decoration of NodeIDs with packet provenance information.
Parameters
  • The optional local-traffic-tag is the provenance name for locally captured traffic: leave empty or use no_localhost to disable NodeID decoration on local traffic.
  • The format-string is the template for decorating remotely captured NodeIDs. A pair of curly braces {} will be expanded to the actual provenance. The default format is "_from:{}".
Notes

For packets captured by a Remote Collector, the default provenance is the IP of the Remote Collector itself. Alternatively, a Guardian can use the site of the Remote Collector (and fall back to the IP when the site is undefined) by adding the directive remote_capture_forward_packet_src true to the Guardian configuration.

For packets captured by Arc sensors, the provenance is a unique identifier of the Arc instance, followed by the IP that uploaded the data to the Guardian (so it may not belong to the machine where Arc is running).

The Guardian may use both include_capture and zone if the configuration contains both nodeid_factory zone and nodeid_factory include_capture in this order.
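The note above says NodeIDs generated with different settings should not coexist. The following is an added example, not Nozomi code: a small audit over an exported list of NodeIDs that flags identifiers the stated settings would not produce. It assumes the ip@vlan form and the default "_from:{}" format; the combined shape ip@vlan_from:... and the sample values are assumptions, and a custom format-string would need a different pattern.

```python
import re

# Shapes assumed from the page: ip, ip@vlan, and the default "_from:{}" suffix.
# The combined order ip@vlan_from:... is an assumption, not stated on the page.
NODEID_RE = re.compile(
    r"^(?P<base>[^@_]+)(?:@(?P<vlan>\d+))?(?:_from:(?P<prov>.+))?$"
)

def parse_nodeid(node_id):
    """Split a NodeID into (base, vlan, provenance); None if no assumed shape fits."""
    m = NODEID_RE.match(node_id)
    return (m["base"], m["vlan"], m["prov"]) if m else None

def audit(node_ids, zone=False, include_capture=False, local_tag=None):
    """Return [(node_id, reason)] for NodeIDs the given settings would not produce."""
    findings = []
    for nid in node_ids:
        parsed = parse_nodeid(nid)
        if parsed is None:
            findings.append((nid, "unrecognized shape"))
            continue
        _, vlan, prov = parsed
        if vlan is not None and not zone:
            findings.append((nid, "VLAN suffix but 'nodeid_factory zone' is off"))
        if prov is not None and not include_capture:
            findings.append((nid, "provenance suffix but 'include_capture' is off"))
        # An empty tag or no_localhost leaves local traffic undecorated.
        tagged_local = local_tag not in (None, "", "no_localhost")
        if prov is None and include_capture and tagged_local:
            findings.append((nid, "no provenance although a local-traffic-tag is set"))
    return findings

# Constructed sample export (hypothetical addresses and site name).
SAMPLE = [
    "10.0.0.5",
    "10.0.0.5@20",
    "10.0.0.7_from:192.168.1.9",
    "10.0.0.8@30_from:plant_a",
]

if __name__ == "__main__":
    for nid, reason in audit(SAMPLE, zone=True, include_capture=False):
        print(f"{nid}: {reason}")
```

Findings are candidates for review: they indicate NodeIDs left over from a different nodeid_factory setting than the one passed in.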