Windows: Driver parameters

These parameters affect the behavior of several drivers with which the S-TAP interacts.

CAUTION:
These are advanced parameters and are usually modified by IBM Technical Support only.
Each entry below gives the guard_tap.ini parameter, its default value, and a description.

WFP_DRIVER_INSTALLED
  Default: 1
  Use the WFP (Windows Filtering Platform) driver instead of LHMON. Supported on Windows Server 2008 SP2 or newer, where the WFP API is available. This parameter is ignored when TCP_DRIVER_INSTALLED=1.

TCP_DRIVER_INSTALLED
  Default: 1
  Use the TCP driver.

ORA_DRIVER_INSTALLED
  Default: 1
  Set to 1 to sniff Oracle ASO and SSL traffic.

ORA_DRIVER_LEVEL
  Default: 0
  Advanced. Used for thread prioritization.

NAMED_PIPES_DRIVER_INSTALLED
  Default: 1
  Set to 1 to sniff local named-pipe traffic.

NAMED_PIPES_DRIVER_LEVEL
  Default: 0
  Advanced. Used for thread prioritization.

SHARED_MEMORY_DRIVER_LEVEL
  Default: 0
  Advanced. Used for thread prioritization.

KRB_MSSQL_DRIVER_INSTALLED
  Default: 2
  Deprecated from v10.1.4. It still appears in the guard_tap.ini file but does not affect the configuration.
  This parameter is used to decrypt MSSQL SSL and Kerberos encrypted traffic. Set to 1 or 2 to collect MSSQL encrypted traffic and Kerberos tickets. If set to 1, the S-TAP pre-collects usernames correlated with SIDs when it starts, for the number of seconds defined in KRB_MSSQL_DRIVER_USER_COLLECT_TIME. If set to 2, no pre-collection is done and usernames are correlated at run time.
  In V10.1, this parameter enables or disables Correlation: a non-zero value enables Correlation, 0 disables it. The default is a non-zero value.

KRB_MSSQL_DRIVER_LEVEL
  Default: 0
  Deprecated from v10.1.4. Controls the thread priorities of the different sniffers.

KRB_MSSQL_DRIVER_NONBLOCKING
  Default: 0
  Deprecated from v10.1.4. It still appears in the guard_tap.ini file but does not affect the configuration. 1 = resolve domain user names from the domain controller in a separate thread; in that case the first packet from a new user does not have its SID resolved to a domain user name.

KRB_MSSQL_DRIVER_USER_COLLECT_TIME
  Default: 30
  Deprecated from v10.1.4; use the Correlation driver introduced in 10.1 instead. Time limit, in seconds, for collecting SIDs at S-TAP startup.

CORRELATION_TIMEOUT
  Default: 5
  The number of seconds the WFP and NMP sniffers wait for correlation to occur before giving up and resuming the flow of traffic to the appliance.

KRB_MSSQL_DRIVER_ONDEMAND
  Default: 0
  Deprecated in v9.0 GPU 50. Set to 1 to save time by resolving user SIDs into domain user names only for Kerberos tickets from users that are new to the running S-TAP instance.
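The following script is an added example for checking an S-TAP's guard_tap.ini against the parameter notes above; it is not IBM code and not part of the original page. It assumes guard_tap.ini is a plain key=value INI file with optional [section] headers and ";" or "#" comments, and that parameter names are case-insensitive. The sample file embedded in the script is constructed for the example. It reports deprecated keys that no longer do anything, a WFP_DRIVER_INSTALLED setting that is ignored because the TCP driver is enabled, sniffing drivers turned off (a monitoring blind spot for Oracle ASO/SSL or local named-pipe connections), and a CORRELATION_TIMEOUT that is not a number of seconds.

```python
"""Audit the driver parameters in a Guardium Windows S-TAP guard_tap.ini.

Added example, not IBM's code. Assumes guard_tap.ini is a key=value INI file
with optional [section] headers and ';' or '#' comments, and that parameter
names are case-insensitive. SAMPLE_INI below is constructed for this example.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, parameter, message)

# Parameters documented as deprecated, with the release from which they
# no longer affect the configuration.
DEPRECATED: Dict[str, str] = {
    "KRB_MSSQL_DRIVER_INSTALLED": "v10.1.4",
    "KRB_MSSQL_DRIVER_LEVEL": "v10.1.4",
    "KRB_MSSQL_DRIVER_NONBLOCKING": "v10.1.4",
    "KRB_MSSQL_DRIVER_USER_COLLECT_TIME": "v10.1.4",
    "KRB_MSSQL_DRIVER_ONDEMAND": "v9.0 GPU 50",
}

# Sniffing drivers whose value must be 1 for their traffic class to be captured.
BLIND_SPOTS: Dict[str, str] = {
    "ORA_DRIVER_INSTALLED": "Oracle ASO and SSL traffic is not captured",
    "NAMED_PIPES_DRIVER_INSTALLED": "local named-pipe connections are not captured",
}

# Constructed sample fragment, not a real S-TAP configuration.
SAMPLE_INI = """\
; constructed sample guard_tap.ini fragment (not a real file)
[TAP]
tap_ip=192.0.2.10
WFP_DRIVER_INSTALLED=1
TCP_DRIVER_INSTALLED=1
ORA_DRIVER_INSTALLED=0
NAMED_PIPES_DRIVER_INSTALLED=0
KRB_MSSQL_DRIVER_INSTALLED=2
KRB_MSSQL_DRIVER_USER_COLLECT_TIME=30
CORRELATION_TIMEOUT=abc
"""


def parse_ini(text: str) -> Dict[str, str]:
    """Return {UPPERCASE_NAME: value} for every key=value line.

    Section headers and comment lines are skipped; a later duplicate key
    overrides an earlier one.
    """
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        if "=" not in line:
            continue  # not a key=value setting
        name, _, value = line.partition("=")
        params[name.strip().upper()] = value.strip()
    return params


def audit(params: Dict[str, str]) -> List[Finding]:
    """Check the driver parameters against the documented behaviour."""
    findings: List[Finding] = []

    # 1. Deprecated keys: still accepted in the file but have no effect.
    for name, since in DEPRECATED.items():
        if name in params:
            findings.append(("INFO", name, f"deprecated from {since}; present but has no effect"))

    # 2. WFP_DRIVER_INSTALLED is ignored while the TCP driver is enabled
    #    (TCP_DRIVER_INSTALLED defaults to 1 when absent).
    if "WFP_DRIVER_INSTALLED" in params and params.get("TCP_DRIVER_INSTALLED", "1") == "1":
        findings.append(("INFO", "WFP_DRIVER_INSTALLED", "ignored because TCP_DRIVER_INSTALLED=1"))

    # 3. A sniffing driver that is not enabled leaves its traffic unmonitored.
    #    The documented default is 1, so only an explicit other value is reported.
    for name, consequence in BLIND_SPOTS.items():
        if params.get(name, "1") != "1":
            findings.append(("WARN", name, f"set to {params[name]!r}: {consequence}"))

    # 4. CORRELATION_TIMEOUT is documented as a number of seconds.
    timeout = params.get("CORRELATION_TIMEOUT", "5")
    if not timeout.isdigit():
        findings.append(("ERROR", "CORRELATION_TIMEOUT",
                         f"expected a whole number of seconds, got {timeout!r}"))

    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings one per line, e.g. '[WARN] ORA_DRIVER_INSTALLED: ...'."""
    if not findings:
        return "no findings"
    return "\n".join(f"[{sev}] {name}: {msg}" for sev, name, msg in findings)


if __name__ == "__main__":
    print(format_report(audit(parse_ini(SAMPLE_INI))))
```

Run it against a copy of the real guard_tap.ini by replacing SAMPLE_INI with the file contents; on the constructed sample it produces six findings: two deprecated KRB_MSSQL_* keys, the ignored WFP setting, the two disabled sniffing drivers, and the malformed CORRELATION_TIMEOUT.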