Configuration Reference

Rockfish Probe uses YAML configuration files. Command-line arguments override config file settings.

# Run with configuration file
rockfish_probe -c /path/to/config.yaml

# Override settings via CLI
rockfish_probe -c config.yaml --source eth1

Configuration Sections

License
Input
Flow
nDPI
Fragment
Output
AF_PACKET
Netmap
S3
GeoIP
Threat Intel

License

license:
  path: /opt/rockfish/etc/license.json

Option	Type	Default	Description
`path`	string	-	Path to license file (JSON with Ed25519 signature)

Environment Variable: ROCKFISH_LICENSE_PATH

Input

input:
  source: eth0
  live_type: afpacket
  filter: "tcp or udp"
  snaplen: 65535
  promisc_off: false

Option	Type	Default	Description
`source`	string	(required)	Interface name or PCAP file path/glob
`live_type`	string	`pcap`	Capture method: `pcap`, `afpacket`, `netmap`, `fmadio`
`filter`	string	-	BPF filter expression
`snaplen`	int	65535	Maximum bytes per packet
`promisc_off`	bool	false	Disable promiscuous mode

BPF Filter Examples

# TCP and UDP only
filter: "tcp or udp"

# HTTP and HTTPS
filter: "port 80 or port 443"

# Specific subnet
filter: "net 192.168.1.0/24"

# Exclude SSH
filter: "not port 22"

Flow

flow:
  idle_timeout: 300
  active_timeout: 1800
  max_flows: 0
  max_payload: 500
  udp_uniflow_port: 0
  mac: true

Option	Type	Default	Description
`idle_timeout`	int	300	Seconds of inactivity before flow expires
`active_timeout`	int	1800	Maximum flow duration before export
`max_flows`	int	0	Maximum concurrent flows (0 = unlimited)
`max_payload`	int	500	Max payload bytes for protocol detection
`udp_uniflow_port`	int	0	UDP uniflow mode (0=off, 1=all)
`mac`	bool	true	Include MAC addresses

Note: TLS/TCP fingerprints (ndpi_ja4, ndpi_ja3s, ndpi_tcp_fp) are automatically extracted when nDPI is enabled and included in Professional+ tier output.

nDPI

ndpi:
  enabled: true
  protocol_file: /opt/rockfish/etc/ndpi-protos.txt
  categories_file: /opt/rockfish/etc/ndpi-categories.txt

Option	Type	Default	Description
`enabled`	bool	false	Enable nDPI application labeling
`protocol_file`	string	-	Custom protocol definitions
`categories_file`	string	-	Custom category definitions

Note: nDPI is included in all Rockfish packages (Basic tier and above).

Fragment

fragment:
  disabled: false
  max_tables: 1024
  timeout: 30

Option	Type	Default	Description
`disabled`	bool	false	Disable IP fragment reassembly
`max_tables`	int	1024	Max concurrent fragment tables
`timeout`	int	30	Fragment timeout in seconds

Output

output:
  parquet_dir: /var/run/rockfish/flows
  parquet_batch_size: 1000000
  parquet_file_prefix: rockfish-flow
  parquet_schema: simple
  observation: sensor-01
  hive_boundary_flush: false
  stats: true
  verbose: 1
  log_file: /var/log/rockfish/rockfish.log

Option	Type	Default	Description
`parquet_dir`	string	(required)	Output directory for Parquet files
`parquet_batch_size`	int	1000000	Max flows per file before rotation
`parquet_file_prefix`	string	rockfish-flow	Filename prefix
`parquet_schema`	string	simple	Schema: `simple` (50 fields) or `extended` (62 fields)
`observation`	string	gnat	Observation domain name
`hive_boundary_flush`	bool	false	Flush at day boundaries for Hive partitioning
`verbose`	int	1	0=warnings, 1=info, 2=debug, 3=trace
`log_file`	string	-	Log file path (enables daily rotation)

AFPacket

Linux high-performance capture:

afpacket:
  block_size: 2097152
  block_count: 64
  fanout_group: 0
  fanout_mode: hash

Option	Type	Default	Description
`block_size`	int	2097152	Ring buffer block size (bytes)
`block_count`	int	64	Number of ring buffer blocks
`fanout_group`	int	0	Fanout group ID (0 = disabled)
`fanout_mode`	string	hash	Distribution: hash, lb, cpu, rollover, random

Memory: block_size × block_count (default: 128 MB)

Netmap

FreeBSD high-performance capture:

netmap:
  rx_slots: 1024
  tx_slots: 1024
  poll_timeout: 1000
  host_rings: false

S3

s3:
  bucket: my-flow-bucket
  prefix: flows
  region: us-east-1
  endpoint: https://nyc3.digitaloceanspaces.com
  force_path_style: false
  hive_partitioning: true
  delete_after_upload: true
  aggregate: true
  aggregate_hold_minutes: 5

Option	Type	Default	Description
`bucket`	string	(required)	S3 bucket name
`prefix`	string	-	S3 key prefix
`region`	string	(required)	AWS region
`endpoint`	string	-	Custom endpoint (MinIO, DO Spaces, etc.)
`force_path_style`	bool	false	Use path-style URLs (required for MinIO)
`hive_partitioning`	bool	false	Organize by `year=/month=/day=/`
`delete_after_upload`	bool	false	Delete local files after upload
`aggregate`	bool	false	Merge files per minute before upload
`aggregate_hold_minutes`	int	1	Hold time before aggregating

GeoIP

geoip:
  country_db: /opt/rockfish/etc/GeoLite2-Country.mmdb
  city_db: /opt/rockfish/etc/GeoLite2-City.mmdb
  asn_db: /opt/rockfish/etc/GeoLite2-ASN.mmdb

Note: Requires --features geoip and MaxMind databases.

Threat Intel

threat_intel:
  enabled: true
  endpoint_url: "http://localhost:8080"
  api_token: "your-api-token"
  batch_size: 100
  timeout_seconds: 10

Option	Type	Default	Description
`enabled`	bool	false	Enable threat intel lookups
`endpoint_url`	string	(required)	API endpoint URL
`api_token`	string	(required)	Bearer token for authentication
`batch_size`	int	100	IPs per API request
`timeout_seconds`	int	10	Request timeout

Output goes to <parquet_dir>/intel/.

Complete Example

license:
  path: /opt/rockfish/etc/license.json

input:
  source: eth0
  live_type: afpacket
  filter: "tcp or udp"

flow:
  idle_timeout: 300
  active_timeout: 1800
  max_flows: 1000000
  max_payload: 500

ndpi:
  enabled: true  # Fingerprints (ndpi_ja4, ndpi_ja3s) extracted automatically

output:
  parquet_dir: /var/run/rockfish/flows
  observation: sensor-01
  hive_boundary_flush: true

afpacket:
  block_size: 2097152
  block_count: 64

s3:
  bucket: flow-data
  prefix: sensors/sensor-01
  region: us-east-1
  hive_partitioning: true
  delete_after_upload: true

geoip:
  city_db: /opt/rockfish/etc/GeoLite2-City.mmdb
  asn_db: /opt/rockfish/etc/GeoLite2-ASN.mmdb

Keyboard shortcuts

Rockfish Documentation