Kaspersky Anti Targeted Attack (KATA) Platform

Enabling and configuring raw network traffic recording on a server with the Sensor and Central Node components installed

April 2, 2024

ID 266034

If you are using the distributed solution and multitenancy mode, follow the steps on the PCN or SCN server that you want to configure.

To enable and configure raw network traffic recording on a server with the Central Node and Sensor components installed:

  1. Connect and configure external storage.
  2. Select the Sensor servers section in the window of the application web interface.

    The Server list table will be displayed.

  3. Select the Sensor component with the name localhost.

    This opens the Sensor component settings page.

  4. Select the SPAN traffic processing section.

    The Network interfaces table is displayed.

  5. Go to the Traffic recording tab.
  6. In the Record traffic field, set the toggle switch to Enabled.

    By default, the toggle switch is in the Disabled position.

    Raw network traffic recording on the server with the Central Node and Sensor components installed is enabled. Raw traffic recording settings are displayed.

    By default, raw network traffic is saved to the /mnt/kaspersky/nta/dumps directory. You cannot change the directory for raw network traffic recording. You can view raw network traffic dumps in the /data/volumes/dumps directory.

  7. If necessary, edit raw network traffic recording settings:
    1. Under Dump storage size, in the Maximum storage size field, specify the maximum size of raw traffic dumps to be stored in dump storage.

      The default value is 100 GB, which is also the minimum. The maximum value is 1,000,000 TB. For correct operation of the application, the connected disk must have at least as much free space as the value specified in this field.

      If the size of dumps in dump storage exceeds the Maximum storage size value, the earliest dumps are deleted, oldest first, until the space freed equals the size of the new dumps.

      If you reduce the maximum dump storage size, the earliest dumps are deleted, oldest first, until the space freed equals the amount by which the Maximum storage size value was reduced.

    2. If you want to restrict data capture in raw network traffic, under Traffic filtering upon saving, in the State field, set the toggle switch to Enabled. Traffic filtering can reduce the size of dumps in dump storage and facilitate traffic analysis.

      If you have set the toggle switch in the State field to Enabled, enter the filtering rule in the BPF filtering rule field. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.

      Example of a filtering expression:

      tcp port 102 or tcp port 502

    3. If you want to set a storage duration for raw network traffic dumps, under Dump storage term, in the State field, set the toggle switch to Enabled. In the Store for field, enter the raw network traffic dump storage duration in days. Raw network traffic dumps that are stored longer than the specified duration are deleted from the storage.
    4. Click Apply.
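The deletion rules in step 7 (the Maximum storage size limit and the Dump storage term) are easier to reason about as a small simulation. The following Python script is an added example and is not part of the KATA product or this page; it assumes, because the page does not say so explicitly, that both rules delete the oldest dumps first and that the storage term is applied before the size limit. The dump names, sizes and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

GB = 1024 ** 3


@dataclass
class Dump:
    name: str            # constructed file name
    size: int            # bytes on disk
    saved_at: datetime   # time the dump was written


def apply_retention(dumps: List[Dump], max_storage: int,
                    store_for_days: Optional[int] = None,
                    now: Optional[datetime] = None) -> Tuple[List[Dump], List[Dump]]:
    """Return (kept, deleted) after applying the two retention rules of step 7.

    Assumption: deletion is oldest-first for both rules, and the storage term
    (age) is evaluated before the Maximum storage size (total bytes).
    """
    now = now or datetime.now()
    kept = sorted(dumps, key=lambda d: d.saved_at)   # earliest dump first
    deleted: List[Dump] = []

    # Dump storage term: dumps stored longer than "Store for" days are removed.
    if store_for_days is not None:
        cutoff = now - timedelta(days=store_for_days)
        deleted += [d for d in kept if d.saved_at < cutoff]
        kept = [d for d in kept if d.saved_at >= cutoff]

    # Maximum storage size: while the total exceeds the limit, drop the earliest dump.
    while kept and sum(d.size for d in kept) > max_storage:
        deleted.append(kept.pop(0))
    return kept, deleted


def first_last_saved(kept: List[Dump]) -> Optional[Tuple[datetime, datetime]]:
    """Values the 'First saved dump' / 'Last saved dump' fields would show."""
    if not kept:
        return None
    return kept[0].saved_at, kept[-1].saved_at


# Constructed sample data: four 30 GB dumps written 10, 7, 4 and 1 days before NOW.
NOW = datetime(2024, 4, 2, 12, 0)
SAMPLE_DUMPS = [Dump(f"dump-{i}.pcap", 30 * GB, NOW - timedelta(days=age))
                for i, age in enumerate((10, 7, 4, 1))]

if __name__ == "__main__":
    kept, gone = apply_retention(SAMPLE_DUMPS, 100 * GB, now=NOW)
    print("size limit 100 GB -> deleted:", [d.name for d in gone])
    kept, gone = apply_retention(SAMPLE_DUMPS, 100 * GB, store_for_days=5, now=NOW)
    print("plus store for 5 days -> deleted:", [d.name for d in gone])
    print("first/last saved:", first_last_saved(kept))
```

Running the script with a 100 GB limit shows that only the oldest dump is removed (120 GB exceeds the limit by 20 GB, so one 30 GB dump frees enough space), and that lowering the limit or enabling a storage term removes further dumps, always from the earliest end of the list.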

Raw network traffic recording on the server with the Sensor and Central Node components installed is performed in accordance with the specified settings.

The First saved dump field displays the date and time of the earliest saved raw network traffic dump, and the Last saved dump field displays the date and time of the most recent raw network traffic dump.
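To see what the BPF filtering rule from step 7.2 actually keeps and discards before committing it to dump storage, the Python script below evaluates a small subset of pcap-filter syntax (`tcp`/`udp`, `[src|dst] host A.B.C.D`, `[tcp|udp] [src|dst] port N`, `and`, `or`, `not`, parentheses) against constructed Ethernet/IPv4 packets. It is an added example, not code from KATA or from libpcap, and the toy evaluator is not a substitute for the real compiler: the `ipv4_packet` builder, `parse_packet`, `BpfSubset`, `matches` and `select_packets` names and all sample packets are this example's own constructions. The page's own filter, `tcp port 102 or tcp port 502`, is used as the reference expression.

```python
import re
import socket
import struct
from typing import Callable, Dict, List, Optional

PAGE_FILTER = "tcp port 102 or tcp port 502"   # the expression given on the page

Packet = Dict[str, object]
Predicate = Callable[[Packet], bool]


def ipv4_packet(proto: int, sport: int, dport: int, src: str, dst: str) -> bytes:
    """Constructed sample frame: Ethernet II + IPv4 + minimal TCP (6) or UDP (17) header."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zeroed MACs, EtherType IPv4
    if proto == 6:                                          # 20-byte TCP header, SYN set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:                                                   # 8-byte UDP header, no payload
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def parse_packet(raw: bytes) -> Optional[Packet]:
    """Extract the header fields the filter subset needs; None for non-IPv4 frames."""
    if len(raw) < 34 or raw[12:14] != b"\x08\x00":
        return None
    ihl = (raw[14] & 0x0F) * 4
    proto = raw[23]
    l4 = raw[14 + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"proto": proto, "src": socket.inet_ntoa(raw[26:30]),
            "dst": socket.inet_ntoa(raw[30:34]), "sport": sport, "dport": dport}


class BpfSubset:
    """Recursive-descent compiler for a subset of pcap-filter syntax into a predicate."""

    def __init__(self, expr: str) -> None:
        self.toks = re.findall(r"\(|\)|[\w.]+", expr.lower())
        self.pos = 0
        self.pred: Predicate = self._expr()          # expr := term ('or' term)*
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")

    def _peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self, *expected: str) -> str:
        tok = self._peek()
        if tok is None or (expected and tok not in expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def _expr(self) -> Predicate:
        left = self._term()
        while self._peek() == "or":
            self._take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self._term())
        return left

    def _term(self) -> Predicate:                      # term := factor ('and' factor)*
        left = self._factor()
        while self._peek() == "and":
            self._take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self._factor())
        return left

    def _factor(self) -> Predicate:                    # factor := 'not' factor | '(' expr ')' | primitive
        if self._peek() == "not":
            self._take()
            inner = self._factor()
            return lambda p: not inner(p)
        if self._peek() == "(":
            self._take()
            inner = self._expr()
            self._take(")")
            return inner
        return self._primitive()

    def _primitive(self) -> Predicate:
        proto = {"tcp": 6, "udp": 17}[self._take()] if self._peek() in ("tcp", "udp") else None
        direction = self._take() if self._peek() in ("src", "dst") else None
        if self._peek() == "port":
            self._take()
            port = int(self._take())

            def port_pred(p: Packet) -> bool:
                if (proto is not None and p["proto"] != proto) or p["sport"] is None:
                    return False
                if direction == "src":
                    return p["sport"] == port
                if direction == "dst":
                    return p["dport"] == port
                return port in (p["sport"], p["dport"])
            return port_pred
        if self._peek() == "host":
            if proto is not None:
                raise ValueError("'tcp'/'udp' cannot qualify 'host'")
            self._take()
            addr = self._take()

            def host_pred(p: Packet) -> bool:
                if direction == "src":
                    return p["src"] == addr
                if direction == "dst":
                    return p["dst"] == addr
                return addr in (p["src"], p["dst"])
            return host_pred
        if proto is not None and direction is None:    # bare 'tcp' / 'udp'
            return lambda p: p["proto"] == proto
        raise ValueError(f"unsupported primitive near {self._peek()!r}")


def matches(expr: str, raw: bytes) -> bool:
    pkt = parse_packet(raw)
    return pkt is not None and BpfSubset(expr).pred(pkt)


def select_packets(expr: str, packets: List[bytes]) -> List[int]:
    """Indices of the packets a recorder using this rule would keep."""
    pred = BpfSubset(expr).pred
    return [i for i, raw in enumerate(packets)
            if (pkt := parse_packet(raw)) is not None and pred(pkt)]


# Constructed sample traffic: ports 102 and 502 as on the page, plus UDP and HTTPS noise.
SAMPLE_PACKETS = [
    ipv4_packet(6, 40000, 502, "10.0.0.1", "10.0.0.2"),
    ipv4_packet(6, 102, 40001, "10.0.0.2", "10.0.0.1"),
    ipv4_packet(17, 40000, 502, "10.0.0.1", "10.0.0.2"),
    ipv4_packet(6, 40000, 443, "10.0.0.1", "10.0.0.2"),
]

if __name__ == "__main__":
    print(PAGE_FILTER, "keeps packets", select_packets(PAGE_FILTER, SAMPLE_PACKETS))
```

The toy evaluator only illustrates the semantics; to check that a rule is accepted by libpcap itself before pasting it into the BPF filtering rule field, compile it on any host with tcpdump installed using `tcpdump -d 'tcp port 102 or tcp port 502'`, which prints the compiled filter program (or a syntax error) without capturing anything.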
