Scenarios for running retrospective analysis of traffic

Scenario for running retrospective analysis of traffic manually

The scenario for running retrospective analysis of traffic manually involves the following steps:

  1. Installing the Central Node component for retrospective analysis of traffic, if it has not been installed yet.
  2. Adding and enabling a monitoring point if it has not been added and enabled yet.

    Exactly one monitoring point must exist.

  3. Uploading a PCAP file to the web interface of Kaspersky Anti Targeted Attack Platform.
  4. Starting traffic replay.
  5. Reviewing traffic analysis results.
  6. Clearing traffic analysis results.

    If you want to replay multiple PCAP files in a row without clearing the results, you need to upload the PCAP files in the order they were recorded, taking into account the network segments to avoid distorting the analysis results.

Scenario for running retrospective analysis of traffic automatically

The scenario for running retrospective analysis of traffic automatically involves the following steps:

  1. Installing the Central Node component for retrospective analysis of traffic, if it has not been installed yet.
  2. Adding and enabling a monitoring point if it has not been added and enabled yet.

    Exactly one monitoring point must exist.

  3. Enabling automatic traffic analysis.
  4. Adding a connector of the Generic type for uploading PCAP files from an external system to Kaspersky Anti Targeted Attack Platform.

    This connector is used for the connection with the external system from which you are transferring the PCAP files.

  5. Uploading a PCAP file to Kaspersky Anti Targeted Attack Platform using the NDR API.

    The maximum data transfer rate when uploading files is 200 Mbps.

    Example command for automating the upload of files at a certain rate:

    curl -X POST --location {<URL>} -H "Authorization: Bearer {<token>}" -F "fileName={<file name>}" -F "file=@<full path to PCAP file>" -s --limit-rate 20M --connect-timeout 30 --max-time 600 -k

    In this command, --limit-rate 20M caps the transfer at 20 MiB per second (about 168 Mbit/s), which keeps it below the 200 Mbps limit. The -k option disables verification of the TLS certificate presented by the Central Node; omit it, or replace it with --cacert and the certificate of your Central Node, unless the certificate cannot be validated in your environment.

    Files uploaded to the system are placed in a special storage. You can manage the settings of this storage.

  6. Reviewing traffic analysis results.
  7. Clearing traffic analysis results.

    If you want to replay multiple PCAP files in a row without clearing the results, you need to upload the PCAP files in the order they were recorded, taking into account the network segments to avoid distorting the analysis results.
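The script below is an added example, not part of the Kaspersky Anti Targeted Attack Platform documentation or its own tooling. It automates steps 5 through 7 of the automatic scenario for a batch of captures: it reads the first packet timestamp from each classic pcap file, uploads the files in capture order with the documented curl options, and stops at the first failed upload so that later files are not replayed out of order. The NDR API endpoint (KATA_URL), the token (KATA_TOKEN) and the sample captures it generates are assumptions and constructed data; take the real endpoint from the NDR API reference. TLS verification stays on unless CURL_TLS_OPTS is set, because the page's -k option turns it off.

```shell
#!/bin/sh
# Added example: replay PCAP files through the NDR API in capture order.
# Not from the KATA documentation; URL, token and sample data are assumptions.

# Read ts_sec of the first packet from a classic libpcap file. Handles both
# byte orders and the nanosecond magic variants; pcapng (magic 0a0d0d0a) is
# not parsed and makes the function return 1.
pcap_first_ts() {
  f=$1
  magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
  # the first record header starts right after the 24-byte global header
  set -- $(od -An -tx1 -j24 -N4 "$f" 2>/dev/null)
  [ $# -eq 4 ] || return 1
  case "$magic" in
    d4c3b2a1|4d3cb2a1) hex="$4$3$2$1" ;;   # little-endian file
    a1b2c3d4|a1b23c4d) hex="$1$2$3$4" ;;   # big-endian file
    *) return 1 ;;
  esac
  printf '%d\n' "0x$hex"
}

# Print the given pcap files one per line, earliest first packet first.
# Files whose header cannot be parsed are reported on stderr and skipped.
ordered_pcaps() {
  for f in "$@"; do
    if ts=$(pcap_first_ts "$f"); then
      printf '%s %s\n' "$ts" "$f"
    else
      echo "skipping $f: not a classic pcap file" >&2
    fi
  done | sort -n | cut -d' ' -f2-
}

# Upload one file with the options from the documentation. Certificate
# verification is left on; set CURL_TLS_OPTS="--cacert kata-ca.pem" (or the
# page's -k) if needed. With DRY_RUN set, the command is printed instead of
# run, with the bearer token redacted.
upload_pcap() {
  url=$1; token=$2; file=$3
  set -- curl -X POST --location "$url" \
    -H "Authorization: Bearer $token" \
    -F "fileName=$(basename "$file")" -F "file=@$file" \
    -s --limit-rate 20M --connect-timeout 30 --max-time 600 \
    -o /dev/null -w '%{http_code}' $CURL_TLS_OPTS
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$*" | sed 's/Bearer [^ ]*/Bearer <redacted>/'
    return 0
  fi
  code=$("$@") || return 1
  case "$code" in
    2??) return 0 ;;
    *) echo "upload of $file failed: HTTP $code" >&2; return 1 ;;
  esac
}

# Constructed test data: a minimal little-endian pcap with one 4-byte packet
# whose ts_sec is $2. Not a real capture.
le32() {
  n=$1; i=0
  while [ "$i" -lt 4 ]; do
    printf "\\$(printf '%03o' $((n % 256)))"
    n=$((n / 256)); i=$((i + 1))
  done
}
make_sample_pcap() {
  {
    printf '\324\303\262\241\002\000\004\000'   # magic d4c3b2a1, version 2.4
    printf '\000\000\000\000\000\000\000\000'   # thiszone, sigfigs
    printf '\377\377\000\000\001\000\000\000'   # snaplen 65535, linktype 1
    le32 "$2"; le32 0; le32 4; le32 4          # ts_sec, ts_usec, incl_len, orig_len
    printf '\336\255\276\357'                  # packet bytes
  } > "$1"
}

# Upload the given files in capture order; stop at the first failure.
replay_in_order() {
  ordered_pcaps "$@" | while read -r f; do
    upload_pcap "$KATA_URL" "$KATA_TOKEN" "$f" || break
  done
}

# Stand-alone demo: file names deliberately do not match capture order.
demo() {
  d=$(mktemp -d)
  make_sample_pcap "$d/seg-a.pcap" 1700000600
  make_sample_pcap "$d/seg-b.pcap" 1700000000
  make_sample_pcap "$d/seg-c.pcap" 1700000300
  DRY_RUN=1 KATA_URL=${KATA_URL:-https://kata.example/ndr-api/pcap} \
    KATA_TOKEN=${KATA_TOKEN:-placeholder-token} replay_in_order "$d"/*.pcap
  rm -rf "$d"
}

case "${1:-demo}" in
  demo) demo ;;                      # sh replay.sh          -> dry run on samples
  *) replay_in_order "$@" ;;         # KATA_URL=... KATA_TOKEN=... sh replay.sh *.pcap
esac
```

Run it with no arguments to see the dry-run order on the constructed samples (seg-b, seg-c, seg-a); pass real capture files with KATA_URL and KATA_TOKEN set to upload them. The script relies on the first packet timestamp rather than file names or modification times, since captures copied from several sensors rarely preserve either.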
