Managing raw network traffic

When managing the web interface, users with the Senior security officer role can download raw network traffic dumps in PCAP format from servers with the Sensor component and conduct investigations to detect suspicious activity.

If you are using the distributed solution and multitenancy mode, follow the steps on the PCN or SCN server to which the server with the Sensor component is connected.

To download raw network traffic captured from network interfaces:

  1. Select the Sensor servers section in the window of the application web interface.

    The Server list table will be displayed.

  2. Select the Sensor component from which you want to download raw network traffic.

    This opens the Sensor component settings page.

  3. Select the network interfaces for which you want to download raw network traffic by selecting the check box to the left of the network interface name.

    By default, all network interfaces are selected.

    If the toggle switch in the SPAN traffic scanning column, to the right of the network interface name, is set to Disabled, you cannot download raw network traffic dumps from that network interface.

  4. Click Download traffic.

    This opens the raw network traffic download settings window.

    In this window, the First saved dump field displays the date and time of the first saved raw network traffic dump, and the Last saved dump field displays the date and time of the last raw network traffic dump. In the Available dump storage space field, the first number indicates the free space in dump storage, and the second number indicates the total size of the dump storage.

  5. Select the Period field and do the following:
    1. In the calendar, specify the start date and time and the end date and time of the period for which you want to download raw network traffic. By default, the end of the period is the current date and time, and the start of the period is one hour earlier on the current day.
    2. Click Apply.

    If recorded traffic does not exist for your selected period, when you click Download, Kaspersky Anti Targeted Attack Platform suggests selecting the period from the first recorded network traffic dump to the last. If no recorded dumps of raw network traffic exist at all, a warning is displayed indicating the lack of data for the specified period.

  6. In the Maximum dump size field, specify the maximum size of the downloaded raw network traffic dump.

    The default value is 100 MB. The minimum value is 1 MB, and the maximum value is 1,000,000 TB. A downloaded raw network traffic dump limited to the specified size contains data starting from the last record of the selected period.

  7. If you want to restrict the download of raw network traffic data, in the BPF traffic filtering field, set the toggle switch to Enabled.

    By default, the toggle switch is in the Disabled position.

  8. If you have set the toggle switch in the BPF traffic filtering field to Enabled, enter the filtering rule in the Filtering rule field. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page. The downloaded raw network traffic dump contains data that matches the entered filtering rule.

    Example of a filtering expression:

    tcp port 102 or tcp port 502

  9. If you want to restrict the download of raw network traffic data, in the Regexp traffic filter field, set the toggle switch to Enabled.

    By default, the toggle switch is in the Disabled position.

  10. If you have set the toggle switch in the Regexp traffic filter field to Enabled, in the Filtering rule field, enter the filtering rule. The downloaded raw network traffic dump contains data that matches the entered filtering rule.

    Example of a filtering expression:

    ^test.+xABxCD

  11. Click Download.

Raw network traffic dumps are downloaded in PCAP format.
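After the download, a practitioner usually wants to confirm that the PCAP actually covers the requested period and that the BPF and regexp filters selected what was intended. The following is an added example, not part of the original page and not Kaspersky Anti Targeted Attack Platform code: it builds a small constructed PCAP in memory (four Ethernet/IPv4/TCP frames with sample payloads, checksums left at zero), parses the libpcap file format with the standard library only, reports the first and last timestamps, and counts packets matching the page's BPF example (`tcp port 102 or tcp port 502`, reimplemented here as a port-set check) and the page's regexp example. Reading the regexp example's `xAB` and `xCD` as the hex byte escapes `\xAB` and `\xCD` is an assumption; the IP addresses, payloads and function names are likewise invented for the example.

```python
import re
import struct

# libpcap file-format constants (format details known independently of the page)
PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed sample data: minimal Ethernet/IPv4/TCP frame.
    Checksums stay zero; good enough for a parser test, not for sending."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def write_pcap(records):
    """Serialize (timestamp, frame) pairs as a little-endian PCAP v2.4 file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) from a PCAP file; handles both byte orders and ns magic."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
        magic = struct.unpack(">I", data[:4])[0]
    else:
        raise ValueError("not a PCAP file (bad magic)")
    divisor = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record")   # e.g. a dump cut off by the size limit
        yield sec + frac / divisor, data[off:off + incl_len]
        off += incl_len


def tcp_ports_and_payload(frame):
    """Return (sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != IPPROTO_TCP or len(frame) < 14 + ihl + 20:
        return None
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return sport, dport, tcp[data_off:]


def summarize_dump(data, ports, pattern):
    """Time span of the dump plus packet counts for a TCP port set and a payload regex."""
    regex = re.compile(pattern, re.DOTALL)
    stats = {"total": 0, "first_ts": None, "last_ts": None, "port_hits": 0, "regex_hits": 0}
    for ts, frame in read_pcap(data):
        stats["total"] += 1
        stats["first_ts"] = ts if stats["first_ts"] is None else min(stats["first_ts"], ts)
        stats["last_ts"] = ts if stats["last_ts"] is None else max(stats["last_ts"], ts)
        parsed = tcp_ports_and_payload(frame)
        if parsed is None:
            continue
        sport, dport, payload = parsed
        if sport in ports or dport in ports:
            stats["port_hits"] += 1       # equivalent of "tcp port 102 or tcp port 502"
        if regex.search(payload):
            stats["regex_hits"] += 1      # equivalent of the Regexp traffic filter
    return stats


# Constructed sample dump: four TCP packets, two on the ICS ports from the BPF example.
SAMPLE_RECORDS = [
    (1700000000.00, build_tcp_frame("10.0.0.5", "10.0.0.20", 50000, 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a")),
    (1700000001.25, build_tcp_frame("10.0.0.5", "10.0.0.21", 50001, 102, b"test packet \xab\xcd")),
    (1700000002.50, build_tcp_frame("10.0.0.6", "10.0.0.30", 50002, 443, b"test tls \xab\xcd")),
    (1700000003.75, build_tcp_frame("10.0.0.7", "10.0.0.40", 50003, 80, b"GET / HTTP/1.1\r\n")),
]
SAMPLE_PCAP = write_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    print(summarize_dump(SAMPLE_PCAP, {102, 502}, rb"^test.+\xAB\xCD"))
```

To check a real download, replace `SAMPLE_PCAP` with the bytes of the downloaded file; the `first_ts` and `last_ts` values should fall inside the period chosen in step 5, and a `truncated record` error indicates a dump cut short, which is worth expecting when the Maximum dump size limit was reached.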
