If you are using the distributed solution and multitenancy mode, follow the steps on the PCN or SCN server that you want to configure.
To enable and configure raw network traffic recording on a server with the Central Node and Sensor components installed:
The Server list table will be displayed.
This opens the Sensor component settings page.
The Network interfaces table is displayed.
By default, the toggle switch is in the Disabled position.
Raw network traffic recording on the server with the Central Node and Sensor components installed is enabled. Raw traffic recording settings are displayed.
By default, raw network traffic is saved to the /mnt/kaspersky/nta/dumps directory. You cannot change the directory for raw network traffic recording. You can view raw network traffic dumps in the /data/volumes/dumps directory.
The minimum value is set to 100 GB by default. The maximum value is 1,000,000 TB. For correct operation of the application, the connected drive must have at least the specified amount of free disk space.
If the total size of the dumps in dump storage exceeds the Maximum storage size value, the earliest dumps are deleted; the total size of the deleted dumps is equal to the size of the new dumps.
If you reduce the maximum dump storage size, the earliest dumps are deleted; the total size of the deleted dumps is equal to the amount by which the Maximum storage size value was reduced.
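The following is an added model of the retention rule described above, written for this page and not taken from the application itself. It assumes that dumps are deleted whole, oldest first, until the remaining dumps fit within the limit, so the freed space is at least (and may slightly exceed) the size of the new dump or of the limit reduction; the dump names, timestamps and sizes are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

GB = 1024 ** 3


@dataclass(frozen=True)
class Dump:
    """One raw traffic dump file in dump storage (constructed sample type)."""
    name: str
    saved_at: datetime
    size_bytes: int


def rotate(dumps: List[Dump], max_storage_bytes: int,
           new_dump: Optional[Dump] = None) -> Tuple[List[Dump], List[Dump]]:
    """Model of the retention rule: when the dumps in storage exceed the
    Maximum storage size (because a new dump was written or because the
    limit was lowered), the earliest dumps are deleted, oldest first, until
    the remaining dumps fit. Dumps are deleted whole (assumption), so the
    freed space is at least the size of the new dump or of the limit change.
    Returns (kept, deleted), both in order of saving time."""
    kept = sorted(dumps, key=lambda d: d.saved_at)
    if new_dump is not None:
        kept.append(new_dump)
    deleted: List[Dump] = []
    while kept and sum(d.size_bytes for d in kept) > max_storage_bytes:
        deleted.append(kept.pop(0))   # the earliest saved dump goes first
    return kept, deleted


def demo() -> dict:
    """Two cases from the page: a new dump arriving when storage is nearly
    full, and the administrator lowering the maximum storage size."""
    existing = [  # constructed sample dumps, 90 GB in total
        Dump("dump-01", datetime(2024, 1, 1, 8, 0), 30 * GB),
        Dump("dump-02", datetime(2024, 1, 1, 9, 0), 30 * GB),
        Dump("dump-03", datetime(2024, 1, 1, 10, 0), 30 * GB),
    ]
    # Case 1: limit 100 GB, 90 GB stored, a 30 GB dump is written.
    kept1, del1 = rotate(existing, 100 * GB,
                         Dump("dump-04", datetime(2024, 1, 1, 11, 0), 30 * GB))
    # Case 2: no new dump, but the limit is lowered from 100 GB to 60 GB.
    kept2, del2 = rotate(existing, 60 * GB)
    return {"new_dump_deleted": [d.name for d in del1],
            "new_dump_kept": [d.name for d in kept1],
            "lower_limit_deleted": [d.name for d in del2],
            "lower_limit_kept": [d.name for d in kept2]}


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```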
If you have set the toggle switch in the State field to Enabled, enter the filtering rule in the BPF filtering rule field. The BPF filtering rule is written in the libpcap format. For details on the syntax, see the pcap-filter manual page.
Example of a filtering expression:
tcp port 102 or tcp port 502
Raw network traffic recording on the server with the Sensor and Central Node components is performed in accordance with the specified settings.
The First saved dump field displays the date and time of the first saved raw network traffic dump, and the Last saved dump field displays the date and time of the last raw network traffic dump.