Configuring the recording of mirrored traffic from SPAN ports using the web interface

You can enable the recording of mirrored traffic from SPAN ports in the Kaspersky Anti Targeted Attack Platform web interface or in the administrator menu of the Sensor component.

If you are using the distributed solution and multitenancy mode, perform the configuration actions in the web interface of the PCN or SCN server to which the Sensor component is connected.

To enable the recording of mirrored traffic from SPAN ports in the Kaspersky Anti Targeted Attack Platform web interface:

  1. Connect and configure external storage.
  2. Select the Sensor servers section in the window of the application web interface.
  3. Click the card of the relevant Sensor component.

    This opens a window with information about the component.

  4. Click Edit.
  5. Go to the External storage tab.

    This tab is not displayed if an external storage is not connected.

    In the External storage section, the Oldest packet field displays the date and time of the first saved dump in the external storage. The Newest packet field displays the date and time of the last dump saved to external storage.

  6. If you want to use the external storage, set the Record traffic toggle switch to Enabled.

    By default, the toggle switch is in the Disabled position.

  7. In the Path for saving traffic field, specify the path to the directory in which you want the application to save traffic dumps.
  8. Do the following:
    1. Under Maximum storage size, specify the maximum size of traffic dumps that will be stored in the storage.

      If the size of dumps in the storage exceeds the specified value, the earliest dumps, with a total size equal to the size of the new dumps, are deleted.

      If you reduce the maximum dump storage size, the earliest dumps, with a total size equal to the change of the setting, are deleted.

    2. If you want to limit the capture of data in traffic, under Traffic filtering upon capture, set the BPF filtering toggle switch to Enabled. Traffic filtering can reduce the size of dumps in dump storage and facilitate traffic analysis.

      In the BPF filtering rules field, enter the filtering rule. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.

      Example of a filtering expression:

      tcp port 102 or tcp port 502

    3. If you want to configure the traffic dump storage duration, under Storage duration, set the Enable storage duration toggle switch to Enabled. In the Storage time (days) field, enter the number of days for which you want to store traffic dumps. Traffic dumps that are stored longer than the specified duration are deleted from the storage.
    4. Click Save.

The recording of mirrored traffic from SPAN ports is configured.

To enable recording of mirrored SPAN traffic in the administrator menu of the Sensor component:

  1. Connect and configure external storage.
  2. Enter the management console of the Sensor server via the SSH protocol or through a terminal.
  3. When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.

    This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press Enter.

  4. Go to the Program settings → Configure traffic capture section.

    To select a row, you can use the ↑, ↓, and Enter keys. The selected row is highlighted in red.

  5. This opens a window; in that window, select the Enabled traffic storage line and press Enter.

    [x] is displayed to the right of the title of the line.

    Raw network traffic recording on the standalone server with the Sensor component will be enabled.

  6. If necessary, edit raw network traffic recording settings:
    1. Select the Traffic storage size line and press Enter. This opens a window; in that window, specify the maximum total size of stored raw traffic dumps, in terabytes.

      The minimum value is set to 100 GB by default. The maximum value is 1,000,000 TB. For correct operation of the application, the connected drive must have at least the specified amount of free disk space. If the number entered in this field exceeds the free disk space on the connected drive, an error is displayed.

    2. Select the OK button and press Enter.
    3. Select the Traffic capture BPF-filter line and press Enter. This opens a window; in that window, enter the filtering rule. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.

      Example of a filtering expression:

      tcp port 102 or tcp port 502

    4. Select the OK button and press Enter.
    5. Select the Traffic storage duration (in days) line and press Enter. This opens a window; in that window, enter the storage duration for raw network traffic dumps in the storage, in days.
    6. Select the OK button and press Enter.

The recording of mirrored SPAN traffic is configured.
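The storage rules described in both procedures above (oldest dumps evicted when the maximum storage size is exceeded, dumps older than the storage duration deleted, and the admin-menu check that the configured size does not exceed free disk space) are modelled in the following added example. It is illustration code written for this page, not part of Kaspersky Anti Targeted Attack Platform; the dump names, sizes and timestamps are constructed, and the `Dump` class and the function names are assumptions made for the model. It is useful for reasoning about how much traffic history a given storage size and retention period actually keep.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

GB = 10**9  # decimal gigabytes, matching the GB/TB units used in the settings


@dataclass
class Dump:
    """One traffic dump saved to external storage (constructed model, not a product type)."""
    name: str
    saved_at: datetime
    size_bytes: int


def evict_by_size(dumps, max_storage_bytes, new_dump):
    """Add new_dump to the storage. If the total size then exceeds the maximum
    storage size, delete the earliest dumps until the freed space equals
    (at least) the size of the new dump, as the settings description states."""
    dumps = sorted(dumps, key=lambda d: d.saved_at) + [new_dump]
    total = sum(d.size_bytes for d in dumps)
    if total <= max_storage_bytes:
        return dumps
    freed = 0
    while dumps and freed < new_dump.size_bytes:
        freed += dumps.pop(0).size_bytes  # pop(0) removes the oldest dump
    return dumps


def prune_by_age(dumps, storage_days, now):
    """Delete dumps stored longer than the configured storage duration (days)."""
    cutoff = now - timedelta(days=storage_days)
    return [d for d in dumps if d.saved_at >= cutoff]


def check_storage_size(max_storage_bytes, free_bytes):
    """Admin-menu rule: the configured traffic storage size must not exceed the
    free space on the connected drive, otherwise an error is displayed."""
    return max_storage_bytes <= free_bytes


def oldest_newest(dumps):
    """The values shown as 'Oldest packet' and 'Newest packet' on the External storage tab."""
    if not dumps:
        return None, None
    ordered = sorted(dumps, key=lambda d: d.saved_at)
    return ordered[0].saved_at, ordered[-1].saved_at


def demo():
    """Constructed scenario: four 3 GB dumps saved one day apart, a 10 GB limit,
    then a 2-day storage duration applied. Returns the surviving dumps."""
    t0 = datetime(2024, 1, 1, 0, 0)
    limit = 10 * GB
    storage = []
    for i in range(4):
        new = Dump(f"dump-{i + 1:02d}", t0 + timedelta(days=i), 3 * GB)
        storage = evict_by_size(storage, limit, new)
    # After the 4th dump: 12 GB > 10 GB, so dump-01 (3 GB) is evicted.
    storage = prune_by_age(storage, storage_days=2, now=t0 + timedelta(days=3, hours=1))
    # dump-02 is now older than 2 days and is deleted; dump-03 and dump-04 remain.
    return storage


if __name__ == "__main__":
    remaining = demo()
    print("remaining dumps:", [d.name for d in remaining])
    print("oldest/newest:", oldest_newest(remaining))
    print("10 GB limit on a drive with 8 GB free is valid:", check_storage_size(10 * GB, 8 * GB))
```

Run with a real ingest rate (bytes per day of mirrored traffic) in place of the constructed 3 GB dumps to see whether the size limit or the storage duration is the setting that actually bounds your retained history; whichever triggers first decides how far back an investigation can reach.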
