The application saves the traffic received through the monitoring points as traffic dump files. Each node uses its internal storage for online storage of these files and for analysis of the traffic saved in them; files are saved to and deleted from the internal storage according to the internal storage settings specified for the node. To keep traffic dump files for the long term, connect and configure an external storage on the node. Traffic dump files kept in the external storage can be used to export traffic to PCAP files, for example, to export the traffic of network sessions whose dump files have already been deleted from the node's internal storage.
Use a directory in the local file system of the node computer as the external storage. This directory must be located on a disk that has sufficient free space and that does not contain the /var/ directory (a separate disk keeps a growing set of dump files from filling the file system that the node itself writes to). You can also use a directory on which a shared network resource of another computer is mounted, similar to the directory used for exporting events to a network resource. The kics4net account must have permissions on the directory, including permission to create nested directories in it.
Actions for creating and mounting a directory for the external storage are performed using the standard operating system tools of the node computer.
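The following POSIX shell script is an added illustration of that preparation and is not part of the product documentation. It validates a candidate directory against the requirements above (not /var or below it, on a different file system than /var, enough free space), hands it to the kics4net account and proves that the account can create a nested directory in it. The account name kics4net is taken from the page; the mount point /mnt/kics-dumps, the group name kics4net and the 50 GB minimum are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the product documentation. The account name
# kics4net comes from the page; the mount point /mnt/kics-dumps, the group
# name kics4net and the 50 GB minimum are assumptions for illustration.
set -eu

# 0 if DIR is an acceptable location, i.e. neither /var itself nor below it.
# /variant must pass: match on the path component, not on a string prefix.
path_is_outside_var() {
    case "$1" in
        /var|/var/*) return 1 ;;
        *)           return 0 ;;
    esac
}

# 0 if DIR sits on a different file system (device number) than /var.
# A separate file system is what keeps a growing dump store from filling
# the volume the node itself writes to.
on_different_fs_than_var() {
    [ "$(stat -c %d "$1")" != "$(stat -c %d /var)" ]
}

# 0 if the file system holding DIR has at least MIN_GB gigabytes available.
has_min_free_gb() {
    avail_kb=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    [ "$avail_kb" -ge $(( $2 * 1024 * 1024 )) ]
}

# Create DIR (the mount point must exist before the disk is mounted on it),
# hand it to the kics4net account and prove that the account can create a
# nested directory there. Requires root; MIN_GB defaults to 50.
prepare_storage_dir() {
    dir=$1
    min_gb=${2:-50}
    if ! path_is_outside_var "$dir"; then
        echo "refusing $dir: it is inside /var" >&2
        return 1
    fi
    mkdir -p "$dir"
    if ! on_different_fs_than_var "$dir"; then
        echo "$dir shares a file system with /var; mount a separate disk on it first" >&2
        return 1
    fi
    if ! has_min_free_gb "$dir" "$min_gb"; then
        echo "$dir has less than ${min_gb} GB free" >&2
        return 1
    fi
    chown kics4net:kics4net "$dir"
    chmod 750 "$dir"
    # The decisive check: create and remove a nested directory as the service account.
    su -s /bin/sh kics4net -c "mkdir '$dir/.probe' && rmdir '$dir/.probe'"
}

# Usage (as root): ./prepare_dump_storage.sh /mnt/kics-dumps [MIN_GB]
if [ "$#" -gt 0 ]; then
    prepare_storage_dir "$@"
fi
```

Run it once with the directory created as a mount point but the disk not yet mounted, and it refuses because the directory still shares a file system with /var; mount the disk with the operating system tools (mount, /etc/fstab), run it again, and it then sets ownership and performs the nested-directory probe as kics4net, which is the permission the application actually needs.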
To connect and configure the external storage for the traffic dump files on a node:
The details area appears in the right part of the web interface window.
The details area will show the tabs for configuring the node parameters.
You can select the unit of measure for the space limit: MB or GB.
Filtering reduces the volume of stored traffic by skipping the network packets that do not match the filter. The trade-off is that packets skipped at save time are gone: when you later view these traffic dump files or export traffic from them, the skipped packets cannot be recovered or exported.