Managing mirrored traffic from SPAN ports
When managing the web interface, users with the Senior security officer role can download dumps of mirrored traffic from SPAN ports in PCAP format from servers with the Sensor component and conduct investigations to detect suspicious activity.
If you are using the distributed solution and multitenancy mode, follow the steps on the PCN or SCN server to which the server with the Sensor component is connected.
To download mirrored traffic from SPAN ports:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Sensor component.
This opens a window with information about the component.
- Click Download traffic.
The download options window is displayed.
In the Internal storage section, the Oldest packet field displays the date and time of the first saved dump in the internal storage. In the Used / maximum field, the first number indicates the occupied space in the internal storage, and the second number indicates the total size of the internal storage. The External storage section displays the storage status: Connected or Not connected.
- Do the following:
- In the Period of traffic to download, set the bounds for the period for which you want to download traffic dumps.
If recorded traffic does not exist for your selected period, when you click Download traffic, Kaspersky Anti Targeted Attack Platform suggests selecting the period from the first recorded network traffic dump to the last. If no recorded dumps exist at all, a warning is displayed indicating the lack of data for the specified period.
- In the Download volume limit field, you can specify the maximum amount of traffic to be downloaded.
If the amount of downloaded traffic exceeds the specified limit, the newest traffic is dropped.
- If necessary, enable filtering under Filtering by monitoring points and specify the monitoring points from which you want to get traffic.
- If necessary, enable filtering in the Filtering using BPF section and enter a filtering expression using the Berkeley Packet Filter (BPF) technology. The BPF filtering expression is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
Example of a filter expression:
tcp port 102 or tcp port 502 - If necessary, enable filtering in the Filtering using regular expressions section and enter an expression for filtering based on payload data in traffic.
Example of a filtering expression:
^test.+xABxCD
- In the Period of traffic to download, set the bounds for the period for which you want to download traffic dumps.
- Click Download traffic.
Dumps of mirrored traffic from SPAN ports are downloaded in PCAP format.
Recommendations for sequential traffic download requests
We recommend taking into account the time it takes to process the previous traffic download request when sending a new one.
If the next traffic download request arrives before the previous one has completed, dump file download may fail without any error messages.
The request processing time depends on various factors: the search range, the volume of traffic to be downloaded, and the speed of the connection between the Sensor, the server and the client computer.
The volume of traffic to be downloaded depends on the client's requirements; small volumes can be downloaded in a matter of seconds. If the user attempts to download all available traffic, the download speed limit of 50 Mbps is applied. This limitation protects the system from overload caused by downloading a large volume of traffic. At 50 Mbps, downloading 1 GB of traffic takes about 20 seconds, and 1 TB downloads in about 5.5 hours.
Page top