When managing the web interface, users with the Senior security officer role can download dumps of mirrored traffic from SPAN ports in PCAP format from servers with the Sensor component and conduct investigations to detect suspicious activity.
If you are using the distributed solution and multitenancy mode, follow the steps on the PCN or SCN server to which the server with the Sensor component is connected.
To download mirrored traffic from SPAN ports:
This opens a window with information about the component.
The download options window is displayed.
In the Internal storage section, the Oldest packet field displays the date and time of the first saved dump in the internal storage. In the Used / maximum field, the first number indicates the occupied space in the internal storage, and the second number indicates the total size of the internal storage. The External storage section displays the storage status: Connected or Not connected.
If recorded traffic does not exist for your selected period, when you click Download traffic, Kaspersky Anti Targeted Attack Platform suggests selecting the period from the first recorded network traffic dump to the last. If no recorded dumps exist at all, a warning is displayed indicating the lack of data for the specified period.
If the amount of downloaded traffic exceeds the specified limit, the newest traffic is dropped.
Example of a filter expression: tcp port 102 or tcp port 502
Example of a filtering expression: ^test.+xABxCD
Dumps of mirrored traffic from SPAN ports are downloaded in PCAP format.
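The two filter kinds shown above (a BPF-style port filter and a payload regular expression) can be checked against a downloaded dump without any platform access. The following script is an added example, not part of the Kaspersky Anti Targeted Attack Platform documentation or product code; it assumes the regular expression is matched against the payload of each TCP packet using Python's `re` syntax (the page does not state the product's regex dialect or whether it matches per packet or per stream), and the PCAP it reads is a minimal Ethernet/IPv4/TCP file constructed inline so the script runs offline.

```python
"""Apply the page's two filter examples to a PCAP dump offline.

Added example, not product code. Uses only the standard library; the sample
PCAP is constructed below so the script runs without any captured traffic.
"""
import re
import struct


def _tcp_packet(src_port, dst_port, payload):
    """Build one Ethernet/IPv4/TCP frame (constructed sample, zero checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port,     # ports
                      0, 0,                                 # seq, ack
                      5 << 4, 0x18,                          # data offset 5 words, PSH|ACK
                      0xFFFF, 0, 0) + payload                # window, checksum, urgent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp


def build_pcap(packets):
    """Serialise frames into a little-endian libpcap file (link type Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out = [header]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


# Constructed sample dump: two ICS ports, one TLS port, one HTTP port.
SAMPLE_PCAP = build_pcap([
    _tcp_packet(40000, 102, b"test payload xABxCD"),           # S7comm port, regex hit
    _tcp_packet(40001, 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # Modbus
    _tcp_packet(40002, 443, b"test something xABxCD"),         # regex hit, port not selected
    _tcp_packet(40003, 80, b"GET / HTTP/1.1"),
])


def read_pcap(data):
    """Yield (timestamp_sec, frame_bytes) from a little-endian libpcap buffer."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a little-endian libpcap file")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def decode_tcp(frame):
    """Return (src_port, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                                   # IPv4 protocol field: 6 = TCP
        return None
    tcp_off = 14 + ihl
    src, dst = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, frame[tcp_off + data_off:]


def tcp_port_filter(ports):
    """Equivalent of 'tcp port 102 or tcp port 502': either endpoint port matches."""
    ports = set(ports)
    return lambda src, dst, payload: src in ports or dst in ports


def payload_regex_filter(pattern):
    """Match the page's regex example against the raw TCP payload (assumed per packet)."""
    rx = re.compile(pattern.encode())
    return lambda src, dst, payload: rx.search(payload) is not None


def select_packets(pcap_bytes, *predicates):
    """Return indices of TCP packets for which every predicate holds."""
    kept = []
    for idx, (_, frame) in enumerate(read_pcap(pcap_bytes)):
        decoded = decode_tcp(frame)
        if decoded and all(p(*decoded) for p in predicates):
            kept.append(idx)
    return kept


if __name__ == "__main__":
    ports = tcp_port_filter([102, 502])
    regex = payload_regex_filter(r"^test.+xABxCD")
    print("port filter only:", select_packets(SAMPLE_PCAP, ports))
    print("regex only:      ", select_packets(SAMPLE_PCAP, regex))
    print("both:            ", select_packets(SAMPLE_PCAP, ports, regex))
```

Running it against a real dump means replacing `SAMPLE_PCAP` with the file contents; the port filter narrows to the ICS ports named in the page's example, and the regex then keeps only packets whose payload starts with `test`, which is the cheap way to confirm that a narrow filter before download would have sufficed before requesting a large time range at the 50 Mbps limit.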
Recommendations for sequential traffic download requests
We recommend taking into account the time it takes to process the previous traffic download request when sending a new one.
If the next traffic download request arrives before the previous one has completed, dump file download may fail without any error messages.
The request processing time depends on various factors: the search range, the volume of traffic to be downloaded, and the speed of the connection between the Sensor, the server and the client computer.
The volume of traffic to be downloaded depends on the client's requirements; small volumes can be downloaded in a matter of seconds. If the user attempts to download all available traffic, the download speed limit of 50 Mbps is applied. This limitation protects the system from overload caused by downloading a large volume of traffic. At 50 Mbps, downloading 1 GB of traffic takes about 20 seconds, and 1 TB downloads in about 5.5 hours.