Overview
Traffic Analyzer is a network-based analysis framework capable of deep protocol analysis, which makes it a capable intrusion detection system (IDS).
It listens on an Ethernet interface and creates logs based on the traffic that flows through that interface.
Prerequisites
- Version 9.0.0 server-setup or above.
- SPAN port
SPAN Port
SPAN (Switched Port Analyzer) is a dedicated port on a switch that takes a mirrored copy of network traffic from within the switch to be sent to a destination. The destination is typically a monitoring device or other tools used for troubleshooting or traffic analysis.
SPAN ports are built into most network switches, which makes them a cost-effective option for monitoring network traffic. They are also scalable: a SPAN session can be configured to mirror multiple ports simultaneously, which suits larger networks.
For more information about setting up a SPAN port, see Configuring SPAN Port.
Installation Scenarios
A traffic analyzer can be installed in one of the following two scenarios:
- On the same machine as the OTM's CCE: If it is installed on the same machine as the CCE, the order of installation matters. The CCE base package must be installed first, followed by the Traffic Analyzer / Deep Packet Inspection (DPI) package.
- On a separate machine: A traffic analyzer can also be installed on a machine separate from the CCE, but that machine must be running Rocky Linux 8.5. For information about installing Rocky Linux, see Rocky Linux 8.5 Installation.
Note: NTA can only be installed using the Kafka method; the API method does not work.
Installation Preparation
Scenario #1: On the Same Machine
- Install the CCE using the API or Kafka method.
- Download the following files from ADR Package Download Links:
  - pfring.tar.gz
  - cce-trafficanalyzer-10.3.2-7725.tar.gz
  Use the following download command for each file:
  $ wget -O pfring.tar.gz -c <link to file>
- As the root user, untar the pfring.tar.gz file:
  # tar -xvzf pfring.tar.gz
- Run the installer:
  # ./pfring/pfring_installer.sh
- After installation, exit from root mode and untar the traffic analyzer file:
  $ tar -xvzf cce-trafficanalyzer-10.3.2-7725.tar.gz
- Go inside the untarred package:
  $ cd <untarred package name>
- Open cce-global-config.yml:
  $ vi cce-global-config.yml
  Change the APE IP to the customer APE IP and save your changes.
- Install the NTA package:
  $ ./setup.sh -a
  Provide the information requested by the prompts, including the SPAN port.
Scenario #2: On a Separate Machine
- Download the following files from ADR Package Download Links:
  - pfring.tar.gz
  - cce-trafficanalyzer-10.3.2-7725.tar.gz
- As the root user, untar the pfring.tar.gz file:
  # tar -xvzf pfring.tar.gz
- Run the installer:
  # ./pfring/pfring_installer.sh
  After installation, exit from root mode.
- Install Traffic Analyzer from /home/seceon:
  $ ./install.sh -dpi
  Provide the information requested by the prompts, including the SPAN port.
- During installation, you may see an error about the CCE Upgrade container. You can ignore this message.
- After installation, untar the traffic analyzer file:
  $ tar -xvzf cce-trafficanalyzer-10.3.2-7725.tar.gz
- Inside the patch folder, run:
  $ ./autorun.sh
  On the next prompt, type yes:
  Is CCE and APE co exist ? Please confirm (yes/no): yes
- After the DPI package finishes untarring, the logs processor is installed, followed by the Traffic Analyzer. Enter the serial number of the SPAN port network interface to monitor.
- After the Traffic Analyzer is installed, the system health monitor is installed. Wait for a success message to be displayed. If there is any issue, re-run this command:
  $ ./install.sh -dpi
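As an added pre-flight check written for this article (not a script from the vendor package), the following POSIX shell functions verify, before either scenario's installers are run, the prerequisites the steps above depend on: a Rocky Linux 8.5 host, a loaded pf_ring kernel module, and a SPAN-facing interface that is up and actually receiving mirrored frames. It assumes Linux sysfs at /sys/class/net and that pfring_installer.sh loads a module named pf_ring; that module name and the file name nta_preflight.sh are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added pre-flight check for a Traffic Analyzer (NTA/DPI) host. Not part of the
# vendor package or this article; it verifies the prerequisites the install
# steps depend on before pfring_installer.sh / setup.sh / install.sh are run.
# Assumptions: Linux sysfs at /sys/class/net, and that pfring_installer.sh
# loads a kernel module named "pf_ring" (the module name is not in the article).

# check_os_release OS_RELEASE_TEXT
# Succeeds only for ID=rocky and VERSION_ID=8.5 (the release the separate-machine
# scenario requires). Quotes around the values are optional, as in os-release(5).
check_os_release() {
    printf '%s\n' "$1" | grep -qx 'ID="\{0,1\}rocky"\{0,1\}' || return 1
    printf '%s\n' "$1" | grep -qx 'VERSION_ID="\{0,1\}8\.5"\{0,1\}' || return 1
}

# check_pfring_module MODULES_FILE  (normally /proc/modules)
check_pfring_module() {
    grep -q '^pf_ring ' "$1"
}

# check_span_iface SYSFS_NET IFACE SECONDS
# 1: interface missing, 2: link not up, 3: rx_packets did not rise in SECONDS.
# A SPAN session that mirrors nothing is a silent failure: the installer accepts
# the interface but the IDS then sees no traffic, so the counter is sampled.
check_span_iface() {
    dir="$1/$2"
    [ -r "$dir/operstate" ] || return 1
    [ "$(cat "$dir/operstate")" = "up" ] || return 2
    before=$(cat "$dir/statistics/rx_packets")
    sleep "$3"
    after=$(cat "$dir/statistics/rx_packets")
    [ "$after" -gt "$before" ] || return 3
}

# main SPAN_IFACE: run all checks against the live host and report.
main() {
    rc=0
    check_os_release "$(cat /etc/os-release)" || { echo "WARN: host is not Rocky Linux 8.5"; rc=1; }
    check_pfring_module /proc/modules || { echo "FAIL: pf_ring not loaded; run pfring_installer.sh first"; rc=1; }
    check_span_iface /sys/class/net "$1" 5 || { echo "FAIL: $1 is down or got no mirrored frames in 5s"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: host ready for the Traffic Analyzer installer"; fi
    return "$rc"
}

# Usage on the NTA host: sh nta_preflight.sh <span-iface>
if [ $# -ge 1 ]; then main "$1"; fi
```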