
Antipova Anna
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Sometimes you may need KATA to capture transmitted (outgoing) traffic as well as received traffic, for example to test Suricata detections locally by generating traffic from the sensor itself. By default the pf_ring module on the sensor does not capture transmitted frames, so the module option enable_tx_capture has to be turned on and the module reloaded.

Here's how to do it.

Instructions for KATA 3.7.*

  • In /etc/modprobe.d/pf_ring.conf, set enable_tx_capture=1 on the existing options line (keep the other options). The file should look like this:

    options pf_ring enable_tx_capture=1 min_num_slots=16384
  • Stop the apt-preprocessor and suricata services. They hold pf_ring rings open, and rmmod refuses to unload a module that is in use ("Module pf_ring is in use"):

    systemctl stop apt-preprocessor.service
    systemctl stop suricata.service
  • Reload the pf_ring module so that the new option takes effect:

    rmmod pf_ring
    modprobe pf_ring
  • Start apt-preprocessor and suricata again:

    systemctl start apt-preprocessor.service
    systemctl start suricata.service

Instructions for KATA 4.0/4.1

  • In /etc/modprobe.d/pf_ring.conf, set enable_tx_capture=1 on the existing options line (keep the other options). The file should look like this:

    options pf_ring enable_tx_capture=1 min_num_slots=16384
  • Stop the docker service (in these versions the capture components run in containers, which hold pf_ring open and would block rmmod):

    systemctl stop docker
  • Reload the pf_ring module so that the new option takes effect:

    rmmod pf_ring
    modprobe pf_ring
  • Start docker again:

    systemctl start docker

Instructions for KATA 5.0

  • In /etc/pf_ring/pf_ring.conf (note the different location in this version), set enable_tx_capture=1 on the existing options line (keep the other options). The file should look like this:

    options pf_ring enable_tx_capture=1 min_num_slots=16384
  • Stop the docker service (the capture components run in containers, which hold pf_ring open and would block rmmod):

    systemctl stop docker
  • Reload the pf_ring module so that the new option takes effect:

    rmmod pf_ring
    modprobe pf_ring
  • Start docker again:

    systemctl start docker

With these changes, KATA will capture and process both incoming and outgoing traffic on the capture interface. Keep in mind that the sensor's own outgoing traffic is now inspected as well, so revert the setting (enable_tx_capture=0 or remove the option, then reload the module the same way) once local testing is finished if you do not want that in production.
