Unispeed ATL 1.0


Unispeed ATL setup.



The Unispeed ATL complies with the European (ETSI) and Danish (Logningsbekendtgørelsen, the Danish data retention order) logging requirements.

The Unispeed ATL can be remotely configured to handle the following tasks:

Intercept session data from peering points (IRI) (bagudrettet logning, i.e. retrospective logging)

Collect unique user identities from DHCP requests, DHCP option 82, or logins on a Remote Access Server (RAS)

Extract session data for targeted IP addresses, MAC addresses or login information and create reports for the authorities (ATL logs)

Intercept content data for targeted IP addresses or MAC addresses (CC) (fremadrettet logning, i.e. prospective logging)



The following screenshot shows a small network where a single ATL receives mirrored traffic from three different sources: a border router, a DHCP server and an access router.



Intercept session data from peering points (bagudrettet logning, retrospective logging)


In order for the Unispeed ATL to retrieve session data from a border router you will need to configure a SPAN (mirror) port on the router or install a network tap or optical splitter. The Netlogger/ATL must be able to see the traffic in both directions.

Packets from network

Drag and drop the Packets From Network tool from the Input menu onto the canvas, the large area to the right of the Palette. Right-click the tool and select Options. Choose the interface you want to collect packets from. If your ATL has 4 sniffer interfaces plus 1 management and 1 uplink interface, K-sniffer 0 listens on eth2, K-sniffer 1 on eth3, and so forth.


Discard ACKs

Leave Discard ACKs unchecked. When it is checked, the K-sniffer drops TCP ACK-only packets, that is, ACK packets carrying no payload.

Network

If a network in CIDR notation (e.g. 192.168.1.0/24) or IP address/netmask notation (e.g. 192.168.1.0/255.255.255.0) is entered here, the K-sniffer only records packets originating from or destined to that network. This is useful if you are only required to log part of your network. If you do not need this option, leave the field blank.

Port

If a port number or a range of ports is entered, the K-sniffer only records packets to and from the given port or ports. Enter "0" to have the K-sniffer listen on all ports.

Protocol

You can have the K-sniffer record packets from TCP, UDP, ICMP or all protocols. In this example you could set the K-sniffer that collects DHCP requests to UDP only; otherwise leave it at all.

The Packets from Network tool contains a 'traffic light' control, which is initially red. Click the traffic light to start the tool (the traffic light turns green).

Now right-click the Packets from Network tool and choose "Data Samples" to see what kind of traffic is running through each Packets from Network tool.

Session info

Drag and drop the Session info tool onto the canvas. The tool can be found by expanding the Packet Operations icon in the Palette.

Connect the two tools by dragging the blue arrow from the Packets from network tool that receives traffic from the border router, to the Session info tool. You do not need to configure the tool.


The output from Session info matches what the anti-terror (data retention) requirements ask for: sender and receiver IP address, sender and receiver port number, transport protocol, and timestamps for the initiating and terminating packet of each session.

If no terminating packet is seen, the ATL times the session out after 20 minutes and records the timestamp of the last packet in the session; the session state is held in memory until then.
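The following is an added example, not Unispeed code, illustrating two things the text above describes: the Packets-from-Network filter options (Network in CIDR or IP/netmask form, Port with "0" meaning all, Protocol, Discard ACKs) and the session reconstruction that Session info performs, including the 20-minute timeout for sessions that never see a terminating packet. The Packet record, the field names and the sample traffic are constructed for this demonstration and are not the ATL's internal format.

```python
"""Added example (not Unispeed code): a K-sniffer-style packet filter and the
session reconstruction that Session info performs, over constructed packets.
The Packet class, field names and sample traffic are assumptions modelled on
the description in the text, not the ATL's internal format."""
import ipaddress
from dataclasses import dataclass, field

SESSION_TIMEOUT = 20 * 60  # seconds: the ATL times a session out 20 min after its last packet


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                                # "tcp", "udp" or "icmp"
    flags: set = field(default_factory=set)   # TCP flags seen, e.g. {"SYN"}, {"FIN", "ACK"}
    payload: int = 0                          # payload bytes (0 for a bare ACK)


def make_filter(network="", ports="0", proto="all", discard_acks=False):
    """Mirror the Packets-from-Network options. `network` accepts CIDR
    (192.168.1.0/24) or IP/netmask (192.168.1.0/255.255.255.0); an empty
    string means no network restriction. `ports` is "0" (all), "80" or "80-443"."""
    net = ipaddress.ip_network(network, strict=False) if network else None
    if ports.strip() == "0":
        port_range = None
    else:
        lo, _, hi = ports.partition("-")
        port_range = (int(lo), int(hi or lo))

    def accept(p: Packet) -> bool:
        if net is not None and not (ipaddress.ip_address(p.src) in net
                                    or ipaddress.ip_address(p.dst) in net):
            return False
        if port_range is not None and not any(
                port_range[0] <= x <= port_range[1] for x in (p.sport, p.dport)):
            return False
        if proto != "all" and p.proto != proto:
            return False
        # Discard ACKs: drop TCP packets that carry only the ACK flag and no payload
        if discard_acks and p.proto == "tcp" and p.flags == {"ACK"} and p.payload == 0:
            return False
        return True

    return accept


def session_key(p: Packet):
    """Direction-independent 5-tuple so both halves of a flow share one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def track_sessions(packets, accept=lambda p: True, timeout=SESSION_TIMEOUT):
    """Return session records: initiating/receiving IP and port, protocol,
    start and end timestamp, and how the session ended."""
    open_sessions, closed = {}, []
    for p in sorted(packets, key=lambda x: x.ts):
        if not accept(p):
            continue
        # Close any session idle longer than the timeout; its end time is the
        # timestamp of the last packet seen, as the text describes.
        for k in [k for k, s in open_sessions.items() if p.ts - s["end"] > timeout]:
            s = open_sessions.pop(k)
            s["closed_by"] = "timeout"
            closed.append(s)
        k = session_key(p)
        s = open_sessions.get(k)
        if s is None:
            s = open_sessions[k] = {
                "proto": p.proto, "init_ip": p.src, "init_port": p.sport,
                "recv_ip": p.dst, "recv_port": p.dport,
                "start": p.ts, "end": p.ts, "closed_by": None}
        s["end"] = p.ts
        # Simplification: the first FIN or RST is treated as the terminating packet.
        if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
            s["closed_by"] = "terminating packet"
            closed.append(open_sessions.pop(k))
    for s in open_sessions.values():          # still open at end of capture
        s["closed_by"] = "timeout"
        closed.append(s)
    return closed


# Constructed sample traffic: one HTTPS session that closes with a FIN, and one
# DNS exchange (UDP) with no terminating packet, so it can only end by timeout.
SAMPLE = [
    Packet(100.0, "10.0.0.5", 40000, "93.184.216.34", 443, "tcp", {"SYN"}),
    Packet(100.2, "93.184.216.34", 443, "10.0.0.5", 40000, "tcp", {"SYN", "ACK"}),
    Packet(100.3, "10.0.0.5", 40000, "93.184.216.34", 443, "tcp", {"ACK"}),        # bare ACK
    Packet(100.4, "10.0.0.5", 40000, "93.184.216.34", 443, "tcp", {"ACK"}, 517),
    Packet(130.0, "93.184.216.34", 443, "10.0.0.5", 40000, "tcp", {"FIN", "ACK"}),
    Packet(200.0, "10.0.0.5", 53000, "8.8.8.8", 53, "udp", payload=40),
    Packet(200.1, "8.8.8.8", 53, "10.0.0.5", 53000, "udp", payload=120),
]


def demo(**filter_opts):
    """Run the sample through a filter built from the given options."""
    return track_sessions(SAMPLE, make_filter(**filter_opts))


if __name__ == "__main__":
    for s in demo(network="10.0.0.0/24"):
        print(s)
```

Running the sample yields two sessions: the TCP one ends at the FIN (start 100.0, end 130.0), the UDP one is closed by timeout with the last packet's timestamp (200.1). Setting proto="udp" or ports="443" narrows the result to one session each, and the two network notations give identical output.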

Log sessions

To conclude your session logging, connect a Log sessions tool to the Session info tool and configure it. The Log sessions tool is found under Output.


Prefix

In this field you give your log file a unique name. This is important because the ATL can collect data from several networks at the same time, and the prefix lets you later extract data from a specific router or network. The ATL writes the files to the directory pub://_slog/ and names them prefix-yyyy-mm-ddThhmmss.slog

Rotate file

This option lets the ATL rotate and timestamp files at a chosen interval. If you transfer your log files to another ATL for mediation or to network attached storage, it makes sense to use the same interval as the transfer. Selecting "never" disables rotation.

Limit size

Rotates the files when they reach the given size in MB. Setting the size to "0" disables the Limit size option.

Collect unique user identities from DHCP requests, option 82, or logins from a Remote Access Server (RAS)


Unispeed ATL supports several methods of identifying the unique user and mediating the session log data with the end user data.
If only static IP addresses are used on the network, a simple database lookup reveals to whom an IP address is assigned.
However, as most networks use dynamic IP addresses, you may need to configure the ATL to extract the DHCP requests in order to record the client hardware address to which each IP address is leased.
On networks with DHCP option 82 enabled, the ATL also retrieves the information contained in that option (the relay agent's circuit ID and remote ID).
On wireless networks, or networks where the unique user cannot be identified by hardware address or assigned port number, you will need an access router and a remote access server to handle access control.
Unispeed ATL can act as DHCP server and access router with the "Netreg" extension installed; in this configuration the ATL must be in bridge mode.

The following example describes a network with DHCP option 82 enabled. In order for the Unispeed ATL to retrieve the DHCP data, you will need to configure a SPAN port on a switch from which the DHCP packets can be mirrored.

DHCP option 82

The purpose of the Extract DHCP option 82 tool is to generate a log file containing the relationship between an IP address and the client hardware address that leased it, together with the other information contained in the option 82 field.
Set the "Packets from network" tool that supplies the packets to read UDP packets only, and connect it to the "Extract DHCP option 82" tool.


The output from Extract DHCP Option 82 contains the following fields:
assigned IP, circuit ID, client hardware address, remote ID, and the time the IP was leased.
The output from "Extract DHCP Option 82" must be written to disk by the "Log to file" tool. The log file must be named pub://_dhcp/dhcp.log for the "ATL logs" extension to work properly.
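As an added example, not Unispeed code, the following decodes a DHCP message and pulls out the fields listed above (assigned IP, circuit ID, client hardware address, remote ID) and emits one log line per DHCPACK, since only the ACK confirms a lease. The option 82 layout is the one specified in RFC 3046 (sub-option 1 circuit ID, sub-option 2 remote ID, echoed by the server in its replies); the message builder, the sample packets and the log-line layout are constructed for this demonstration.

```python
"""Added example (not Unispeed code): parse a DHCP message, pull the fields the
Extract DHCP Option 82 tool logs (assigned IP, circuit ID, client hardware
address, remote ID, lease time) and emit one log line per DHCPACK. The packet
builder, sample packets and log-line layout are assumptions for this demo."""
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that ends the fixed BOOTP header


def parse_dhcp(payload: bytes) -> dict:
    """Decode the BOOTP header and the option list of a DHCP message.
    Option 82 (RFC 3046) sub-option 1 is the circuit ID, 2 the remote ID; the
    server echoes the relay agent's option 82 back in its replies."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    rec = {
        "op": payload[0],
        "yiaddr": ".".join(str(b) for b in payload[16:20]),             # assigned IP
        "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),  # client MAC
        "msg_type": None, "circuit_id": None, "remote_id": None,
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad
            i += 1
            continue
        if i + 1 >= len(payload):  # truncated option header
            break
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:    # truncated option body: stop, keep what we have
            break
        if code == 53 and length == 1:
            rec["msg_type"] = data[0]
        elif code == 82:
            j = 0
            while j + 2 <= len(data):
                sub, sublen = data[j], data[j + 1]
                value = data[j + 2:j + 2 + sublen]
                if sub == 1:
                    rec["circuit_id"] = value.hex()
                elif sub == 2:
                    rec["remote_id"] = value.hex()
                j += 2 + sublen
        i += 2 + length
    return rec


def lease_log_line(payload: bytes, ts: str):
    """Return 'assigned IP,circuit ID,client MAC,remote ID,time' for a DHCPACK,
    or None for any other message type (discover/offer/request carry no lease)."""
    rec = parse_dhcp(payload)
    if rec["msg_type"] != 5:       # 5 = DHCPACK
        return None
    return ",".join([rec["yiaddr"], rec["circuit_id"] or "", rec["chaddr"],
                     rec["remote_id"] or "", ts])


def build_dhcp(msg_type: int, yiaddr: str, chaddr: bytes,
               circuit_id: bytes, remote_id: bytes) -> bytes:
    """Construct a minimal relayed DHCP message (with option 82) for testing."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2 if msg_type in (2, 5, 6) else 1,   # op: 2 = BOOTREPLY for OFFER/ACK/NAK
                         1, 6, 1,                            # htype ethernet, hlen 6, hops 1 (relayed)
                         0x2A2A2A2A, 0, 0,                   # xid, secs, flags
                         b"\0" * 4,                                      # ciaddr
                         bytes(int(x) for x in yiaddr.split(".")),       # yiaddr
                         b"\0" * 4, b"\0" * 4,                           # siaddr, giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    options = MAGIC + bytes([53, 1, msg_type]) + bytes([82, len(sub)]) + sub + b"\xff"
    return header + options


# Constructed sample: a DHCPACK leasing 192.168.1.22 to 00:11:22:33:44:55 behind
# switch port "eth0/1" of relay "sw1", and the DISCOVER that preceded it.
ACK = build_dhcp(5, "192.168.1.22", bytes.fromhex("001122334455"), b"eth0/1", b"sw1")
DISCOVER = build_dhcp(1, "0.0.0.0", bytes.fromhex("001122334455"), b"eth0/1", b"sw1")

if __name__ == "__main__":
    print(lease_log_line(DISCOVER, "2024-01-01T08:00:00"))   # None: no lease yet
    print(lease_log_line(ACK, "2024-01-01T08:00:01"))
```

In practice the payload passed to parse_dhcp is the UDP payload of each packet on ports 67/68 taken from the mirrored feed. The parser stops at a truncated option rather than raising, so a mirror port that drops the tail of a frame still yields the message type and the BOOTP fields.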

Extract session data for targeted IP addresses, MAC addresses or login information and create reports for the authorities (ATL logs)


The Netlogger drop-down menu contains an item called ATL Logs. The purpose of the Netlogger ATL extension is to process and combine the information generated by the "Session Info" tool with a table linking IP addresses to a client ID, taken either from the "Extract DHCP Option 82" tool or from a database, and return the result to the Netlogger/ATL Frontend.


Data is extracted based on IP address, time frame, and MAC address, assigned port number or login information. In this example it is the client MAC address that is retrieved, from log files previously generated by the DHCP extractor function of the ATL or Netlogger.
To get started, select the "ATL logs" item in the Netlogger menu of the Frontend. This opens the "Extract session" dialog.


The first line of the dialog lets the user specify the time interval of interest. The extraction procedure has two main modes: information can be extracted by end user ident (MAC, as obtained from DHCP option 82) or by IP address.
The combo box on the second line switches between these modes, and the text box lets the user type the target ident (MAC) or IP address of the search.
The dialog automatically lists the log files stored in pub://_slog. Simply erase the prefixes you do not want to extract data from.
If extract by Ident (MAC) mode is selected, the "Find MAC..." button is activated. Clicking it opens a new dialog that helps the user find the MAC address or addresses that leased a specific IP address during the chosen time interval.


Adjust the time interval, enter an IP address in the IP field and press the "Lookup" button. This populates a list of MACs together with the start and end time of their respective leases of that IP address. Double-click the desired MAC to transfer it to the main dialog.
When all options are in place, click the "Get" button and a file dialog opens.
Select the desired destination and the file is downloaded to your local machine.
The written text file is formatted as follows:
The first line contains information about the content of the file. Here is an example:

#Unispeed ATL 1.0; BY MAC; TARGET B; TIME 19700101 00:00:00 to 19710101 00:00:00


This reads: the file contains session info for the MAC B in the time interval from midnight, January 1, 1970 to midnight, January 1, 1971.
Another example:

#Unispeed ATL 1.0; BY IP; TARGET 192.168.1.22; TIME 19700101 00:00:00 to 19710101 00:00:00


The file contains session info for the IP 192.168.1.22 in the same time interval as above.
The rest of the file is comma separated values, one line per session. The fields are, in order:
MAC, start time, end time, initiating IP, initiating port, receiving IP, receiving port, IP protocol
The file can be opened in a text editor or a spreadsheet.
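The following is an added example, not Unispeed code, of the mediation step the ATL logs extension performs: it joins the session log with the DHCP lease table, implements the "Find MAC..." lookup, and writes the report in the header and column layout documented above. The Lease and Session records, the constructed lease and session data, and the choice to resolve each session's lease at its start time are assumptions for this demonstration. The sample deliberately gives one IP address to two different clients on the same day, which is why a by-IP extraction must carry the time interval.

```python
"""Added example (not Unispeed code): the mediation step of the ATL logs
extension, combining the session log with the DHCP lease table, plus the
'Find MAC...' lookup. Record layouts and sample data are assumptions; the
report header and column order follow the documented file format."""
from collections import namedtuple
from datetime import datetime

Lease = namedtuple("Lease", "ip mac start end")   # one row of the DHCP option 82 log
Session = namedtuple("Session", "start end init_ip init_port recv_ip recv_port proto")


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def fmt(t: datetime) -> str:
    """Timestamp format used in the report header and rows."""
    return t.strftime("%Y%m%d %H:%M:%S")


def find_macs(leases, ip, t0, t1):
    """'Find MAC...' lookup: every MAC that held `ip` at some point in [t0, t1),
    with its lease window, so the investigator can pick the right one."""
    return [(l.mac, l.start, l.end) for l in leases
            if l.ip == ip and l.start < t1 and l.end > t0]


def mac_for(leases, ip, at):
    """MAC that held `ip` at instant `at`, or "" when no lease covers it
    (reported blank rather than guessed)."""
    for l in leases:
        if l.ip == ip and l.start <= at < l.end:
            return l.mac
    return ""


def extract(leases, sessions, mode, target, t0, t1):
    """Build the report: header line, then one CSV line per session whose start
    falls in [t0, t1) and that involves the target IP, or an IP leased to the
    target MAC at the session's start time."""
    rows = []
    for s in sorted(sessions, key=lambda x: x.start):
        if not (t0 <= s.start < t1):
            continue
        for ip in (s.init_ip, s.recv_ip):
            # Lease resolved at session start: if the IP changes hands during a
            # long session, the session stays with the user who opened it.
            mac = mac_for(leases, ip, s.start)
            if (mode == "IP" and ip == target) or (mode == "MAC" and mac == target):
                rows.append(",".join([mac, fmt(s.start), fmt(s.end), s.init_ip,
                                      str(s.init_port), s.recv_ip, str(s.recv_port), s.proto]))
                break
    header = f"#Unispeed ATL 1.0; BY {mode}; TARGET {target}; TIME {fmt(t0)} to {fmt(t1)}"
    return [header] + rows


# Constructed data: 192.168.1.22 is leased to two different clients on the same
# day, and one session from that IP falls outside any recorded lease.
LEASES = [
    Lease("192.168.1.22", "00:11:22:33:44:55", ts("2024-01-01 08:00"), ts("2024-01-01 12:00")),
    Lease("192.168.1.22", "66:77:88:99:aa:bb", ts("2024-01-01 12:00"), ts("2024-01-01 18:00")),
]
SESSIONS = [
    Session(ts("2024-01-01 09:00"), ts("2024-01-01 09:05"), "192.168.1.22", 40000, "93.184.216.34", 443, "tcp"),
    Session(ts("2024-01-01 09:30"), ts("2024-01-01 09:31"), "192.168.1.40", 40001, "93.184.216.34", 443, "tcp"),
    Session(ts("2024-01-01 13:00"), ts("2024-01-01 13:02"), "192.168.1.22", 40002, "8.8.8.8", 53, "udp"),
    Session(ts("2024-01-01 20:00"), ts("2024-01-01 20:01"), "192.168.1.22", 40003, "93.184.216.34", 443, "tcp"),
]
DAY = (ts("2024-01-01 00:00"), ts("2024-01-02 00:00"))

if __name__ == "__main__":
    print("\n".join(extract(LEASES, SESSIONS, "MAC", "00:11:22:33:44:55", *DAY)))
    print("\n".join(extract(LEASES, SESSIONS, "IP", "192.168.1.22", *DAY)))
```

Extracting by MAC returns only the 09:00 session, because by 13:00 the address belonged to another client. Extracting by IP returns all three sessions from 192.168.1.22, each tagged with whichever MAC held the lease at the time, and the 20:00 session with an empty MAC field, flagging that no lease record covers it.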

Intercept content data from targeted IP addresses or MAC addresses (fremadrettet logning, prospective logging)


The last function of the Unispeed ATL lets the user target one or more clients and log the entire content of the traffic they generate.
The intercepted traffic can be written to a pcap (tcpdump format) file or streamed to a remote server.
In order for the Unispeed ATL to retrieve the content data, you will need to configure a SPAN port on the access router that handles the clients' traffic, or tunnel the relevant traffic to the ATL sniffer interface. The Netlogger/ATL must be able to see the traffic in both directions.
If the client's IP address is dynamic you may have to configure the ATL to filter on the client MAC address, or to dynamically "follow" the client based on the IP address assigned in DHCP requests.

Filter Packet

Connect the "Packets from network" tool to a "Filter Packets" tool and right-click the filter tool. A pop-up window appears. Check the TCP, UDP and ICMP boxes; under "IP Addresses" type the client IP address in the Add field and click "Add"; under "Ports" type "*" in the Add field and click "Add". Click "Apply".


Accepted packets leave through the dark blue arrow on the right side of the Filter Packets tool, while rejected packets leave through the light blue arrow.
If you need to log data for more IP addresses, simply add another "Filter packets" tool to the rejected packet stream and configure it in the same way.

Schedule

This tool lets you set the start time and end time for a chain of tools.
This is particularly convenient when a logging job needs to be performed outside working hours.


When the "enable" box is checked, the Schedule tool lets the traffic stream pass only within the indicated time frame. When unchecked, the tool lets traffic pass continuously.

Write packets

Connect a "Write packets" tool to the accepted packet stream from "Schedule" or "Filter Packets" and configure it.



File name

In this field you give your log file a unique name.

Raw IP

The Raw IP check box strips certain fields from the packet headers and should be left unchecked for this purpose.

Rotate file

This option lets the ATL rotate and timestamp files at a chosen interval. If you transfer your log files to another ATL for mediation or to network attached storage, it makes sense to use the same interval as the transfer. Selecting "never" disables rotation.

Limit size

Rotates the files when they reach the given size in MB. Setting the size to "0" disables the Limit size option.

Forward packets

The "Forward packets" option lets you send the output to one of the ATL interfaces.
