Video Screencast Help
Symantec Secure Login will be live on Connect starting February 25. Get the details here.

Network Monitor Implementation

Created: 29 Jan 2014 • Updated: 30 Jan 2014 | 6 comments
Language Translations
Lion Shaikh's picture
+2 2 Votes
Login to vote

Network Monitor :

Network Monitor accurately detects confidential information across configured network protocols and content types before it leaves the network. Real-time monitoring and reporting deliver constant visibility on data security.

Network Monitor Servers gather network traffic from scanned ports or taps, and report on private or proprietary data leaking as it moves across the network. The Enforce Server defines the policy groups, protocols, and protocol filters that control the Network Monitor Servers. The incidents that servers find are organized into reports, alerts, and actions on the Enforce Server. A network of Monitor Servers can be deployed on the company network to report on network activity and policy compliance. Monitor Servers can enforce a uniform set of policies or specialized policies based on the location and purpose of the server. Some example deployments of Network Monitor Servers are as follows:

Monitoring outgoing traffic - A Network Monitor Server resides in each corporate datacenter that routes data to the Internet. Each Network Monitor Server scans the outgoing traffic for that datacenter. All the servers scan for violations of the same policy groups. This configuration allows the Enforce Server to create separate reports for multiple stakeholders in the corporation.

Monitoring a large flow of traffic - Multiple Network Monitor Servers are placed on the same span of traffic. Traffic is distributed through a traffic load balancer, or load balancing is done through protocol and IP filters.

Monitoring a subgroup of users - A policy group is configured with policies to capture all traffic from a select group of users. A monitor NIC captures the same traffic, but it is assigned to the more selective policy group. This configuration protects the other monitors from the greater scale of traffic that the selected policy group generates.

In any deployment, Network Monitor gives organizations the ability to monitor all network communications, including:

1] Email

2] Instant messaging

3] Web mail and Web postings

4] File transfers

5] Network news

6] Peer-to-peer

7] Telnet

8] All other TCP sessions through any port.

Network Monitor also enables you to quantify your organization's risk from potential confidential data loss incidents. Network Monitor automatically classifies each data loss incident by severity, which enables response teams to quickly prioritize high-risk situations and focus resources.

Network Monitor.PNG

 Network Monitor captures and analyzes traffic on your network, detecting confidential data, and significant traffic metadata over protocols you specify. For example, SMTP, FTP, HTTP, and various IM protocols. You can configure a Network Monitor Server to monitor custom protocols and to use a variety of filters (per protocol) to filter out low-risk traffic.

To monitor network traffic, a Network Monitor Server requires:
a] A network Switch Port Analyzer (SPAN) or network tap to acquire traffic on the target network.

b] A card on the Network Monitor Server host to capture the network traffic that is acquired from the SPAN or tap. Either a network interface card (NIC) or
Endace DAG network measurement card (Endace card) can be used. (Note that in addition to this traffic-capturing card, a separate NIC is required for
communication between the Network Monitor Server and the Enforce Server.)

c] Packet capture software.Whenyou use a NIC for packet capture, packet capture software must be installed on the Network Monitor Server host. When you use an Endace card, the card must use the correct driver.

Please perform the following high level tasks and procedure to implement Network Monitor.

Step by step procedure is here.

Procedure Step 1 : Install and set up the network tap or SPAN that captures network traffic.

Procedure Step 2 : Choose a method of capturing network traffic.

You can use three different methods to capture the network traffic that is acquired by a SPAN or tap:

a]  NIC on a Windows platform. Windows platforms using a NIC for packet capture require a WinPcap library on the Network Monitor Server host. If WinPcap is not already on the Network Monitor Server host, you must install it. See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for information about the supported version of the WinPcap library.

b] NIC on a Linux platform. Linux platforms using a NIC use native Linux packet capture which requires PACKET_MMAP support in the kernel. Support for
PACKET_MMAP is included by default in supported Linux kernels.

c] Endace card on either Windows or Linux platforms. An Endace DAG network measurement card can be used on both Windows and Linux platforms to
provide network packet capture in high-traffic environments. See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for
information about supported Endace cards and drivers.

Platform                                            Card                                          Software

Windows                                          NIC                                            WinPcap

Linux                                               NIC                                             Native

Windows and Linux                          Endace                                        Endace

Procedure Step 3 : Install the necessary NIC or Endace card on the Network Monitor as described by the card documentation. Also use the appropriate Symantec Data Loss Prevention Installation Guide (Windows or Linux). This NIC or Endace card must operate in promiscuous mode so that it picks up all inbound and all outbound traffic.
See the Symantec Data Loss Prevention System RequirementsandCompatibility Guide for information about supported NICs and Endace cards.

 Procedure Step 4: On a Windows platform, install WinPcap if it is not already installed.

If WinPcap software is not already present on a Windows platform, you must install it.

To install WinPcap on the Network Monitor Server:

1 Copy the WinPcap files to a local drive.

2 Run the WinPcap executable and follow the installation instructions.

3 Reset the Windows registry settings by running pcapstart.reg and follow the instructions that are displayed.

Additional details can be found in the Symantec Data Loss Prevention Installation Guide.

Procedure Step 5 : If necessary, update the Endace driver.

If you upgrade a Network Monitor Server to the current version, you may need to update the Endace card driver. See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for information about supported Endace cards and drivers.

Updating an Endace Driver

1 Install the new driver as described by Endace documentation.

2 Reconfigure the Network Monitor to use the new driver. 

Procedure Step 6 : Disable checksum offloading for the NIC that is used to monitor network traffic. For Linux platforms, use the following commands to disable checksum offloading for both receiving and transmitted data on the eth0 interface:

ethtool -K eth0 tx off
ethtool -K eth0 rx off
To see the current status of checksum offloading, use the ethtool -k eth0 command.

Note: Certain checksum algorithms work by modifying network packets and adding empty checksums. Empty checksums can cause network capture
drivers to drop the packets, in which case they are not evaluated by Network Monitor.

Procedure Step 7 : Use a protocol analyzer such as Wireshark to validate traffic on the tap or SPAN that feeds into your NIC or Endace card.

Procedure Step 8 : Configure the Network Monitor Server.

You configure the Network Monitor Server by selecting the network interface (NIC or Endace card) to use for traffic capture. You must also select which protocols to monitor.

To configure a Network Monitor Server

A] In the Enforce Server administration console, go to System > Servers > Overview and click the Network Monitor Server. The Server Detail screen appears.
If you do not use a high-speed packet capture adapter (Endace or Napatech) for traffic capture, skip to step F.

B] If you use a high-speed packet capture adapter (Endace or Napatech), click Server Settings.

C] Enter the appropriate values in the following fields:

PacketCapture.ENDACE_BIN_PATH :  Type the path to the Endace \bin directory.

By default, this directory is located at endace_home\dag-version\bin (for example, on a Windows platform, c:\Program Files\Endace\dag-3.2.2\bin). Note that you cannot use variables (such as %ENDACE_HOME%) in any of the fields that are listed here.
PacketCapture.ENDACE_LIB_PATH :  Type the path to the Endace \lib directory
PacketCapture.ENDACE_XILINX_PATH :  Type the path to the Endace \xilinx directory.
PacketCapture.IS_ENDACE_ENABLED :  Change the value to true.

D] Stop and restart the Network Monitor Server. Symantec Data Loss Prevention displays the Endace card in the Network Interfaces field of the Configure Server screen for the Network Monitor Server. 

E] Go to System > Servers > Overview and again click on the Network Monitor Server. 

F] On the Server Detail screen, click Configure. You can verify or modify settings in the general section at top and on the Packet Capture tab, as described in subsequent steps. 

G] Leave the Source Folder Override field blank to accept the default directory for buffering network streams before the Network Monitor Server processes them. (This setting is the recommended setting.) To specify a custom buffer directory, type the full path to the directory. 

H] Leave the Archive Folder field blank. 

I] Select one or more Network Interfaces (NICs or Endace cards) through which the Network Monitor Server should capture traffic.

J] In the Protocol section, select one or more protocols to monitor. For example, select the check boxes for SMTP, HTTP, and FTP. For a protocol to appear in this section, it must already be configured on the global Protocols screen in the Enforce Server.
See the online Help associated with the Configure Server screen.

K] Click Save.

M] Stop and restart the Network Monitor Server. Click Recycle next to the Status entry in the Server Detail screen.

Procedure Step 9 : Create and deploy a test policy for Network Monitor.

For Network Monitor, you can create the policies that include any of the standard response rules. To set up a response rule action, go to Manage > Policies > Response Rules and click Add Response Rules.

To create a test policy for Network Monitor

a] In the Enforce Server administration console, create a response rule that includes one of the actions that applies to Network Monitor. For example, create a response rule that includes the All: Set Status action.

b] Create a policy that incorporates the response rule you configured in the previous step.
For example, create a policy called Test Policy as follows:

i) Include a Content Matches Keyword detection rule that matches on the keyword test_vontu_secret_keyword.

ii) Include an All: Set Status response rule.

iii) Associate it with the Default policy group.

As a policy author you can define a new policy from scratch or from a template.

To add a new policy or a policy template

Click Add Policy at the Manage > Polices > Policy List screen.
Choose the type of policy you want to add at the New Policy screen.

i) Select Add a blank policy to add a new empty policy.

ii) Select Add a policy from a template to add a policy from a template.

iii) Click Next to configure the policy or the policy template.

Procedure Step Last : Test the system by generating an incident against your test policy.

You can test Network Monitor by sending an email that violates your test policy.

To test your system

i)  Access an email account that routes messages through the MTA.
ii) Send an email that contains confidential data. For example, send an email that contains the keyword test_vontu_secret_keyword.
iii) In the Enforce Server administration console, go to Incidents > Network and click Incidents - New. Look for the resulting incident. For example, search for an incident entry that includes the appropriate timestamp and policy name.
iv) Click on the relevant incident entry to see the complete incident snapshot.

Comments 6 CommentsJump to latest comment

Artem's picture

Good guide.
In the Step 6 I would like to add:

Add the following lines to the startup script (/etc/rc.local):

#turn off offload
/sbin/ethtool -K eth0 tx off rx off

And SeLinux must be disabled on Linux-based server.

Best regards, Artem.

Login to vote
Lion Shaikh's picture

Dear Artem,

Duly noted, appreciate your co-operation.



Login to vote
Chetan Savade's picture

It looks interesting to me. Thanks!

Chetan Savade
Social Media Support Lead
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Login to vote
Lion Shaikh's picture

Thank you chetan for showing your interest.

Login to vote
Doraemon's picture

Hi Guys,

Hope that you can help me with my query on what do i need to input in "Source Folder Override" it is located SMTP Copy Rule Tab. i think this is also a part of network monitor. Im trying to use the single tier of symantec dlp 12.5 hope you can help me on what do i need to input.

Please see attached file

NEtwork Monitor.jpg
Login to vote
Napatech's picture


I noticed in your implementation note you didn't mention the Napatech packet capture cards are also supported as well with regard to Symantec's DLP solution.  If you are not familiar with our solutions verses Endace please let me know.

Login to vote