# MODULE SPAN.Art — primer
Help Center primer for SPAN.Art — line-rate packet capture. Pairs with ADR 0024.
## What it does
Captures bench-side packets at line rate, extracts TLS metadata (JA3/JA4/cipher/SNI/ALPN), cross-correlates with NGFW Syslog records to detect log drops + misclassification, and feeds the richest URL source into PURE Discovery Hub.
Slot: OOBI .230 (single instance).
## When to use
- Cross-vendor TLS metadata — JA3/JA4 fingerprints, cipher negotiation observed on the wire (NGFW logs are vendor-specific; SPAN gives ground truth)
- DUT validation — comparing what the DUT logged vs what actually crossed the wire catches drops + misclassifications
- PURE Discovery Hub source #6 — richest URL source for PURE Test Kind (full SNI + Host visible)
## 5 ingest tiers (pick at install)
| Tier | Backend | Bandwidth | Use when |
|---|---|---|---|
| T1 | libpcap | up to 1 Gbps | dev, lab, single-tenant |
| T2 | AF_XDP | 1-10 Gbps | mid-bench (most customers) |
| T3 | DPDK | 10-40 Gbps | large bench, dedicated NIC |
| T4 | SmartNIC offload | 40-100 Gbps | enterprise, NIC-side filtering |
| T5 | external switch SPAN | 100+ Gbps | external collector, SPAN ingress over copper |
The tier is picked at install via the Lab Deployment Staging wizard (Phase 5 capacity check). If the tier is misconfigured, preflight warns and suggests the next viable tier.
## What gets extracted
### TLS metadata (always available)
- JA3 ClientHello fingerprint
- JA4 ClientHello + extensions fingerprint
- Cipher suite negotiated
- SNI value
- ALPN (h2 / h3 / etc.)
### HTTP metadata (when DUT decrypts)
- Host header
- Path
- User-Agent (PII-stripped per RELAY rules — see ADR 0020)
### Flow metadata (always)
- 5-tuple (src/dst IP/port + proto)
- Bytes / packets per flow
- Flow duration
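The TLS metadata list above (JA3, SNI, ALPN) comes from a single ClientHello, so here is an added example of how those fields are pulled out of the raw bytes and how the JA3 string is formed. This is not SPAN.Art code; the ClientHello it parses is constructed inline (not a real capture), and the JA3 definition used is the public Salesforce one (version, ciphers, extensions, groups, point formats, GREASE removed, MD5). The parser rejects truncated input rather than fingerprinting partial bytes, which is the behaviour a capture engine needs under load.

```python
"""JA3 + SNI/ALPN extraction from a raw TLS ClientHello (added example)."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. JA3 drops them so a
# client that randomises GREASE still yields a stable fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)


def build_client_hello():
    """Constructed sample (assumption, not a capture): TLS record + Handshake + ClientHello."""
    sni = b"example.test"
    ext_sni = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    ext_groups = struct.pack("!H", 4) + _u16s([0x001D, 0x0017])  # x25519, secp256r1
    ext_points = b"\x01\x00"                                     # uncompressed
    alpn = b"\x02h2\x08http/1.1"
    ext_alpn = struct.pack("!H", len(alpn)) + alpn
    ext_versions = b"\x02\x03\x04"                               # TLS 1.3 offered
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in [
        (0x2A2A, b""), (0, ext_sni), (10, ext_groups), (11, ext_points),
        (16, ext_alpn), (43, ext_versions)])                     # GREASE ext first
    ciphers = _u16s([0x0A0A, 0x1301, 0x1302, 0xC02B, 0x002F])      # GREASE cipher first
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                  # version, random, no session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                        # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return version, ciphers, extension types, groups, point formats, SNI and ALPN.

    Any truncated or malformed input raises ValueError instead of producing a
    fingerprint from partial bytes.
    """
    try:
        return _parse(record)
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc


def _parse(record):
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                                   # version, random
    pos += 1 + body[pos]                            # session id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    ciphers = list(struct.unpack(f"!{cs_len // 2}H", body[pos:pos + cs_len]))
    pos += cs_len
    pos += 1 + body[pos]                            # compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "groups": [], "point_formats": [], "sni": None, "alpn": []}
    if pos >= len(body):
        return info                                 # legal: no extensions block
    ext_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions block overruns ClientHello")
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen or pos > end:
            raise ValueError("truncated extension")
        info["extensions"].append(etype)
        if etype == 0 and len(data) >= 5:           # server_name: list len, type, name len, name
            name_len = struct.unpack_from("!H", data, 3)[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == 10 and len(data) >= 2:        # supported_groups
            n = struct.unpack_from("!H", data, 0)[0]
            if len(data) < 2 + n:
                raise ValueError("truncated supported_groups")
            info["groups"] = list(struct.unpack(f"!{n // 2}H", data[2:2 + n]))
        elif etype == 11 and data:                  # ec_point_formats
            info["point_formats"] = list(data[1:1 + data[0]])
        elif etype == 16 and len(data) >= 2:        # ALPN: list len, then (len, name)*
            i = 2
            while i < len(data):
                n = data[i]
                info["alpn"].append(data[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return info


def ja3(info):
    """JA3 string and its MD5 digest, GREASE values removed from every list."""
    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    s = ",".join([str(info["version"]), fmt(info["ciphers"]), fmt(info["extensions"]),
                  fmt(info["groups"]), fmt(info["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello())
    print("SNI:", hello["sni"], "ALPN:", hello["alpn"])
    print("JA3:", ja3(hello))
```

For the constructed sample the JA3 string is `771,4865-4866-49195-47,0-10-11-16-43,29-23,0`: the GREASE cipher `0x0a0a` and GREASE extension `0x2a2a` are present in the parsed lists but dropped from the fingerprint. JA4 is not shown here; it is a separate algorithm with its own sort rules, but it starts from the same parsed fields.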
## DUT validation cross-correlation
```text
SPAN captures packet on wire (in-line)
  ↓ TLS metadata extracted
SYSLOG.Art receives matching NGFW log (out-of-band)
  ↓
SPAN cross-correlator compares:
  - same flow? same source? same destination?
  - DUT classification matches observed traffic?
  - DUT logged the flow at all? (← drop detection)
  ↓
Validation report → FLOW.Art TSDB
```
If the NGFW says a flow was inspected as Application=Foo but SPAN's DPI sees Application=Bar on the wire, SPAN raises a DUT misclassification flag.
If SPAN sees a flow but no matching NGFW log arrives within 30 s, SPAN raises a log drop flag.
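The two rules above (misclassification on an Application mismatch, log drop when no NGFW record arrives within 30 s) are small enough to show end to end. The following is an added example, not the SPAN.Art correlator: the NGFW syslog lines use an assumed vendor-neutral `key=value` layout and the SPAN flow records are constructed. The 1 s clock-skew tolerance is also an assumption; the 30 s window is the page's rule.

```python
"""SPAN-vs-NGFW cross-correlation: log-drop and misclassification flags (added example)."""
from dataclasses import dataclass
from typing import Optional

DROP_WINDOW_S = 30.0   # page rule: no NGFW log within 30 s of the flow -> log drop
CLOCK_SKEW_S = 1.0     # assumption: tolerate NGFW timestamps slightly before SPAN's


@dataclass(frozen=True)
class FiveTuple:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass
class SpanFlow:
    key: FiveTuple
    first_seen: float
    app: str            # application as SPAN's on-wire DPI classified it


@dataclass
class NgfwLog:
    key: FiveTuple
    ts: float
    app: str            # Application field the DUT logged


@dataclass
class Delta:
    key: FiveTuple
    verdict: str        # "ok" | "log_drop" | "misclassification"
    span_app: str
    ngfw_app: Optional[str]
    log_latency_s: Optional[float]


def parse_ngfw_line(line):
    """Parse one constructed key=value syslog line into an NgfwLog (vendor format assumed)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    key = FiveTuple(kv["src"], int(kv["sport"]), kv["dst"], int(kv["dport"]), kv["proto"])
    return NgfwLog(key, float(kv["ts"]), kv["app"])


def correlate(span_flows, ngfw_logs, window_s=DROP_WINDOW_S, skew_s=CLOCK_SKEW_S):
    """Match each SPAN flow to the earliest NGFW log for the same 5-tuple inside the window."""
    by_key = {}
    for log in ngfw_logs:
        by_key.setdefault(log.key, []).append(log)
    for logs in by_key.values():
        logs.sort(key=lambda l: l.ts)
    deltas = []
    for flow in span_flows:
        match = next((l for l in by_key.get(flow.key, [])
                      if -skew_s <= l.ts - flow.first_seen <= window_s), None)
        if match is None:
            # No log for the flow at all, or it arrived outside the window: both count as a drop.
            deltas.append(Delta(flow.key, "log_drop", flow.app, None, None))
            continue
        verdict = "ok" if match.app == flow.app else "misclassification"
        deltas.append(Delta(flow.key, verdict, flow.app, match.app, match.ts - flow.first_seen))
    return deltas


def summarize(deltas):
    counts = {"ok": 0, "log_drop": 0, "misclassification": 0}
    for d in deltas:
        counts[d.verdict] += 1
    return counts


# Constructed sample input (not real traffic or logs).
SAMPLE_NGFW_LINES = [
    "ts=100.8 src=10.0.0.5 sport=51000 dst=198.51.100.10 dport=443 proto=tcp app=Foo",
    "ts=101.2 src=10.0.0.6 sport=51001 dst=198.51.100.11 dport=443 proto=tcp app=web-browsing",
    "ts=140.0 src=10.0.0.8 sport=51003 dst=198.51.100.13 dport=443 proto=tcp app=web-browsing",
]
SAMPLE_SPAN_FLOWS = [
    SpanFlow(FiveTuple("10.0.0.5", 51000, "198.51.100.10", 443, "tcp"), 100.0, "Bar"),
    SpanFlow(FiveTuple("10.0.0.6", 51001, "198.51.100.11", 443, "tcp"), 101.0, "web-browsing"),
    SpanFlow(FiveTuple("10.0.0.7", 51002, "198.51.100.12", 8443, "tcp"), 102.0, "web-browsing"),
    SpanFlow(FiveTuple("10.0.0.8", 51003, "198.51.100.13", 443, "tcp"), 103.0, "web-browsing"),
]


def run_sample(window_s=DROP_WINDOW_S):
    return correlate(SAMPLE_SPAN_FLOWS, [parse_ngfw_line(l) for l in SAMPLE_NGFW_LINES], window_s)


if __name__ == "__main__":
    for d in run_sample():
        print(d.key.src, d.verdict, d.span_app, d.ngfw_app, d.log_latency_s)
    print(summarize(run_sample()))
```

On the sample, 10.0.0.5 is flagged as a misclassification (NGFW says Foo, SPAN's DPI says Bar), 10.0.0.6 is ok, 10.0.0.7 is a log drop because the DUT never logged it, and 10.0.0.8 is also a log drop because its record arrived 37 s after the flow. That last case is the one to keep in mind in practice: a slow syslog path or unsynchronised clocks between SPAN and the DUT will show up as drops, so check NTP on both sides before trusting a drop count.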
## Performance envelope per tier
| Tier | CPU | Memory | NIC | Disk |
|---|---|---|---|---|
| T1 | 2c | 8 GB | 1 Gb | 100 GB SSD |
| T2 | 4c | 16 GB | 10 Gb (XDP-capable) | 500 GB NVMe |
| T3 | 8c (DPDK pinned) | 32 GB hugepages | 40 Gb DPDK NIC | 1 TB NVMe |
| T4 | 8c (SmartNIC offload) | 32 GB | 100 Gb SmartNIC (P4) | 2 TB NVMe |
| T5 | external | n/a | n/a | n/a |
## Storage retention
PCAP files retained 7 days by default (compliance forensics).
Configurable via `kubectl edit configmap span-art-config`.
JA3/JA4 fingerprint summaries retained indefinitely (small footprint).
## Common questions
T3+ requires the DPDK kernel module — how do I install it? It is multi-step; see the install runbook. T2 (AF_XDP) is the recommended starting point for most customers.
Will SPAN see TLS-decrypted HTTP if DUT does decrypt? Only if SPAN is positioned downstream of the DUT-side decryption point. By default SPAN is on the OOBI side and sees encrypted bytes only. Operator can attach SPAN to a downstream tap if HTTP visibility is required.
PCAP files are huge — can I sample? Configure `sample_rate=0.01` (1%) in the configmap. This reduces storage 100× at the cost of an incomplete forensic trail.
Where does the DUT cross-correlator live? In the SPAN.Art pod itself; processes events in real time and writes deltas to FLOW.Art.
## Related
- ADR 0024 — design lock
- PURE primer — Discovery Hub source #6
- Lab Deployment Staging primer — Phase 5 capacity