Network capture ports

The Sophos VA captures network packets via Switched Port Analyzer (SPAN) ports. The VA has SPAN Port 1 (ens160) turned on by default.

You might have multiple switches that are able to send Switched Port Analyzer (SPAN) traffic to the VA.

To find out more about setting up Sophos switches for SPAN, see the Configure your switches section of Sophos NDR.

You can collect this traffic by turning on SPAN Port 2.

To do this, do as follows:

  1. Use the arrow keys to go to Span Port 2 ( ) On.
  2. Press Spacebar to turn the second port on.

    You see an X in the brackets.

  3. Go to Save and press Spacebar.

Encapsulated SPAN traffic

The Sophos VA can also collect encapsulated SPAN traffic. The Sophos VA supports VXLAN and GRE tunnel protocols.

Follow the instructions for VXLAN or GRE.

To turn on VXLAN, do as follows:

  1. Use the arrow keys to go to VXLAN and press Spacebar.

    You see an X in the brackets.

  2. In IP Address, enter the IP address of the VTEP interface.

  3. In VXLAN ID, enter the ID. This must match the VXLAN encapsulated source configuration.
  4. In VXLAN Port, enter the default VXLAN port. This must match the VXLAN encapsulated source configuration.

Select Save to save your changes. They take effect immediately.
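If no encapsulated traffic shows up after saving, check that the source really sends the VXLAN ID and port you entered. The following is an added example, not Sophos code: it reads the outer UDP destination port and the VNI from one captured Ethernet/IPv4 frame and compares them with the VA values. The function names are hypothetical, the sample frame is constructed, and 4789 is the IANA-assigned VXLAN port, which is assumed to be the default the source uses.

```python
import struct

IANA_VXLAN_PORT = 4789  # IANA-assigned VXLAN UDP port (RFC 7348)

def parse_vxlan(frame: bytes):
    """Return (udp_dst_port, vni) for an untagged Ethernet/IPv4/UDP/VXLAN frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # too short, or outer EtherType is not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17:
        return None  # not IPv4 carrying UDP
    udp = ip[ihl:]
    if len(udp) < 16:
        return None  # no room for UDP header (8) + VXLAN header (8)
    dst_port = struct.unpack("!H", udp[2:4])[0]
    if not udp[8] & 0x08:
        return None  # VXLAN I flag clear, so the VNI field is not valid
    return dst_port, int.from_bytes(udp[12:15], "big")  # 24-bit VNI

def check_against_va(frame: bytes, va_vxlan_id: int, va_vxlan_port: int = IANA_VXLAN_PORT):
    """List mismatches between a captured frame and the values entered on the VA."""
    parsed = parse_vxlan(frame)
    if parsed is None:
        return ["not a VXLAN frame"]
    port, vni = parsed
    problems = []
    if port != va_vxlan_port:
        problems.append(f"UDP port {port} != VXLAN Port {va_vxlan_port}")
    if vni != va_vxlan_id:
        problems.append(f"VNI {vni} != VXLAN ID {va_vxlan_id}")
    return problems

def build_sample(vni: int, dst_port: int) -> bytes:
    """Constructed sample frame (documentation addresses, empty inner payload)."""
    vxlan = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, dst_port, 8 + len(vxlan), 0) + vxlan
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return bytes(12) + b"\x08\x00" + ip + udp

if __name__ == "__main__":
    # VA configured with VXLAN ID 5000; the source is sending VNI 5001.
    print(check_against_va(build_sample(5001, IANA_VXLAN_PORT), va_vxlan_id=5000))
```

In practice, the frame bytes would come from a packet capture taken on the sending device or on the path to the VA.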

To turn on GRE, do as follows:

  1. Use the arrow keys to go to GRE and press Spacebar.

    You see an X in the brackets.

  2. In IP Address, enter the IP address of the GRE target interface.

  3. In GRE Port, enter the default GRE port. This must match the GRE encapsulated source configuration.

Select Save to save your changes. They take effect immediately.

It's common to see SPAN and VXLAN encapsulated SPAN ports in the same configuration. Using VXLAN and GRE on the same Sophos VA is rare.