Packet Capture
Packet Capture tasks are defined and deployed on a per-sensor basis. A single task can be deployed to one, all, or any combination of sensors. Each sensor can spool up to four individual tasks, but only one task may run at once.
The active task will execute for 60 minutes or until it captures 1 MB of data, whichever comes first. Once either of those conditions is met, the active task will pause and the next spooled task will execute. The same task will begin again if it is the only one spooled. Tasks will continue to be spooled until they pass the specified expiration time or are terminated manually.
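As an added illustration of the rotation rule above (not part of the product documentation), the following Python simulation models one sensor's spool: round-robin execution, the 60-minute and 1 MB stop conditions, and task expiration. The traffic rates, the reading of 1 MB as 1,000,000 bytes, and the assumption that an expiration time cuts a running execution short are assumptions of the example, not statements from the page.

```python
from collections import deque
from dataclasses import dataclass, field

RUN_LIMIT_MIN = 60        # an execution stops after 60 minutes ...
BYTE_LIMIT = 1_000_000    # ... or at 1 MB (assumed 1,000,000 bytes), whichever comes first
MAX_SPOOLED = 4           # a sensor spools at most four tasks


@dataclass
class Task:
    name: str
    expires_at: int          # minutes after t=0 at which the task goes Inactive
    bytes_per_min: int       # assumed rate of BPF-matching traffic on this sensor
    executions: list = field(default_factory=list)   # one (start, end, bytes) per run


def simulate_sensor(tasks, until):
    """Round-robin one sensor's spool until `until` minutes or until every task expired."""
    if len(tasks) > MAX_SPOOLED:
        raise ValueError("a sensor can spool at most four tasks")
    spool = deque(tasks)
    now = 0
    while spool and now < until:
        task = spool.popleft()
        if task.expires_at <= now:
            continue                     # expired while waiting: Inactive, not requeued
        # minutes until the 1 MB cap would be hit at the assumed traffic rate
        if task.bytes_per_min > 0:
            mins_to_cap = -(-BYTE_LIMIT // task.bytes_per_min)   # ceiling division
        else:
            mins_to_cap = RUN_LIMIT_MIN  # no matching traffic: only the clock stops it
        # a run ends at 60 min, at 1 MB, at the task's expiration (assumed to cut the
        # run short) or at the simulation horizon, whichever comes first
        run = min(RUN_LIMIT_MIN, mins_to_cap, task.expires_at - now, until - now)
        captured = min(BYTE_LIMIT, run * task.bytes_per_min)
        task.executions.append((now, now + run, captured))   # one log + one PCAP
        now += run
        spool.append(task)               # back of the spool; if alone, it runs again
    return {t.name: t.executions for t in tasks}


def capture_minutes(executions):
    """Wall-clock minutes a task actually spent capturing across all its runs."""
    return sum(end - start for start, end, _ in executions)


if __name__ == "__main__":
    # constructed scenario: a quiet filter and a busy one share a sensor for 3 hours
    quiet = Task("dns-only", expires_at=180, bytes_per_min=1_000)
    busy = Task("all-http", expires_at=180, bytes_per_min=100_000)
    for name, runs in simulate_sensor([quiet, busy], until=180).items():
        print(name, len(runs), "runs,", capture_minutes(runs), "min captured", runs)
```

Note how the busy filter hits the 1 MB cap after 10 minutes of each turn, so over the same three hours it captures only 20 minutes of traffic while the quiet filter gets 160; sizing the BPF tightly matters as much as the expiration time.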
Packet capture tasks can have one of two states:
| State | Description |
|---|---|
| Active | The task is currently in rotation for execution. |
| Inactive | The task has reached the requested end time or has been terminated by a user. |
Packet capture tasks can be created, viewed, or terminated from the Packet Capture page. All tasks, both Active and Inactive, are displayed by default.
Reviewing a task
Click a task on the page to view metadata for the task and any PCAP data captured. Each execution of a task will produce exactly one log file and one PCAP.
- The log file will specify the start and end times of the respective execution.
- The PCAP will contain any captured traffic. The PCAP will be empty if no traffic matched the BPF.

Each file collected as part of the PCAP task can then be downloaded and viewed within Wireshark or another preferred PCAP analysis tool. You can adjust which files are displayed (only PCAP, all PCAP, only non-empty PCAP) by checking or unchecking the respective options on the task page.