There are occasions when you want to analyze a packet capture file that is not available on the service you are using. You can upload a file captured on another service to Security Analytics. Supported packet capture file types are pcap and pcap.gz.
When a packet capture file is uploaded to a Decoder, the Decoder creates sessions from the packet capture file packets. These sessions are added to the already decoded sessions on the Decoder and are available for analysis. Security Analytics includes a filename tracking option that makes searching for a particular set of sessions easier. When the packet capture file is uploaded with file tracking, the Decoder adds meta to the sessions based on the uploaded filename. You can then filter sessions for analysis using that meta.
The option to upload a packet capture file is dimmed when other Decoder operations prevent an upload from occurring; for example, when the Decoder is capturing packets.
To select and upload a packet capture file:
- In the Security Analytics menu, select Administration > Services.
  The Administration Services view is displayed.
- Select the Decoder name, and then select View > System.
  The Services System view for the Decoder is displayed.
- In the toolbar, click Upload Packet Capture File.
  The Upload Packet Capture File dialog is displayed.
- To choose a capture file, click Select.
  A directory view is displayed.
- Browse the directory and select the packet capture file that you want to upload.
  The filename is displayed in the Upload File(pcap,pcap.gz) field.
- If you want the Decoder to add meta to the sessions based on the filename, select the Track Filename checkbox.
- To upload the file, click Upload.
  A progress bar shows upload progress.
Upload time varies depending on the size of the file. When the file upload is complete, a status message is displayed. The file is now available for investigation.
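Because only pcap and pcap.gz are supported, it helps to confirm the real format of a capture before uploading it, since a file extension alone does not prove it. The following pre-upload check is an added example, not part of Security Analytics or its documentation; the function names are hypothetical, the sample files are constructed headers, and it assumes that pcapng is not accepted because it is not among the listed types.

```python
import gzip
import struct
import tempfile
import zlib
from pathlib import Path

# Classic libpcap magics (usec/nsec variants, either byte order), read little-endian.
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}
PCAPNG_MAGIC = 0x0A0D0D0A  # pcapng Section Header Block type; not classic pcap


def _kind(head: bytes) -> str:
    """Classify the first four bytes of an uncompressed capture."""
    magic = int.from_bytes(head[:4], "little")  # short reads match nothing
    if magic in PCAP_MAGICS:
        return "pcap"
    return "pcapng" if magic == PCAPNG_MAGIC else "unknown"


def classify_capture(path) -> str:
    """Return 'pcap', 'pcap.gz', or an 'unsupported: ...' reason."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head[:2] != b"\x1f\x8b":  # no gzip magic: must be a plain pcap
        kind = _kind(head)
        return kind if kind == "pcap" else f"unsupported: {kind}"
    try:
        with gzip.open(path, "rb") as gz:  # peek inside the compressed stream
            inner = _kind(gz.read(4))
    except (OSError, EOFError, zlib.error):
        return "unsupported: corrupt gzip"
    return "pcap.gz" if inner == "pcap" else f"unsupported: gzip of {inner}"


def demo() -> dict:
    """Classify constructed sample files (headers only, no real traffic)."""
    pcap_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    samples = {
        "ok.pcap": pcap_hdr,
        "ok.pcap.gz": gzip.compress(pcap_hdr),
        "wireshark.pcapng": struct.pack("<II", PCAPNG_MAGIC, 28),
        "notes.pcap": b"not a capture",  # right extension, wrong content
    }
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            (p := Path(d, name)).write_bytes(data)
            out[name] = classify_capture(p)
    return out
```

A file reported as unsupported needs converting to classic pcap with a capture tool before it is uploaded.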