When a Decoder starts up, it automatically begins aggregating data if Capture Autostart is enabled. When autostart is not enabled, you can start and stop data capture manually.
Note: The Capture Configuration Settings in the Service Config view for a Decoder determine whether Capture Autostart is enabled, as well as adapter, cache, data base, and hash settings.
To start and stop capture:
- In the Security Analytics menu, select Administration > Services.
- In the Admin Services view, select a Decoder or Log Decoder service, and select > View > System.
- In the toolbar, click Start Capture.
If the service is a Decoder, it begins capturing packets. If the service is a Log Decoder, it begins capturing logs.
When packet or log capture is in progress, the option in the toolbar changes to Stop Capture, and the option to upload a file is unavailable.
- Whenever you want to discontinue traffic capture on a Decoder, click Stop Capture.
Packet or log capture ceases, and the option to upload a file to the service is again available.