Decoder: Upload Packet Capture File

Document created by RSA Information Design and Development on Mar 22, 2017. Last modified by RSA Information Design and Development on Sep 25, 2017.
Version 3

This topic explains how to import a packet capture file to a Decoder.

There are occasions when you want to analyze a packet capture file that is not available on the service you are using. You can upload a file captured on another service to Security Analytics. Supported packet capture file types are pcap and pcap.gz.

When a packet capture file is uploaded to a Decoder, the Decoder creates sessions from the packet capture file packets. These sessions are added to the already decoded sessions on the Decoder and are available for analysis. Security Analytics includes a filename tracking option that makes searching for a particular set of sessions easier. When the packet capture file is uploaded with file tracking, the Decoder adds meta to the sessions based on the uploaded filename. You can then filter sessions for analysis using that meta.

The option to upload a packet capture file is dimmed when other Decoder operations prevent an upload from occurring; for example, when the Decoder is capturing packets. 
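A pre-upload check for the supported file types named above (pcap and pcap.gz), as an added example that is not part of the RSA documentation or tooling. It inspects only the local file: it reads the capture header, reports anything that is not a classic pcap or a gzip-compressed pcap, and records a SHA-256 so the uploaded file can be matched to its source copy. The function name `inspect_capture` and the result keys are illustrative assumptions.

```python
import gzip
import hashlib
import struct
import sys
import zlib

# First four bytes of a classic libpcap file -> (struct byte order, timestamp resolution)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type
GZIP_MAGIC = b"\x1f\x8b"


def inspect_capture(path):
    """Classify a file as 'pcap', 'pcap.gz' or 'unsupported' and hash it."""
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        head = fh.read(24)  # size of the pcap global header
        sha256.update(head)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)  # stream so large captures are not held in memory
    result = {"type": "unsupported", "sha256": sha256.hexdigest()}
    kind = "pcap"
    if head[:2] == GZIP_MAGIC:
        kind = "pcap.gz"
        try:
            with gzip.open(path, "rb") as gz:
                head = gz.read(24)  # decompress only the inner header
        except (OSError, EOFError, zlib.error) as exc:
            result["reason"] = f"unreadable gzip stream: {exc}"
            return result
    if head[:4] == PCAPNG_MAGIC:
        result["reason"] = "pcapng is not one of the listed upload types"
    elif len(head) < 24 or head[:4] not in PCAP_MAGICS:
        result["reason"] = "no complete pcap global header found"
    else:
        order, resolution = PCAP_MAGICS[head[:4]]
        major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            order + "HHiIII", head[4:])
        result.update(type=kind, version=f"{major}.{minor}",
                      timestamps=resolution, snaplen=snaplen, linktype=linktype)
    return result


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, inspect_capture(name))
```
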

Procedure

To select and upload a packet capture file:

  1. In the Security Analytics menu, select Administration > Services.

    The Administration Services view is displayed.

  2. Select the Decoder name, and in the Actions menu select View > System.

    The Services System view for the Decoder is displayed.

  3. In the toolbar, click Upload Packet Capture File.

    The Upload Packet Capture File dialog is displayed.

  4. To choose a capture file, click Select.

    A directory view is displayed.

  5. Browse the directory and select the packet capture file that you want to upload.

    The filename is displayed in the Upload File(pcap,pcap.gz) field.

  6. If you want the Decoder to add meta to the sessions based on the filename, click the checkbox next to Track Filename.
  7. To upload the file, click Upload.

    A progress bar shows upload progress.

    Upload time varies depending on the size of the file. When the file upload is complete, a status message is displayed. The file is now available for investigation.
