Investigate: Event Analysis View - Packet Analysis Panel

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on Oct 24, 2017
Version 9Show Document
  • View in full screen mode

In the Packet Analysis panel (Event Analysis > Packet Analysis), you can safely view and interactively analyze the packets and payload of an event that you found in the Navigate view or the Events view.


the Investigate workflow with Conduct Interactive Analysis highlighted

What do you want to do?

User RoleI want to ...Documentation

Threat Hunter

submit queryBeginning an Investigation of a Service or Collection
Threat Hunterview query resultsConducting an Investigation

Threat Hunter

reconstruct an event

Reconstruct an Event

Threat Hunter

analyze an event*

Analyze Events in the Event Analysis View

Threat Hunter export files from an event* Analyze Events in the Event Analysis View
Threat Hunterconduct malware analysisConducting Malware Analysis

Incident Responder

investigate an incident

NetWitness Respond User Guide

*You can perform this task in the current view.

Related Topics

Quick Look

Only network events can be analyzed in the Packet Analysis panel. The Packet Analysis panel lists each packet in the event. For each packet, you can see the packet number, the direction (Request or Response), and the packet contents ascii format on the left, hexadecimal format in the middle, and text format on the right. The list of packets is scrollable. When you scroll, the packet or text identification information as well as the Request and Response labels remain visible rather than scrolling out of view.

Each packet is displayed with shading and highlighting to help identify common file patterns: significant header and payload bytes, hexadecimal and ascii bytes, and common file signatures. In addition, you can adjust the request/response display, and display or hide the packet summary.

Below is an example of ther Packet Analysis panel.

Example of the Packet Analysis with labels

1Options for exporting a network event. You can export a PCAP, all payloads, request payloads, or response payloads for deeper analysis and to share with others.
2The option to identify common file signatures is activated by default. Common file signatures are highlighted in orange (7); hovering over the highlight reveals the file type.
3The Shade Bytes option adds shading to identify the different hexadecimal bytes (00 to FF) using degrees of highlighting.
4The option to display payloads only hides the packet headers, leaving more space for the payload.
5The Event Header.
6Significant bytes are highlighed in a blue background; as you move the cursor over the highlighting the meta data is displayed in a hover box. For example, Header Meta ip.proto=6 is a tooltip for highlighted meta data in the hexadecimal and binary representation of the packet header.
7Orange highlighting identifies a common file signature. Moving the mouse over the area displays the possible file type in a hover box.
You are here
Table of Contents > Investigation Reference Materials > Event Analysis View - Packet Analysis Panel