Investigate: Event Analysis View - Packet Analysis Panel

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018.

In the Packet Analysis panel (Event Analysis > Packet Analysis), you can safely view and interactively analyze the packets and payload of an event.

Workflow

the Investigate Workflow with Analyze Raw Events and Metadata highlighted

What do you want to do?

User Role | I want to ... | Show me how
Threat Hunter | browse event metadata | Begin an Investigation in the Navigate or Events View
Threat Hunter | browse raw events | Begin an Investigation in the Navigate or Events View
Threat Hunter | analyze raw events and metadata | Begin an Investigation in the Event Analysis View
Threat Hunter | query events in the Event Analysis view (Version 11.1) | Filter Results in the Event Analysis View
Threat Hunter | export events and files in the Event Analysis view* | Download Data in the Event Analysis View
Threat Hunter | reconstruct events in the Event Analysis view* | Examine Events in the Event Analysis View
Threat Hunter | perform external lookups from the Event Analysis view (Version 11.1)* | Act on Data in the Event Analysis View
Threat Hunter | query events in the Navigate view | Investigating Metadata in the Navigate View
Threat Hunter | query events in the Events view | Examining Raw Events in the Events View
Threat Hunter | investigate endpoints (Version 11.1) | Investigate Hosts
Threat Hunter | find suspicious endpoint files (Version 11.1) | Investigate Files
Threat Hunter | scan files and events for malware | Conducting Malware Analysis
Incident Responder | triage an incident in Investigate | NetWitness Respond User Guide

*You can perform this task in the current view.

Related Topics

Quick Look

Only network events can be analyzed in the Packet Analysis panel. The panel lists each packet in the event. The list of packets is scrollable; when you scroll, the packet (or text) identification information and the Request and Response labels stay pinned in view rather than scrolling out of view.

In Version 11.1 and later, you can use pagination controls to go backward and forward through the pages, go to a specific page, and select the number of packets to display per page (100, 300, or 500).

Each packet is displayed with shading and highlighting that help you identify common patterns: significant header and payload bytes, the hexadecimal and ASCII byte values, and common file signatures (magic bytes). In addition, you can adjust the request/response display and show or hide the packet summary.

Below is an example of the Packet Analysis panel with labels to identify features. For details and examples of each feature, see Examine Events in the Event Analysis View.

the Packet Analysis panel with labeled features

1. Options for exporting a network event. You can export a PCAP, all payloads, the request payloads, or the response payloads for deeper analysis and for sharing with others.
2. The option to identify common file signatures, which is activated by default. Common file signatures are highlighted in orange; hovering over a highlight reveals the file type.
3. The Shade Bytes option, which shades each hexadecimal byte value (00 to FF) with a different degree of highlighting so that the byte distribution is visible at a glance.
4. The option to display payloads only, which hides the packet headers and leaves more space for the payload.
5. The Event Header.
6. Significant bytes, highlighted with a blue background; as you move the cursor over the highlighting, the associated metadata is displayed in a hover box.
7. (Version 11.1 and later) Packet pagination controls, which give you more flexibility in paging through a list of packets. When a control is unavailable, its icon is dimmed; for example, when you are viewing page 1, the go-to-first-page and go-to-previous-page controls are dimmed. The controls are:
   - Go to the first page
   - Go to the previous page
   - Go to a specific page (enter the page number)
   - Go to the next page
   - Go to the last page
   - Select the number of packets per page (100, 300, or 500)
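The file-signature highlighting described in the paragraph on shading and highlighting and in legend item 2 rests on one idea: match known magic-byte prefixes against the packet bytes. The following Python is an added example and is not part of RSA NetWitness or of this page. It uses a small constructed table of standard magic-byte prefixes and constructed sample packets, and it shows the caveat a practitioner hits when reading the panel packet by packet: a signature can straddle a packet boundary (the PNG header in the sample starts at the end of one packet and finishes in the next), so a per-packet scan misses it unless a few bytes are carried over from the previous packet. The packet and payload layout, the `SIGNATURES` table and the function names are all assumptions of this example.

```python
"""Scan packet payloads for common file signatures (magic bytes).

Added example; not RSA NetWitness code. The signature table and the sample
packets below are constructed for illustration.
"""
from typing import Dict, Iterator, List, Tuple

# Constructed table: a handful of well-known magic-byte prefixes.
# Real tools ship far larger tables; these values are the standard ones.
SIGNATURES: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive (also DOCX/JAR/APK)",
    b"MZ": "DOS/Windows executable (PE)",   # 2 bytes: expect false positives in text
    b"\x7fELF": "ELF executable",
    b"\xff\xd8\xff": "JPEG image",
    b"Rar!\x1a\x07": "RAR archive",
    b"\x1f\x8b\x08": "gzip stream",
}

MAX_SIG_LEN = max(len(sig) for sig in SIGNATURES)


def signatures_at(data: bytes, offset: int) -> Iterator[Tuple[bytes, str]]:
    """Yield (signature, file type) for every signature that starts at offset."""
    for sig, name in SIGNATURES.items():
        if data.startswith(sig, offset):
            yield sig, name


def find_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Per-packet scan: (offset, file type) for each hit inside one payload.

    This is what a naive per-packet view gives you; it cannot see a
    signature that is split across two packets.
    """
    return [(off, name)
            for off in range(len(data))
            for _sig, name in signatures_at(data, off)]


def scan_packets(packets: List[bytes]) -> List[Tuple[int, int, str]]:
    """Stream-aware scan over an ordered list of packet payloads.

    Carries the last MAX_SIG_LEN - 1 bytes of the previous packet(s) into the
    next scan so a straddling signature is still found, and reports each hit
    exactly once, at the packet where its last byte arrives. Returns
    (packet index, offset within that packet's payload, file type); a
    negative offset means the signature starts in an earlier packet.
    """
    results: List[Tuple[int, int, str]] = []
    keep = MAX_SIG_LEN - 1
    carry = b""
    for idx, payload in enumerate(packets):
        buf = carry + payload
        for off in range(len(buf)):
            for sig, name in signatures_at(buf, off):
                if off + len(sig) <= len(carry):
                    continue  # ended inside carried bytes: already reported earlier
                results.append((idx, off - len(carry), name))
        carry = buf[-keep:] if keep else b""
    return results


# Constructed sample: an HTTP response whose PNG header is split across
# two packets, followed by a packet carrying a ZIP local-file header.
PKT0 = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PN"
PKT1 = b"G\r\n\x1a\n" + b"\x00" * 10
PKT2 = b"PK\x03\x04" + b"\x00" * 4
SAMPLE_PACKETS = [PKT0, PKT1, PKT2]


if __name__ == "__main__":
    for i, pkt in enumerate(SAMPLE_PACKETS):
        print(f"packet {i} alone: {find_signatures(pkt)}")
    print("stream-aware:", scan_packets(SAMPLE_PACKETS))
```

Scanning packet 0 alone finds nothing; the stream-aware scan reports the PNG header at packet 1, offset -3 (it began three bytes before that packet), and the ZIP header at packet 2, offset 0. Treat a hit as a hint rather than proof: a two-byte prefix such as MZ will match ordinary text, so confirm the type by exporting the payload (legend item 1) and inspecting it.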
