cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

R80.10 IPS packet capture...how does it work?

Ok so my question is how does the packet capture feauture works? For the Threat prevention policy in the track field i have selected log and packet capture. I presume that it will do a packet capture for all the activated IPS protections for that profile.Is this true? For a specific protection tab for Capture packets it says "Relevant only for pre R80 gateways...for R80 gateway the packet capture is defined by the policy. This is the reason i think it will do a packet capture for all the active protections in the profile for R80.10 gateways.Does the packet capture works only if the action is detect or will it work even if the action is prevent because in that case the session is blocked?

As for the location of packet capture .cap files they are stored on the gateway in the directory: $FWDIR/log/forensics.

Minor issue is the naming of theese files...look at the screenshot

In the logs on the secure management server the relevant data is session ID but you have to cut out the 0x part of it when you grep for a cap file.

0 Kudos
3 Replies

Re: R80.10 IPS packet capture...how does it work?

Hi,

works on Prevent too - of course you´ll not see that much, :smileyhappy::

the linked .eml file (Packet Capture) is a mail with the capture attached. 

attached capture:

That does not work for all prevented sessions, i.e. where nothing is really sent.. 

Daniel

Re: R80.10 IPS packet capture...how does it work?

Thanks Daniel,

good to know that it does capture packets for the signatures in prevent mode. What about the "scope of protections" that the packet capture is done for?Does it capture for all active protections because i can see  sk121605 where there is a need for a Hotfix in order to see the packet capture?

Delo

0 Kudos

Re: R80.10 IPS packet capture...how does it work?

Hi Delo,

I did not run into it, so I did not need the hotfix. (reinstalled my lab a week ago or so Smiley Happy )

according to the article it occured sometimes. and looks like PSL, which is used to create the capture was not found by the deamon.

With protected scopes you can apply special protections to i.e. a server, which is more exposed than others. 

According to the policy, the capture is triggered for all prevented/detected connections, yes.

Daniel