sanja
Explorer

Packet capture option

Hello,


I did some research regarding the packet capture option and couldn't find a clear answer, so I have to ask here 🙂

Documentation states that this option is enabled by default for some blades, but I cannot find for which blades it is enabled by default.

Also, in the log entry I can find a link to download a pcap only for malicious traffic (for example, IPS prevented traffic). What about the Threat Emulation blade?

7 Replies
_Val_
Admin

Threat Emulation packet capture would mean you capture the whole file as part of the logs. That would be too heavy.

sanja
Explorer

Hi, thanks for the reply. What about other blades? 

Timothy_Hall
Champion

Pretty sure only the Threat Emulation, IPS, Anti-Virus, and Anti-Bot blades can generate packet captures. Content Awareness can show a redacted copy of the offending Data Type, but it is not a full packet capture.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
PhoneBoy
Admin

Pretty sure PCAP is only done for IPS and only for the malicious packet.

Timothy_Hall
Champion

Packet Captures are done for Anti-Virus too:

av_pcap.jpg

sanja
Explorer

Thanks!

Is it safe to keep these default settings, because the security gateways are having some performance issues at the moment (memory consumption is too high)?

Amir_Senn
Employee

AB/AV - have a packet capture, but not all the time; it depends on the attack type and prevention method.

IPS - defined per attack. For some attacks it's on by default and for some it's off.

Threat Emulation - not a packet capture but a Forensic Report. See attached.

You can keep the default settings; no performance degradation should be caused by normal usage.

Capture.PNG

Kind regards, Amir Senn