Re: Threat Prevention Multiple Packet Captures

AngeloP · ‎2022-10-05

Hi,

During analysis i noticed checkpoint threat prevention module can sometimes capture multiple packets for a specific alert (3 different packet capture unique id's) but only one pcap is available for download. It does not seem to combine all of them into one file as there's only 1 packet seen in wireshark.

Is there a setting that allows to show all pcaps in the alert, are they all the same packets so only 1 is shown in wireshark, or do you have to go directly into the server storing the pcaps and get the others from there? (Last one wouldn't be great)

PhoneBoy · ‎2022-10-06

Unless you’ve explicitly configured a specific protection to capture packets, we only capture the first instance of it, thus there is only one packet capture.

AngeloP · ‎2022-10-06

Hi,

thank you for the reply, i can see 3 different unique id's for packets captured in the attached image from the alert, so that means that only the first packet of each instance is captured, but there were 3 instances? And because all 3 of them were the same (say there were 3 suppressed events) only 1 of those pcap's is possible for download (even though all 3 are stored), as all 3 should be the same?

PhoneBoy · ‎2022-10-06

Right, it means the event happened three times, but we only captured one packet capture (should be the first instance of it).

Are you a member of CheckMates?

Threat Prevention Multiple Packet Captures