AngeloP
Participant

Threat Prevention Multiple Packet Captures

Hi,


During analysis I noticed the Check Point Threat Prevention module can sometimes capture multiple packets for a specific alert (3 different packet capture unique IDs), but only one pcap is available for download. It does not seem to combine all of them into one file, as there is only 1 packet seen in Wireshark.

Is there a setting that allows showing all pcaps in the alert, are they all the same packets so only 1 is shown in Wireshark, or do you have to go directly into the server storing the pcaps and get the others from there? (The last one wouldn't be great.)


3 Replies
PhoneBoy
Admin

Unless you’ve explicitly configured a specific protection to capture packets, we only capture the first instance of it, thus there is only one packet capture. 

AngeloP
Participant

Hi,


Thank you for the reply. I can see 3 different unique IDs for packets captured in the attached image from the alert, so that means that only the first packet of each instance is captured, but there were 3 instances? And because all 3 of them were the same (say there were 3 suppressed events), only 1 of those pcaps is available for download (even though all 3 are stored), as all 3 should be the same?

PhoneBoy
Admin

Right, it means the event happened three times, but we only captured one packet capture (should be the first instance of it).
