
R80.10 IPS packet capture...how does it work?

Question asked by Djelo Arnautalic on Jul 26, 2018
Latest reply on Jul 26, 2018 by Daniel Meier

Ok so my question is how does the packet capture feature work? For the Threat Prevention policy, in the track field I have selected log and packet capture. I presume that it will do a packet capture for all the activated IPS protections for that profile. Is this true? For a specific protection, the Capture Packets tab says "Relevant only for pre-R80 gateways... for R80 gateways the packet capture is defined by the policy." This is the reason I think it will do a packet capture for all the active protections in the profile for R80.10 gateways. Does the packet capture work only if the action is detect, or will it work even if the action is prevent, because in that case the session is blocked?

As for the location of packet capture .cap files they are stored on the gateway in the directory: $FWDIR/log/forensics.

Minor issue is the naming of these files... look at the screenshot.

In the logs on the secure management server the relevant data is session ID but you have to cut out the 0x part of it when you grep for a cap file.
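The lookup step described in the post (take the session ID from the log, drop the leading `0x`, then search the forensics directory) as an added shell example. This is not code from the original post or from Check Point; it assumes only that captures live under `$FWDIR/log/forensics`, as the post states, and the sample file names it creates are constructed placeholders rather than a verified naming convention.

```shell
#!/bin/sh
# Locate IPS packet-capture files by the session ID shown in the log.
# Constructed example: the directory layout follows the post
# ($FWDIR/log/forensics); the file-name pattern matched below is an
# assumption, not a documented Check Point naming scheme.

# Strip a leading "0x"/"0X" from a session ID as it appears in SmartConsole logs.
strip_hex_prefix() {
    printf '%s' "$1" | sed -E 's/^0[xX]//'
}

# Print the .cap files in directory $1 whose names contain session ID $2
# (prefix removed, case-insensitive). Returns 2 if the ID is empty after stripping.
find_capture_for_session() {
    dir=$1
    sid=$(strip_hex_prefix "$2")
    [ -n "$sid" ] || return 2
    ls "$dir" 2>/dev/null | grep -i -- "$sid" | grep -i '\.cap$'
}

# Usage: sh find_capture.sh 0x5b59d2a1   (searches $FWDIR/log/forensics on the gateway)
if [ "$#" -ge 1 ]; then
    find_capture_for_session "${FWDIR:?FWDIR is not set}/log/forensics" "$1"
fi
```

Because `grep -i` is used, the search succeeds whether the log shows the session ID in upper or lower case; if your captures use a different naming pattern, adjust only the final `grep '\.cap$'` filter.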
