The PCAPs Page

Introduction

The Local PCAPs page (Network section) is presented as a list view that shows PCAPs that Field Effect has saved. These are usually generated automatically because of an alert or security event. This allows for deeper investigations into specific security events that Field Effect has observed. When viewing Network type alerts on the Alerts page, you may see an available PCAP link that coincides with the alert. Clicking the PCAP link will take you to this view.


This article introduces the PCAPs page and how to navigate it, as well as how to use the predictive search functionality, edit and filter columns, and sort the view.


 

Navigating the PCAPs Page

The List View

This page is a table showing all PCAP reports. Columns can be resized, rearranged, and shown or hidden to suit your needs.



The Details View

Clicking a row will expose more details about the selected PCAP report along the bottom of the table.



The Details view can also be expanded into a modal view using the Expand icon.



Downloading PCAPs

To download a PCAP, click the Download icon in the line item representing the desired file. It will be downloaded to your browser’s default downloads folder.


PCAPs are usually created automatically but tasked asynchronously. Because of this, it may take some time between the request and the file being available. The status icon indicates whether the file is ready for download. Line items with a clock icon in the status are still processing, and line items showing a green checkmark are available.


Note that for security reasons, files are compressed and encrypted and cannot be viewed by clients when downloaded.


 

Editing Columns

Columns can be shown or hidden to suit your needs. To edit a view’s columns, click Edit Columns from the view you want to adjust. The Edit Columns tool will open, listing all the columns available. Use the checkmarks to select the columns you want to use in the table. Unchecked columns will not be visible. Once you’ve made your selections, click Apply.



The size of each column can also be adjusted. Use the arrows in the column header to sort and drag the edge of the column to adjust the width.



Downloading PCAP Reports

Clicking on a line item’s Download icon will open the report, revealing more tabs related to the specific report.



Searching for PCAP Reports

The search bar leverages logic that allows you to create custom queries to find and filter alerts. You can use logic to create your own searches (the “Category” column contains “XYZ”) or perform keyword searches.



After selecting a suggested column from the dropdown, suggested logic statements become visible. Select the logic statement that suits your search to continue.



After selecting a logic statement, suggested search choices, specific to the selected column, will become visible. In the example below, the user chose the Completed Time column and Contains logic statement. Therefore, the dropdown shows available UTC times found in the list as suggestions.



Also note that you are not restricted to suggestions: you can add custom search queries to logic statements or perform basic keyword searches.



Sorting & Filtering PCAP Reports

To sort the list, click on a column header to toggle between a descending or ascending order for the selected column. You can also use the “Order By” feature shown as a suggested search function.


To filter the list, you can use the “Is Not” or “Is Null” suggestions. Using “Is Not” will query results that do not include selected suggestions or provided keywords. The “Is Null” suggestion will query items with no content in the selected column.


As you make selections, you will be prompted with suggestions as shown above in Searching for PCAP Reports.



Exporting Results

You can export the entire list of alerts, or a filtered subsection, using the Export .csv icon. The export will be downloaded to your default folder. 



