
PCAP Data

 

If your JSA Console is configured to integrate with the Juniper Junos OS Platform DSM, then Packet Capture (PCAP) data can be received, processed, and stored from a Juniper SRX-Series Services Gateway log source.

For more information about the Juniper Junos OS Platform DSM, see the Juniper Secure Analytics Configuring DSMs Guide.

Displaying the PCAP Data Column

The PCAP Data column is not displayed on the Log Activity tab by default. When you create search criteria, you must select the PCAP Data column in the Column Definition pane.

Before you can display PCAP data on the Log Activity tab, the Juniper SRX-Series Services Gateway log source must be configured with the PCAP Syslog Combination protocol. For more information about configuring log source protocols, see the Juniper Secure Analytics Log Sources Users Guide.

When you perform a search that includes the PCAP Data column, an icon is displayed in the PCAP Data column of the search results if PCAP data is available for an event. Using the PCAP icon, you can view the PCAP data or download the PCAP file to your desktop system.

  1. Click the Log Activity tab.
  2. From the Search list box, select New Search.
  3. Optional. To search for events that have PCAP data, configure the following search criteria:
    1. From the first list box, select PCAP data.

    2. From the second list box, select Equals.

    3. From the third list box, select True.

    4. Click Add Filter.

  4. Configure your column definitions to include the PCAP Data column:
    1. From the Available Columns list in the Column Definition pane, click PCAP Data.

    2. Click the Add Column icon on the bottom set of icons to move the PCAP Data column to the Columns list.

    3. Optional. Click the Add Column icon in the top set of icons to move the PCAP Data column to the Group By list.

  5. Click Filter.
  6. Optional. If you are viewing events in streaming mode, click the Pause icon to pause streaming.
  7. Double-click the event that you want to investigate.

For more information about viewing and downloading PCAP data, see the following sections:

Viewing PCAP Information

From the PCAP Data toolbar menu, you can view a readable version of the data in the PCAP file or download the PCAP file to your desktop system.

Before you can view PCAP information, you must perform or select a search that displays the PCAP Data column.

Before PCAP data can be displayed, the PCAP file must be retrieved for display on the user interface. If the download process takes an extended period, the Downloading PCAP Packet information window is displayed. In most cases, the download process is quick and this window is not displayed.

After the file is retrieved, a pop-up window provides a readable version of the PCAP file. You can read the information that is displayed on the window, or download the information to your desktop system.

  1. For the event you want to investigate, choose one of the following options:
    • Select the event and click the PCAP icon.

    • Right-click the PCAP icon for the event and select More Options > View PCAP Information.

    • Double-click the event that you want to investigate, and then select PCAP Data > View PCAP Information from the event details toolbar.

  2. If you want to download the information to your desktop system, choose one of the following options:
    • Click Download PCAP File to download the original PCAP file to be used in an external application.

    • Click Download PCAP Text to download the PCAP information in .TXT format.

  3. Choose one of the following options:
    • If you want to open the file for immediate viewing, select the Open with option and select an application from the list box.

    • If you want to save the list, select the Save File option.

  4. Click OK.

Downloading the PCAP File to Your Desktop System

You can download the PCAP file to your desktop system for storage or for use in other applications.

Before you can view PCAP information, you must perform or select a search that displays the PCAP Data column. See Displaying the PCAP Data Column.

  1. For the event you want to investigate, choose one of the following options:
    • Select the event and click the PCAP icon.

    • Right-click the PCAP icon for the event and select More Options > Download PCAP File.

    • Double-click the event you want to investigate, and then select PCAP Data > Download PCAP File from the event details toolbar.

  2. Choose one of the following options:
    • If you want to open the file for immediate viewing, select the Open with option and select an application from the list box.

    • If you want to save the list, select the Save File option.

  3. Click OK.