About packet capture

The appliance uses two packet capture features, log evidence and rolling packet capture, to collect packet-level evidence about security events. This topic describes where to configure each feature and how it behaves.

Log evidence

Evidence logging copies the packet that triggers an event to a log file so that you can determine exactly what an intruder did or attempted to do. Evidence logging captures the packets associated with web protection events, security events, user-defined events, connection events, and response filters.

Where to configure. You can configure options for log evidence in the following areas:
  • Event or filter page: Define the scope of packet capture for the event or filter. For example, choose to capture specific traffic or choose to capture all traffic passing through an interface at the same time the event occurs.
  • Log Evidence tab in the Responses area: Define how many log evidence files the appliance stores, the size of the capture files, and the file format.
  • Tuning Parameters page: Add or edit the parameter engine.logevidence.file.timeout. This parameter defines how long evidence logging captures packets when the suspicious traffic is idle. The default value is 15 minutes, the minimum value is 5 minutes, and the maximum value is 30 minutes.
Note: Consider the performance cost when choosing log evidence options. Capturing all traffic on an interface, or storing many large capture files, can affect appliance performance.

Relationship between log evidence options on the event/filter page, the Log Evidence tab and the Tuning Parameters page. All log evidence options work together to define the log evidence feature. For example, if you set the log evidence option to Connection on the event or filter page, the appliance captures all suspicious traffic that matches the connection. The appliance also applies the maximum values from the Log Evidence tab (such as the number of packets per event and the capture file size) to the packet capture, and applies the idle timeout from the engine.logevidence.file.timeout tuning parameter as a time limit. If the packet capture reaches any of the maximum values before the time limit, the appliance stops the capture. If the suspicious connection remains open but sends no suspicious packets for the timeout period (15 minutes by default) and reaches none of the maximum values, the appliance also stops the capture.

Table 1. Log evidence examples

Example 1: Packet capture controlled by the Log Evidence tab
  • Log Evidence tab maximum values set
  • Event or filter page log evidence option set to Connection
  • Log evidence tuning parameter set to 15 minutes
  • A suspicious event occurs
  • Appliance applies the maximum values to the packet capture
  • Appliance captures all traffic that matches the connection
  • Appliance applies the time limit to the packet capture
  • Suspect connection traffic continues for 12 minutes, at which point the capture exceeds the packets-per-event maximum value
  • Appliance stops the packet capture, even though the connection traffic is still occurring and the capture has not run for 15 minutes
  • Log evidence file is available to download from the Logs and Packet Capture page

Example 2: Packet capture controlled by the log evidence tuning parameter
  • Log evidence tuning parameter set to 15 minutes
  • Log Evidence tab maximum values set
  • Event or filter page log evidence option set to Connection
  • A suspicious event from an SSH session occurs
  • Appliance applies the time limit to the packet capture
  • Appliance applies the maximum values to the packet capture
  • Appliance captures all traffic that matches the connection
  • Suspicious SSH session remains open but has not sent any packets for 15 minutes
  • Appliance stops the packet capture, even though the suspicious session remains open and the capture has not reached any of the maximum values
  • Log evidence file is available to download from the Logs and Packet Capture page
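The following is an added example, not code from the appliance or its vendor. It simulates the stop conditions that the relationship paragraph and both Table 1 examples describe: a per-event packet maximum and a capture file size maximum (hypothetical names max_packets and max_bytes, standing in for the Log Evidence tab settings) and the idle timeout from the engine.logevidence.file.timeout tuning parameter, validated against its documented 5 to 30 minute range. The packet timestamps and sizes are constructed sample data; the two scenario functions reproduce Example 1 (stop on the packet maximum at 12 minutes) and Example 2 (stop on a 15-minute idle SSH session).

```python
"""Simulation of the log evidence stop conditions.

Added example, not appliance code. Names max_packets and max_bytes are
hypothetical stand-ins for the Log Evidence tab maximums; idle_timeout_min is
the engine.logevidence.file.timeout tuning parameter (5-30 minutes, default 15).
All packet timestamps and sizes are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

IDLE_TIMEOUT_DEFAULT_MIN = 15
IDLE_TIMEOUT_RANGE_MIN = (5, 30)


def idle_timeout_in_range(minutes: int) -> bool:
    """True if the value is acceptable for engine.logevidence.file.timeout."""
    low, high = IDLE_TIMEOUT_RANGE_MIN
    return low <= minutes <= high


@dataclass
class EvidenceCapture:
    """One log evidence capture for a single suspicious connection."""
    max_packets: int                                  # Log Evidence tab: packets per event
    max_bytes: int                                    # Log Evidence tab: capture file size
    idle_timeout_min: int = IDLE_TIMEOUT_DEFAULT_MIN  # tuning parameter
    packets: int = 0
    bytes_written: int = 0
    last_packet_min: float = 0.0                      # time of the triggering event
    stop_reason: Optional[str] = None

    def __post_init__(self) -> None:
        if not idle_timeout_in_range(self.idle_timeout_min):
            raise ValueError("engine.logevidence.file.timeout must be 5-30 minutes")

    def check_idle(self, now_min: float) -> bool:
        """Apply the idle timeout at time now_min; True if the capture is stopped."""
        if self.stop_reason is None and now_min - self.last_packet_min >= self.idle_timeout_min:
            self.stop_reason = "idle_timeout"
        return self.stop_reason is not None

    def offer(self, t_min: float, size: int) -> bool:
        """Feed one packet seen t_min minutes after the triggering event.

        Returns True if the capture is still running after this packet.
        """
        if self.stop_reason is not None or self.check_idle(t_min):
            return False  # already stopped, or this packet arrived after the idle gap
        self.packets += 1
        self.bytes_written += size
        self.last_packet_min = t_min
        # Any Log Evidence tab maximum ends the capture, however much time is left.
        if self.packets >= self.max_packets:
            self.stop_reason = "max_packets"
        elif self.bytes_written >= self.max_bytes:
            self.stop_reason = "max_file_size"
        return self.stop_reason is None


def run_capture(cap: EvidenceCapture, packets: Iterable[Tuple[float, int]],
                end_min: float) -> Tuple[Optional[str], int, float]:
    """Feed packets in time order, then let the clock reach end_min with no traffic."""
    for t_min, size in packets:
        if not cap.offer(t_min, size):
            break
    cap.check_idle(end_min)
    return cap.stop_reason, cap.packets, cap.last_packet_min


def scenario_max_packets() -> Tuple[Optional[str], int, float]:
    """Table 1, Example 1: steady traffic hits the packets-per-event maximum
    after 12 minutes, so the capture stops before the 15-minute timeout matters."""
    cap = EvidenceCapture(max_packets=720, max_bytes=10_000_000)
    # constructed: one 100-byte packet per second for 12 minutes (720 packets)
    packets = [(i / 60.0, 100) for i in range(1, 721)]
    return run_capture(cap, packets, end_min=20.0)


def scenario_idle_timeout() -> Tuple[Optional[str], int, float]:
    """Table 1, Example 2: the SSH session stays open but is silent for
    15 minutes; the capture stops with no maximum reached."""
    cap = EvidenceCapture(max_packets=10_000, max_bytes=10_000_000)
    # constructed: a few SSH packets at the start, then silence
    packets = [(0.1, 120), (0.5, 96), (1.0, 64)]
    return run_capture(cap, packets, end_min=16.0)


if __name__ == "__main__":
    print("max-packets scenario:", scenario_max_packets())
    print("idle-timeout scenario:", scenario_idle_timeout())
```

The point the simulation makes concrete is that the idle timer is reset by each suspicious packet, so a chatty connection is bounded only by the tab maximums, while a quiet but open session is bounded only by the tuning parameter; when sizing evidence files, reason about both limits together.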

Rolling packet capture

The rolling packet capture feature continuously captures packets from a specified interface, independent of any particular event. Configure this feature on the Rolling Packet Capture page. You can define how many rolling packet capture files the appliance stores and the size of each file. You also configure the interface from which the appliance captures packets and the packet capture file format.
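The following is an added example, not the appliance's code. It models a rolling packet capture as a ring of fixed-size files and assumes (hypothetically) the usual rolling semantics: packets from one interface are written to the current file, a new file is started when the configured file size is reached, and the oldest file is discarded once the configured file count is exceeded. The class and field names (RollingCapture, max_files, max_file_bytes) and all packet sizes are constructed for illustration.

```python
"""Rolling packet capture modeled as a ring of fixed-size capture files.

Added example, not appliance code. The ring semantics (new file on size
limit, oldest file discarded beyond the file count) are an assumption about
how "rolling" behaves; names and packet sizes are constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Iterable, List, Tuple


@dataclass
class CaptureFile:
    index: int        # monotonically increasing file number
    size: int = 0     # bytes written so far
    packets: int = 0


@dataclass
class RollingCapture:
    interface: str          # interface the appliance captures from, e.g. "eth1"
    max_files: int          # how many rolling capture files the appliance stores
    max_file_bytes: int     # size of each capture file
    fmt: str = "pcap"       # capture file format
    files: Deque[CaptureFile] = field(default_factory=deque)
    next_index: int = 0
    dropped_files: int = 0  # files discarded to stay within max_files

    def __post_init__(self) -> None:
        if self.max_files < 1 or self.max_file_bytes < 1:
            raise ValueError("max_files and max_file_bytes must be positive")
        self._open_new_file()

    def _open_new_file(self) -> None:
        self.files.append(CaptureFile(index=self.next_index))
        self.next_index += 1
        # Ring behaviour: keep only the newest max_files files.
        while len(self.files) > self.max_files:
            self.files.popleft()
            self.dropped_files += 1

    def write(self, size: int) -> None:
        """Append one packet of `size` bytes, rolling to a new file first if it would not fit."""
        if size > self.max_file_bytes:
            raise ValueError("packet larger than a capture file")
        if self.files[-1].size + size > self.max_file_bytes:
            self._open_new_file()
        cur = self.files[-1]
        cur.size += size
        cur.packets += 1

    def filenames(self) -> List[str]:
        """Names of the files currently on disk, oldest first (naming scheme is hypothetical)."""
        return [f"{self.interface}-{f.index:06d}.{self.fmt}" for f in self.files]

    def retained_bytes(self) -> int:
        return sum(f.size for f in self.files)


def retention_window_seconds(max_files: int, max_file_bytes: int,
                             bytes_per_second: float) -> float:
    """How far back the ring reaches at a steady line rate: total ring size
    divided by throughput. Ten 100 MB files at 50 MB/s cover only 20 seconds."""
    return max_files * max_file_bytes / bytes_per_second


def simulate(max_files: int, max_file_bytes: int,
             packet_sizes: Iterable[int]) -> Tuple[int, int, int, List[str]]:
    """Run constructed traffic through the ring; returns
    (files on disk, files dropped, bytes retained, filenames)."""
    cap = RollingCapture(interface="eth1", max_files=max_files,
                         max_file_bytes=max_file_bytes)
    for size in packet_sizes:
        cap.write(size)
    return len(cap.files), cap.dropped_files, cap.retained_bytes(), cap.filenames()


if __name__ == "__main__":
    # constructed: 45 packets of 100 bytes into a ring of three 1000-byte files
    print(simulate(3, 1000, [100] * 45))
    print(retention_window_seconds(10, 100_000_000, 50_000_000))
```

The practical caveat is the retention window: the ring holds at most max_files × max_file_bytes of traffic, so on a busy interface the oldest evidence can be overwritten within seconds. Size the file count and file size against the interface's real throughput, and download the rolling capture files promptly after an incident.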