When creating or editing event types, you can enable the automatic saving of traffic for events when they are registered. If saving of traffic is enabled, the network packet that invoked event registration as well as packets before and after event registration are saved in a database. The settings for saving traffic determine the number of saved network packets and time limits.
If automatic saving of traffic is disabled for an event type, you will be able to manually load traffic only after waiting some time after registration of an event of this type. In this case, the application uses traffic dump files to load traffic (these files are temporarily saved and are automatically deleted as more and more traffic is received). When traffic is loaded from these files, the database saves the specific amount of network packets that was defined by default when enabling the saving of traffic for event types.
The application saves traffic in the database only when an event is registered. If the conditions for registering this event are repeated during the event regenerate timeout, traffic at this point in time is not saved in the database.
You can enable and configure the saving of traffic for any event types except a system event type assigned the code 4000002700. An event with the code 4000002700 is registered when there is no traffic at a monitoring point. For this reason, traffic is not expected for this type of event.
If the saving of traffic is enabled for incidents (meaning for system types of events assigned the codes 8000000000, 8000000001, 8000000002 or 8000000003), the application saves traffic for all embedded events of the incident when an incident is registered. The settings defined for the incident are applied when saving traffic of embedded events. However, the traffic storage settings defined directly for types of events embedded in an incident take priority over the settings defined for an incident. This means that traffic for embedded events of an incident will be saved according to the settings defined for the specific types of these events. If these settings are not defined, the traffic for embedded events will be saved according to the settings defined for an incident.
Enabling and configuring the saving of traffic for incidents is sufficient for one of the event types with codes 8000000000, 8000000001, 8000000002 or 8000000003. The application automatically applies the changes made to one of these event types to the remaining three types.
To configure the settings for saving traffic for an event type:
For certain technologies (particularly Deep Packet Inspection), fewer post-registration packets than defined by the settings for saving traffic may be saved in events. This is due to the technological specifics of traffic monitoring.