Enabling or disabling packet capture

You can enable packet capture in the default or any custom IDPS profile. When packet capture is enabled, traffic is recorded when an IDPS signature is triggered and can be used for analysis, for example, to investigate false positives or to troubleshoot. Traffic is recorded only for sessions that fall under an IDPS profile in which packet capture is enabled.

Packet capture works on unencrypted traffic and on encrypted traffic that the solution has already decrypted; the recorded packets are the decrypted payload, not the original ciphertext.

Enabling packet capture has a significant performance impact on the solution. Use this feature only when necessary and disable it as soon as you have collected the captures you need. We recommend creating a separate IDPS profile with packet capture enabled and attaching it to a security rule whose traffic qualifiers match only the traffic you need to capture, so that unrelated sessions are not recorded.

To enable packet capture:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.
  2. Select the Objects tab, then select Security profiles → IDPS.

    This opens a list of IDPS profiles.

  3. Open the profile editing window in one of the following ways:
    • Click the name of the profile.
    • Select the check box next to the profile that you want to edit and click Edit.
  4. Make sure logging is enabled for the profile. Packet capture cannot be enabled unless logging is enabled.
  5. In the Packet Capture section, set the toggle switch to On or Off. Packet capture is disabled by default.
  6. Confirm the action when prompted.
  7. Click Save to save the changes to the profile.
  8. Apply the OSMP policy changes by clicking the Commit and push button.

Packet capture is enabled or disabled for the selected profile.

You can also enable packet capture when creating a profile.
