Traffic
Traffic Overview
The Traffic section offers a comprehensive overview of all the traffic recorded by the application. These events provide network administrators, analysts, and security experts with an abundance of data to monitor, investigate and respond to network-related occurrences.
By leveraging the information gathered in the Traffic module, users can proactively detect and address network anomalies, identify suspicious activity and enhance the overall security of their infrastructure.
This section enables seamless exploration, searching, and in-depth analysis of individual data entries stored in the database, ensuring an intuitive and efficient user experience.
Most of the packet/flow properties/attributes in the Traffic View tab are self-explanatory and include:
Name | Attribute |
---|---|
Source and destination IP addresses | SrcIP and DstIP |
Source and destination MAC addresses | SrcMAC and DstMAC |
Source and destination ports | SrcPort and DstPort |
Protocol | Protocol |
Header length | HeaderLength |
Content | Content |
... | ... |
An exhaustive list of attributes cannot be provided, as they vary depending on the protocols, traffic types, and network technologies in use, each carrying its own specific data. Generally, these fields follow standard naming conventions, making their meaning and interpretation clear from the context.
Additionally, certain properties and attributes related to traffic are specifically added by the NETALERT application.
The following section outlines the most important fields in detail:
Name | Attribute | Description |
---|---|---|
Flow GUID | Flow_GUID | A unique identifier assigned to each traffic flow, representing a structured request-response communication |
Packet GUID | Packet_GUID | A unique identifier assigned to individual traffic packets |
UTC Time | UTC_ISO8601 | The timestamp indicating when the flow or packet was recorded |
Timestamp in DB | insertTimestamp | The timestamp indicating when the flow or packet data was stored in the database |
Termination Status | status | Indicates the method by which the connection was closed. Possible values: Normal, Running, Timeout. |
Connection Status | ConnectionStatus | Displays the status of the flow connection. Possible values: CLOSED, CONNECTING, ESTABLISHED, RESET, TIMEOUT, REQUEST, RESPONSE. The values CLOSED, CONNECTING, ESTABLISHED, RESET refer to TCP flows and TIMEOUT, REQUEST, RESPONSE refer to UDP traffic. |
Tag | DetectedTrafficTag | A classification tag assigned to flows or packets. Possible values include: TCP_FLow, TrafficDNS, TrafficSMTP, TrafficICMP, TrafficDHCP, TrafficSSL, TrafficKerberos, TrafficUnknown. |
Flow Information
The NETALERT solution provides a detailed network traffic analysis through packet capture and flow data interpretation, ensuring full visibility into network activity while contributing to the rapid detection of threats and the optimization of IT infrastructure performance.
For precise data correlation, NETALERT decodes and standardizes network protocols such as NetFlow, sFlow, JFlow, and IPFIX, converting them into a unified format to facilitate efficient analysis and correlation of information.
- NetFlow is a flow monitoring technology developed and used exclusively by Cisco Systems.
- IPFIX is an IETF-standardized flow record format that closely resembles NetFlow v9 in both approach and structure. Often referred to as "NetFlow v10," IPFIX serves as a unifying standard, integrating various NetFlow versions and equivalents as the specification evolves.
- sFlow is a distinct flow protocol introduced by InMon Corp., differing significantly from NetFlow. Unlike NetFlow, which captures all packets and timestamps traffic flows, sFlow employs statistical sampling techniques to record flow data, reducing the volume of information that requires processing and analysis.
- Several vendors have developed proprietary flow record formats that align closely with the major standards, including:
  - J-Flow by Juniper Networks, which largely follows the NetFlow v9 structure.
- xFlow is a generic term used to collectively describe all flow record protocols, including NetFlow, sFlow, IPFIX, J-Flow, and similar variants.
The solution processes these data flows to provide key statistics, such as:
- Traffic volume and bandwidth usage.
- Identification of source and destination devices.
- Detection of unauthorized transfers and cyberattacks.
Security Alert Generation and Threat Response
NETALERT uses advanced detection rules and Machine Learning algorithms to analyze data flows and generate real-time security alerts. Some of the alert scenarios include:
- Detection of DDoS attacks by analyzing traffic volume and flow frequency.
- Identification of communications with malicious infrastructures (e.g., command and control servers).
- Behavioral anomalies detected through ML-based analysis of data flows.
The received flow data, including NetFlow, IPFIX, sFlow, and jFlow, is displayed in the traffic section using the following filters:
datasourceType:"NetworkFlow/jflow/v9" //NetFlow
datasourceType:"NetworkFlow/sflow/v5"
datasourceType:"NetworkFlow/netflow/v10" //IPFIX
datasourceType:"NetworkFlow/jflow/v9" //jFlow
_OS7 Object Definition
The OS7 Object contains meta-information about the recorded and analyzed traffic. Several fields within this object highlight specific conditions identified through static analysis methods.
It is important to note that not all traffic instances will include every field described below.
The list of _OS7 Object Fields is:
Name | Data type | Definitions |
---|---|---|
isExternalTraffic | bool | TRUE if at least one of the source or destination IP addresses falls outside the non-routable IP address ranges. Default is: FALSE. |
isInternalTraffic | bool | TRUE if both the source and the destination IP addresses belong to the non-routable IP address ranges. Default is: FALSE. |
isInternalTransfer | bool | (isInternalTraffic is TRUE) and (isFile is TRUE). Default is: FALSE. |
isExternalTransfer | bool | (isExternalTraffic) and (isFile is TRUE). Default is: FALSE. |
direction | string | Possible values are "Internal to External Communication" and "External to Internal Communication", depending on whether the source and destination IP addresses are internal or external (as defined above using the non-routable IP addresses). Default is: field is missing. |
s_IPClass | string | Source IP class, possible values are: "localhost", "broadcast", "any", "multicast", "Class A", "Class B", and "Class C". Default is: field is missing. |
d_IPClass | string | Destination IP class, possible values are: "localhost", "broadcast", "any", "multicast", "Class A", "Class B", and "Class C". Default is: field is missing. |
isDNSRequestSuccess | bool | TRUE if the packet is a successful DNS request, FALSE if the packet is a DNS request that failed (any DNS error). Default is: (FALSE if isDNSRequest is TRUE) and (field is missing if isDNSRequest is FALSE). |
domainTLD | string | A Top-Level Domain (TLD) is the last part of a domain name that helps categorize websites, with options like .com |
isDNSTunnelling | bool | TRUE if the DNS request CNAME is larger than usual. Default is: FALSE. |
DNS_id | string | DNS ID is a 16-bit identifier, also known as the Transaction ID or Query ID, used for security, query tracking and message pairing. |
CnameSize | int | DNS Request Canonical name characters count |
isLabelSizeAlert | bool | TRUE if the average label character count of the DNS request is greater than usual (40 characters). |
SrcOS | string | Source operating system identification based on the p0f fingerprint database. If the OS is not identified, the raw OS fingerprint is written instead. If not applicable, the field is missing. |
DestOS | string | Destination operating system identification based on the p0f fingerprint database. If the OS is not identified, the raw OS fingerprint is written instead. If not applicable, the field is missing. |
DNSRequestError | string | Field is missing if isDNSRequestSuccess is TRUE. Field contains the DNS request error message if isDNSRequestSuccess is FALSE. Default is: (field is missing) and (field is present only if isDNSRequest is TRUE and isDNSRequestSuccess is FALSE). |
isDNSRequest | bool | TRUE if packet is DNS request. Default is: FALSE |
isProxyTraffic | bool | TRUE if proxy protocol was identified by checking HTTP protocol and CONNECT method. Default is: FALSE. |
proxyDestinationHost | string | IP address of proxy destination. Default is: field is missing if isProxyTraffic is FALSE. |
proxyDestinationPort | integer | Port number of proxy destination. Default is: field is missing if isProxyTraffic is FALSE. |
proxyedIP | string | IP address to which the proxy request was made. Default is: field is missing if isProxyTraffic is FALSE. |
isFile | bool | True if file transfer was identified on download/upload (from header/content information, MIME type, etc.). Default is: FALSE. |
fileType | string | Identified file type (list contains: Rar Archive, JPEG2000 image files, GZIP archive file, 7-Zip compressed file, bzip2 compressed archive, GIF file, Mozilla archive, Microsoft-MSN MARC archive, MAr compressed archive, Windows dump file, Skype localization data file, TIFF file_3, TIFF file_4, VMware BIOS state file, Microsoft cabinet file, OneNote Package, Powerpoint Packaged Presentation, MS Access Snapshot Viewer file, OLE-SPSS-Visual C++ library file, Microsoft Windows Imaging Format, Sony Compressed Voice File, Windows-DOS executable file, Acrobat plug-in, MS C++ debugging symbols file, Visual Studio .NET file, Windows Media Player playlist, VMapSource GPS Waypoint Database, PGP disk image, PKZIP archive_1, ZLock Pro encrypted ZIP, PKZIP archive_2, PKZIP archive_3, WinRAR compressed archive, WinZip compressed archive, OpenEXR bitmap image, MacOS X image file, ELF executable, PNG image, PGP secret keyring_1, PGP secret keyring_2, PGP public keyring, OS X ABI Mach-O binary (32-bit), OS X ABI Mach-O binary (64-bit), Generic JPEG image file, JPEG-EXIF-SPIFF images, etc.). Default is: field is missing if isFile is FALSE. |
isUnknownFile | bool | TRUE if file type was not identified from FTP/HTTP/SMTP/MIME headers. Default is: FALSE. |
isCryptoMining | bool | TRUE if source or destination IP addresses belong to a list of known crypto mining sites (list is provided by user). Default is: FALSE. |
isTOR | bool | TRUE if source or destination IP addresses belong to a list of known TOR exit nodes (list is provided by user). Default is: FALSE. |
isDynamicDNSRequest | bool | TRUE if source or destination IP addresses belong to a list of known Dynamic DNS sites (list is provided by user). Default is: FALSE. |
isKerberos | bool | True if the Kerberos content is identified. Default is: FALSE. |
isICMP | bool | TRUE if ICMP REQUEST. Default is: FALSE. |
icmp_code | int | ICMP code, which provides additional information about the ICMP message. Default is: field is missing if isICMP is FALSE. |
icmp_type | int | ICMP type identifies the general category or purpose of an ICMP message. Default is: field is missing if isICMP is FALSE. |
icmp_id | int | ICMP Identifier, a 16-bit identifier that helps match Echo Request messages with their corresponding Echo Reply messages. Default is: field is missing if isICMP is FALSE. |
icmp_seq | int | ICMP Sequence Number is a field used in ICMP Echo Request and ICMP Echo Reply messages (ping). Default is: field is missing if isICMP is FALSE. |
isSSL | bool | True if SSL protocol was identified. Default is: FALSE. |
SSLversion | string | Version number of SSL protocol. Default is: field is missing if isSSL is FALSE. |
isHeartBleedRequest | bool | Incorrect Heartbeat request from the client (the buffer dimension differs from the requested number of bytes). Default is: FALSE. |
hasHeartBleedResponse | bool | A Heartbleed response was detected following a Heartbleed request. Default is: FALSE. |
clientRequestHeartbeatEnable | bool | Client sends a Heartbeat request. Default is: FALSE. |
serverAcknowledgedHeartbeatRequest | bool | Server acknowledges the Heartbeat request from the client. Default is: FALSE. |
isNonStandard | int | Tristate: TRUE if communication ports do not match defaults (DNS port 53, TLS port 443, SSH port 22, SMTP port 25, Kerberos port 88, AMQP ports 5672 or 5671, HTTP ports 80, 8008, 8080 or 8088, HTTP proxy port 3128, etc.), FALSE if communication ports match defaults, field is missing if not applicable (if transfer protocol was not identified or standard port does not exist). Default is: field is missing. |
hasSSLCertificate | bool | SSL certificate was detected. Default is: FALSE and (field is missing if isSSL is FALSE). |
isCertificateError | bool | SSL certificate error is detected. Default is: FALSE and (field is missing if isSSL is FALSE). |
certificateInfo | string | SSL certificate information. Default is: field is missing if isSSL is FALSE. |
certificateErrorText | string | SSL certificate error text. Default is: field is missing if isSSL is FALSE. |
isDHCP | bool | TRUE if DHCP protocol detected. Default is: FALSE. |
isDHCPclient | bool | TRUE if source port is 68 and destination port is 67. Default is: FALSE. |
isDHCPserver | bool | TRUE if source port is 67 and destination port is 68. Default is: FALSE. |
DHCPXID | string | DHCP transaction ID. Default is: field is missing if isDHCP is FALSE. |
isSMTP | bool | TRUE if SMTP transfer. Default is: FALSE. |
ianaProtocol | string | Port string for IANA protocol (from https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv with port less than 1025). Default: field is missing. |
isKnownProtocol | bool | TRUE if protocol/port pair correctly identified from IANA, and port less than 1025. Default is: FALSE. |
isDetectedFwProtocol | bool | TRUE if Layer 7 protocol detected, from source (connection initiator) to destination. Default is: FALSE. |
isDetectedRvProtocol | bool | TRUE if Layer 7 protocol detected, from destination to source (connection initiator). Default is: FALSE. |
detectedFwProtocol | string | Layer 7 detected protocol name. Default: missing if isDetectedFwProtocol is FALSE. |
detectedRvProtocol | string | Layer 7 detected protocol name. Default: missing if isDetectedRvProtocol is FALSE. |
hostnames | string array | All hostnames extracted from DNS requests or HTTP/HTTPS/SMTP header. Field is missing if no hostname is detected. |
application | string | Application extracted from hostnames. Field is missing if no application is detected. |
emails | string array | All emails extracted from SMTP messages. Field is missing if no email is detected. |
domain | string | Domain extracted from HTTP header. Field is missing if no domain is detected. |
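As an added example (not NETALERT's own code), the following derives several of the _OS7 fields above from a minimal flow record, following the rules the table states: the internal/external scope and direction from non-routable addresses, the isNonStandard tristate from the listed default ports, the DHCP 67/68 port roles, and the DNS label-size heuristic. The record keys, the protocol names used as keys in the default-port table, and the constructed sample flow are assumptions for this illustration.

```python
"""Added example, not NETALERT's own code: derives several _OS7 fields from a
minimal flow record using the rules documented in the field table. Record keys
and the protocol keys of DEFAULT_PORTS are assumptions."""
import ipaddress

# Default ports named in the isNonStandard definition (protocol keys assumed).
DEFAULT_PORTS = {
    "dns": {53}, "tls": {443}, "ssh": {22}, "smtp": {25}, "kerberos": {88},
    "amqp": {5672, 5671}, "http": {80, 8008, 8080, 8088}, "http-proxy": {3128},
}

# Constructed sample: an internal host querying a public resolver on the
# standard DNS port with an unusually long name (three 63-character labels).
SAMPLE_FLOW = {"SrcIP": "10.0.0.5", "DstIP": "8.8.8.8", "SrcPort": 51000,
               "DstPort": 53, "detectedFwProtocol": "dns",
               "dnsName": "a" * 63 + "." + "b" * 63 + "." + "c" * 63 + ".io"}


def is_non_routable(ip):
    """Non-routable address test (RFC 1918, loopback, link-local, ...)."""
    return ipaddress.ip_address(ip).is_private


def traffic_scope(src_ip, dst_ip, is_file=False):
    """isInternalTraffic, isExternalTraffic, the *Transfer flags and direction."""
    src_int, dst_int = is_non_routable(src_ip), is_non_routable(dst_ip)
    fields = {
        "isInternalTraffic": src_int and dst_int,
        "isExternalTraffic": not (src_int and dst_int),
    }
    fields["isInternalTransfer"] = fields["isInternalTraffic"] and is_file
    fields["isExternalTransfer"] = fields["isExternalTraffic"] and is_file
    # direction is only set for a mixed internal/external pair; otherwise the
    # field stays missing, as the table says.
    if src_int and not dst_int:
        fields["direction"] = "Internal to External Communication"
    elif dst_int and not src_int:
        fields["direction"] = "External to Internal Communication"
    return fields


def non_standard_port(detected_protocol, dst_port):
    """isNonStandard tristate: True, False, or None when the field is missing."""
    if detected_protocol is None:
        return None                      # transfer protocol not identified
    defaults = DEFAULT_PORTS.get(detected_protocol.lower())
    if not defaults:
        return None                      # no standard port known for it
    return dst_port not in defaults


def dhcp_role(src_port, dst_port):
    """isDHCPclient / isDHCPserver from the 67/68 port pair."""
    return {"isDHCPclient": src_port == 68 and dst_port == 67,
            "isDHCPserver": src_port == 67 and dst_port == 68}


def dns_name_stats(qname, label_threshold=40):
    """CnameSize and isLabelSizeAlert (average label length above 40 chars)."""
    name = qname.rstrip(".")
    labels = [part for part in name.split(".") if part]
    avg = sum(len(part) for part in labels) / len(labels) if labels else 0.0
    return {"CnameSize": len(name), "isLabelSizeAlert": avg > label_threshold}


def annotate(record):
    """Build the _OS7 sub-object for one flow record."""
    os7 = traffic_scope(record["SrcIP"], record["DstIP"], record.get("isFile", False))
    os7.update(dhcp_role(record["SrcPort"], record["DstPort"]))
    verdict = non_standard_port(record.get("detectedFwProtocol"), record["DstPort"])
    if verdict is not None:              # keep the field missing when N/A
        os7["isNonStandard"] = verdict
    if record.get("dnsName"):
        os7["isDNSRequest"] = True
        os7.update(dns_name_stats(record["dnsName"]))
    return os7


if __name__ == "__main__":
    print(annotate(SAMPLE_FLOW))
```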
_OS7 Object Filters
All these properties/attributes are viewable and searchable and are summarized in the following table. These properties/attributes reflect static analysis performed on traffic:
_OS7 ID | _OS7 Name | Traffic View search query |
---|---|---|
a) | Internal and external connections | _OS7.isInternalTraffic:"true" OR _OS7.isExternalTraffic:"true" |
b) | Internal and external data transfer | _OS7.isInternalTransfer:"true" OR _OS7.isExternalTransfer:"true" OR _exists_:_OS7.direction |
c) | Active devices/connections in the internal/external network | _exists_:_OS7.s_IPClass OR _exists_:_OS7.d_IPClass |
d) | Successful/failed DNS requests | _OS7.isDNSRequestSuccess:"true" OR _OS7.isDNSRequest:"true" OR _exists_:_OS7.DNSRequestError |
e) | Operating system of the devices | _exists_:_OS7.SrcOS OR _exists_:_OS7.DestOS (name of the OS is identified according to the p0f definitions) |
f) | Identification of Proxy servers | _OS7.isProxyTraffic:"true" OR _exists_:_OS7.proxyDestinationHost OR _exists_:_OS7.proxyDestinationPort OR _exists_:_OS7.proxyedIP |
g) | Transfer of EXE/RAR files | _OS7.isFile:"true" OR _exists_:_OS7.fileType |
h) | Transfer of files with unknown format/payload | _OS7.isUnknownFile:"true" |
i) | Cryptocurrency mining activity | _OS7.isCryptoMining:"true" |
j) | Specific applications for Advanced Persistent Threat (APT) attacks | Not available (available as an alert, see Alerts item j) APT) |
k) | Communications with the TOR network | _OS7.isTOR:"true" |
l) | DynDNS (Dynamic DNS) DNS requests | _OS7.isDynamicDNSRequest:"true" |
m) | Scanning network addresses | Not available (available as alerts, see Alerts items m) AddressScan and q) KerberosAnomaly) |
n) | Abnormal behavior/abnormal activity/suspicious connections | Not available (available as an alert, see Alerts item n) DeviceAbnormalBehaviour) |
o) | Anomalies in DNS server traffic | _OS7.isDNSRequest |
p) | Excessive loss of connections or packets | Not available (available as traffic filters, see the Filter the Traffic examples called Filter by connections that timed out at the beginning of flow, Filter by connections that timed out during data transfer and Filter by connections which are losing packets) |
q) | Kerberos authentications | _OS7.isKerberos |
r) | Methods used by malware applications for lateral movement | Not available (available as an alert, see Alerts item r) LateralMovement) |
s) | Brute-force attacks | _OS7.isBruteForce:"true" OR _exists_:_OS7.username |
t) | Heartbleed attacks | _OS7.protocol OR _OS7.SSLversion OR _OS7.isHeartBleedRequest:"true" OR _OS7.hasHeartBleedResponse:"true" OR _OS7.clientRequestHeartbeatEnable:"true" OR _OS7.serverAcknowledgedHeartbeatRequest:"true" |
u) | Port scanning | Not available (available as an alert, see Alerts item u) PortScan) |
v) | Connecting to non-standard ports or compromising a legitimate port/port hijacking | _OS7.isNonStandard:"1" OR _OS7.isKnownProtocol:"true" OR _exists_:_OS7.ianaProtocol OR _exists_:_OS7.isDetectedFwProtocol OR _exists_:_OS7.isDetectedRvProtocol |
w) | SMTP traffic monitoring | _OS7.isSMTP OR _exists_:_OS7.emails OR _OS7.emails:"[" [email protected] "," [email protected] "]" |
x) | Invalid SSL certificates | _OS7.hasSSLCertificate:"true" OR _OS7.isCertificateError:"true" OR _exists_:_OS7.certificateInfo OR _exists_:_OS7.certificateErrorText |
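The queries in the table combine two shapes, `field:"value"` and `_exists_:field`, joined with OR (and occasionally AND). As an added example, not NETALERT's search implementation (whose backend is not described on this page), here is a small evaluator for those shapes run over constructed traffic records, so the effect of a row's query on a record's `_OS7` object can be checked offline. The record layout and the precedence rule (AND binds tighter than OR) are assumptions; bare field names without a value or `_exists_:` prefix are ignored.

```python
"""Added example, not NETALERT's own code: evaluates Traffic View search
queries of the forms field:"value" and _exists_:field, joined by OR / AND
(AND binding tighter), against constructed traffic records."""
import re

# One token per match: an _exists_ check, a field:"value" test, or an operator.
TOKEN = re.compile(
    r'_exists_:(?P<exists>[\w.]+)'
    r'|(?P<field>[\w.]+):"(?P<value>[^"]*)"'
    r'|\b(?P<op>AND|OR)\b'
)

# Constructed sample records (not real captures); only _OS7 keys from the
# field table are used.
RECORDS = [
    {"Flow_GUID": "f-1", "_OS7": {"isSSL": True, "hasSSLCertificate": True,
                                  "isCertificateError": True,
                                  "certificateErrorText": "self signed certificate"}},
    {"Flow_GUID": "f-2", "_OS7": {"isSSL": True, "hasSSLCertificate": True,
                                  "isCertificateError": False}},
    {"Flow_GUID": "f-3", "_OS7": {"isFile": True, "fileType": "ELF executable",
                                  "isExternalTransfer": True,
                                  "direction": "External to Internal Communication"}},
    {"Flow_GUID": "f-4", "_OS7": {"isDNSRequest": True, "isDNSRequestSuccess": False,
                                  "DNSRequestError": "NXDOMAIN"}},
]


def lookup(record, path):
    """Resolve a dotted path such as _OS7.fileType; returns (value, present)."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None, False
        cur = cur[part]
    return cur, True


def normalize(value):
    """Render a stored value the way the query quotes it (booleans as true/false)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()


def matches(query, record):
    """True if the record satisfies the query (OR of AND-groups)."""
    groups, current = [], []
    for m in TOKEN.finditer(query):
        if m.group("op") == "OR":
            groups.append(current)
            current = []
        elif m.group("op") == "AND":
            continue                      # terms in one group are ANDed
        elif m.group("exists"):
            current.append(lookup(record, m.group("exists"))[1])
        else:
            value, present = lookup(record, m.group("field"))
            current.append(present and normalize(value) == m.group("value").lower())
    groups.append(current)
    return any(all(g) for g in groups if g)


def search(query, records=RECORDS):
    """Flow GUIDs of the records matching the query, in input order."""
    return [r["Flow_GUID"] for r in records if matches(query, r)]


if __name__ == "__main__":
    print(search('_OS7.hasSSLCertificate:"true" OR _OS7.isCertificateError:"true"'))
```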
_flow Object
Packets that are part of the same data flow, consisting of sequential requests and responses, are assigned the same Flow GUID. Rather than retaining every packet along with its complete data and metadata, only the essential characteristics of the flow are recorded, highlighting key attributes and statistical details of the packets transferred.
TCP flows attributes are detailed in the next table:
Attribute | Data type | Description |
---|---|---|
srcip | string | Source IP address |
sport | integer | Source port number |
dstip | string | Destination IP address |
dsport | integer | Destination port number |
proto | string | Transaction protocol |
state | string | Indicates the state and its dependent protocol, e.g. ACC, CLO, CON, ECO, ECR, FIN, INT, MAS, PAR, REQ, RST, TST, TXD, URH, URN |
flow_start_time | timestamp | Flow start timestamp |
flow_end_time | timestamp | Flow end timestamp |
dur | float | Record total duration |
sbytes | integer | Source to destination transaction bytes |
dbytes | integer | Destination to source transaction bytes |
spayload | integer | Source to destination payload bytes |
dpayload | integer | Destination to source payload bytes |
sttl | integer | Source to destination time to live value |
dttl | integer | Destination to source time to live value |
sloss | integer | Source packets retransmitted or dropped |
dloss | integer | Destination packets retransmitted or dropped |
service | string | http, ftp, smtp, ssh, dns, ftp-data, irc, or (-) if the service is not a commonly used one |
Sload | float | Source bits per second |
Dload | float | Destination bits per second |
Spkts | integer | Source to destination packet count |
Dpkts | integer | Destination to source packet count |
swin | integer | Source TCP window advertisement value |
dwin | integer | Destination TCP window advertisement value |
stcpb | integer | Source TCP base sequence number |
dtcpb | integer | Destination TCP base sequence number |
smeansz | float | Mean of the flow packet size transmitted by the src |
dmeansz | float | Mean of the flow packet size transmitted by the dst |
Sjit | float | Source jitter (mSec) |
Djit | float | Destination jitter (mSec) |
Sintpkt | float | Source interpacket arrival time (mSec) |
Dintpkt | float | Destination interpacket arrival time (mSec) |
tcprtt | float | TCP connection setup round-trip time, the sum of synack and ackdat |
synack | float | TCP connection setup time, the time between the SYN and the SYN_ACK packets |
ackdat | float | TCP connection setup time, the time between the SYN_ACK and the ACK packets |
fin_cnt | integer | Number of packets with FIN |
syn_cnt | integer | Number of packets with SYN |
rst_cnt | integer | Number of packets with RST |
pst_cnt | integer | Number of packets with PUSH |
ack_cnt | integer | Number of packets with ACK |
urg_cnt | integer | Number of packets with URG |
cwr_cnt | integer | Number of packets with CWR |
ece_cnt | integer | Number of packets with ECE |
fw_pkt_l_max | integer | Maximum size of packet in forward direction |
fw_pkt_l_min | integer | Minimum size of packet in forward direction |
Bw_pkt_l_max | integer | Maximum size of packet in backward direction |
Bw_pkt_l_min | integer | Minimum size of packet in backward direction |
UDP flows attributes are detailed in the next table:
Attribute | Data type | Description |
---|---|---|
srcip | string | Source IP address |
sport | integer | Source port number |
dstip | string | Destination IP address |
dsport | integer | Destination port number |
proto | string | Transaction protocol |
state | string | Indicates the state and its dependent protocol, e.g. ACC, CLO, CON, ECO, ECR, FIN, INT, MAS, PAR, REQ, RST, TST, TXD, URH, URN |
flow_start_time | timestamp | Flow start timestamp |
flow_end_time | timestamp | Flow end timestamp |
dur | float | Record total duration |
sbytes | integer | Source to destination transaction bytes |
dbytes | integer | Destination to source transaction bytes |
spayload | integer | Source to destination payload bytes |
dpayload | integer | Destination to source payload bytes |
sttl | integer | Source to destination time to live value |
dttl | integer | Destination to source time to live value |
sloss | integer | Source packets retransmitted or dropped |
dloss | integer | Destination packets retransmitted or dropped |
service | string | http, ftp, smtp, ssh, dns, ftp-data, irc, or (-) if the service is not a commonly used one |
Spkts | integer | Source to destination packet count |
Dpkts | integer | Destination to source packet count |
Search and filter section
The Search and Filter section provides advanced control over the information displayed in the traffic list. It allows users to apply granular filters, define specific criteria, and combine multiple conditions to customize search results. Additionally, users can specify a date and time range to narrow down the results, ensuring precise and efficient data analysis.
- The Search Field allows users to filter displayed information using free-text input. If no input is provided, all traffic data will be shown.
- The Start Date and End Date fields allow you to quickly increase or decrease the time interval.
- In the top corner, additional sorting options are available, allowing users to order the data (descending and ascending) based on UTC Time (UTC_ISO8601 DESC and UTC_ISO8601 ASC).
- The Quick Filter option allows for easy adjustment of the time interval with preset options like Last 6 Hours or Last Day.
- In the top right corner of the interface, users can apply filters to refine the displayed traffic data. The available filtering options include:
  - All Traffic – Displays all recorded network traffic without any restrictions.
  - Internal Traffic – Shows only traffic occurring within the internal network.
  - External to Internal Traffic – Filters traffic coming from external sources and entering the internal network.
  - Open Connections – Displays active connections that have not yet been closed.
- The Fields dropdown list provides users with an advanced selection of filtering criteria, allowing them to choose specific traffic attributes to customize their searches.
The available filters offer a fast and efficient method for traffic analysis. Selecting specific criteria allows for a focused view on relevant data, exclusion of unnecessary information, visualization of the filtered data, and security actions like blocking suspicious IPs.
- Add – Adds a specific parameter to the filtered traffic view.
- Exclude – Removes a specific parameter from the displayed traffic data.
- Show Chart – Displays a graphical representation of the filtered traffic.
- Exists – Filters traffic to show only entries where a specific parameter is present.
- NOT Exists – Filters traffic to show only entries where a specific parameter is missing.
- Block IP – Adds the selected IP to the Active Blocked IPs list, restricting its traffic.
By default, traffic data is sorted in reverse chronological order, displaying the most recent entries first.
- Pressing the button located on the right-hand side of the Traffic interface expands the event details, providing more in-depth insight into the recorded traffic data. This includes additional metadata, packet information, and flow attributes that help in analyzing network activity. Users can leverage this functionality to investigate anomalies, review specific traffic patterns, and gain a more comprehensive understanding of individual events.
To filter data based on a specific field, select Add to include it in the filter, Exclude to remove it from the results, Exists to display only records where the field is present, NOT Exists to show records where the field is missing, or Show Charts to visualize the filtered data.
The applied filter conditions will be displayed in the Search bar, allowing for further modifications or precise adjustments as needed.
The VLANS field allows grouping between the InterfaceName and a VLAN name. One or more interfaces can be defined within the same NETALERT application (comma separated, e.g., InterfaceName=eno3,eno4) to collect data from different locations. Each interface can be assigned a custom VLAN name using the VLANS field (e.g., VLANS=eno3:VlanID1,eno4:VlanID2). This information is visible in the traffic events under the VlanID field.
Location – Represents the assigned location for captured data or events, helping to organize and identify data sources within the NETALERT application.
Exporting traffic data
- To export traffic data in PCAP format, click the button located on the left side of the interface. This action generates a packet capture (PCAP) file containing the recorded network traffic, allowing for further analysis using packet inspection tools like Wireshark.
- To export traffic data in JSON format, click the button located on the left side of the interface. This action produces a structured JSON file that includes recorded traffic details while retaining all relevant attributes and metadata. The JSON format is commonly used for data analysis, seamless integration with third-party tools, and automated processing in security and network monitoring systems.
For a detailed overview of the application's traffic search capabilities, please refer to the following link: Traffic Overview.
How to Work with Traffic Fields
The queries listed in the Traffic View search query column serve as filtering parameters for traffic data. These queries enable users to refine search results and focus on specific network events. Below, we provide practical examples demonstrating how to apply these properties to Filter the Traffic effectively.