Configure packet capture
Packet capture enables you to collect, store, and retrieve data packets from your network traffic. You can download a packet capture file for analysis in a third-party tool, such as Wireshark. Packets can be inspected to diagnose and resolve network problems and to verify that security policies are being followed.
By adding a packet capture disk to the Discover appliance, you can store the raw payload data sent to your ExtraHop system. On a virtual appliance this is a disk added through the hypervisor; on a physical appliance it is an SSD installed in the appliance.
These instructions only apply to ExtraHop systems that have a precision packet capture disk. To store packets on an ExtraHop Trace appliance, see deployment guides.
Enable packet capture
Your ExtraHop system must be licensed for packet capture and be configured with a dedicated SSD storage disk for a physical appliance or a disk configured on your hypervisor for a virtual appliance.
Before you begin
- Verify that your ExtraHop system is licensed for Packet Capture by logging in to the Administration settings and clicking License. Packet Capture is listed under Features, and its status should read Enabled.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Appliance Settings section, click Disks.
- Depending on your appliance type and menu options, configure the following settings.
- For physical appliances, click Enable next to SSD Assisted Packet Capture, and then click OK.
- For virtual appliances, verify that running appears in the Status column and that the disk size you configured for packet capture appears in the Size column. Click Enable next to Triggered Packet Capture, and then click OK.
Next steps
Your packet capture disk is now enabled and ready to store packets. Click Configure if you want to encrypt the disk, or configure global or precision packet captures.
Encrypt the packet capture disk
Packet capture disks can be secured with 256-bit AES encryption.
- You cannot decrypt a packet capture disk after it is encrypted. You can clear the encryption, but the disk is formatted, and all data is deleted.
- You can lock an encrypted disk to prevent any read or write access to stored packet capture files. If the ExtraHop system is restarted, encrypted disks are automatically locked and remain locked until they are unlocked with the passphrase. Unencrypted disks cannot be locked.
- You can reformat an encrypted disk, but all data is permanently deleted. You can reformat a locked disk without unlocking the disk first.
- You can perform a secure delete (or system wipe) of all system data. For instructions, see the ExtraHop Rescue Media Guide.
- In the Appliance Settings section, click Disks.
- On the Disks page, select one of the following options based on your appliance type.
- For virtual appliances, click Configure next to Triggered Packet Capture.
- For physical devices, click Configure next to SSD Assisted Packet Capture.
- Click Encrypt Disk.
- Specify a disk encryption key from one of the following options:
- Type a passphrase into the Passphrase and Confirm fields.
- Click Choose File and select an encryption key file.
- Click Encrypt.
Next steps
You can change the disk encryption key by returning to the Disks page and clicking Configure and then Change Disk Encryption Key.
Format the packet capture disk
You can format an encrypted packet capture disk to permanently remove all packet captures. Formatting an encrypted disk removes the encryption. If you want to format an unencrypted packet capture disk, you must remove the disk, and then enable the disk again.
Warning: This action cannot be reversed.
- In the Appliance Settings section, click Disks.
- On the Disks page, choose one of the following options based on your appliance platform.
- For virtual appliances, click Configure next to Triggered Packet Capture.
- For physical devices, click Configure next to SSD Assisted Packet Capture.
- Click Clear Disk Encryption.
- Click Format.
Remove the packet capture disk
If you want to replace a packet capture disk, you must first remove the disk from the system. When a packet capture disk is removed from the system, all of the data on the disk is permanently deleted.
- In the Appliance Settings section, click Disks.
- On the Disks page, choose one of the following options based on your appliance platform.
- For virtual appliances, click Configure next to Triggered Packet Capture.
- For physical devices, click Configure next to SSD Assisted Packet Capture.
- Click Remove Disk.
- Select one of the following format options:
- Quick Format
- Secure Erase
- Click Remove.
Configure a global packet capture
A global packet capture collects every packet sent to the ExtraHop system for the duration you specify, subject to the criteria you set when you start the capture.
- On Reveal(x) Enterprise systems, click Packets from the top menu and then click Download PCAP.
To help locate your packet capture, click and drag on the Packet Query timeline to select the time range when you started the packet capture.
- On ExtraHop Performance systems, click the System Settings icon, click All Administration, and then click View and Download Packet Captures in the Packet Capture section.
Configure a precision packet capture
Precision packet captures require ExtraHop triggers, which let you capture only the packets that meet your specifications. Triggers are user-defined JavaScript that runs on defined system events (for example, HTTP_REQUEST).
Before you begin
Packet capture must be licensed and enabled on your ExtraHop system.
- Trigger concepts
- Build a trigger
- Trigger API Reference
- Walkthrough: Initiate precision packet captures to analyze zero window conditions
In the following example, the trigger captures an HTTP flow under the name HTTP host <hostname> and stops the capture after a maximum of 10 packets have been collected.
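The trigger below is an added example, not code from the ExtraHop page or from ExtraHop itself. It shows the precision capture described above with one refinement a practitioner usually wants: the capture starts only for hosts on an allow-list, so the precision disk is not filled with every HTTP flow. It assumes the Trigger API call `Flow.captureStart(name, options)` with an `options.maxPackets` limit (confirm against the Trigger API Reference for your version), the `HTTP_REQUEST` event, and that `Flow` and `HTTP` are globals in the trigger runtime; the host list and the stub `Flow` used for the stand-alone run are constructed for illustration. The code is written in conservative ES5 so that the same text can be pasted into the trigger editor.

```javascript
// Added example (not from the ExtraHop page): precision packet capture trigger
// for the HTTP_REQUEST event. In the trigger runtime, Flow and HTTP are globals;
// the logic takes them as parameters so it also runs outside the appliance.
// Assumption: Flow.captureStart(name, options) with options.maxPackets is the
// API call that starts a capture on the current flow.

var WATCHED_HOSTS = ["app.example.internal", "login.example.internal"]; // constructed list
var MAX_PACKETS = 10; // stop the capture after this many packets

// Normalise the Host header value (case, optional :port) and return the capture
// name when the host is on the allow-list, otherwise null. Filtering here is what
// makes the capture "precision": unrelated flows never reach the disk.
function captureNameFor(host) {
  if (typeof host !== "string" || host.length === 0) return null;
  var normalised = host.trim().toLowerCase().replace(/:\d+$/, "");
  return WATCHED_HOSTS.indexOf(normalised) !== -1 ? "HTTP host " + normalised : null;
}

// Trigger logic. Returns whatever captureStart returns, or null when the flow
// was not captured.
function onHttpRequest(flow, http) {
  var name = captureNameFor(http.host);
  if (name === null) return null;
  return flow.captureStart(name, { maxPackets: MAX_PACKETS });
}

// On the appliance (event HTTP_REQUEST) the real globals exist and the capture
// is started here. Outside the appliance the guard keeps this a no-op.
if (typeof Flow !== "undefined" && typeof HTTP !== "undefined") {
  onHttpRequest(Flow, HTTP);
}

// Stand-alone demonstration with a stub Flow that records the calls it receives.
// Only the first request should start a capture.
function demo() {
  var started = [];
  var stubFlow = {
    captureStart: function (name, options) {
      started.push({ name: name, options: options });
      return "capture-" + started.length;
    }
  };
  onHttpRequest(stubFlow, { host: "Login.Example.Internal:8443" }); // watched, with port
  onHttpRequest(stubFlow, { host: "cdn.unrelated.example" });      // not watched
  return started;
}
```

If the trigger fires for many flows of the same host, each flow gets its own capture file named HTTP host <hostname>; use the maxPackets limit (and the other limits in the Trigger API Reference) to keep each file bounded.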
Next steps
Download the packet capture file.
- On Reveal(x) Enterprise systems, click Records from the top menu. Select Packet Capture from the Record Type drop-down list. After the records associated with your packet capture appear, click the Packets icon, and then click Download PCAP.
- On ExtraHop Performance systems, click the System Settings icon, click All Administration, and then click View and Download Packet Captures in the Packet Capture section.
View and download packet captures
If you have packet captures stored on a virtual disk or on an SSD disk in your Discover appliance, you can manage those files from the View Packet Captures page in the Administration settings. For Reveal(x) systems and on Trace appliances, view the Packets page.
The View and Download Packet Captures section only appears on ExtraHop Performance systems. On Reveal(x) systems, precision packet capture files are found by searching Records for the packet capture record type.
- Click Configure packet capture settings to automatically delete stored packet captures after the specified duration (in minutes).
- View statistics about your packet capture disk.
- Specify criteria to filter packet captures and limit the number of files displayed in the Packet Capture List.
- Select a file from the Packet Capture list and then download or delete the file.
Note: You cannot delete individual packet capture files from Reveal(x) systems.
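Before opening a downloaded file in Wireshark, it is worth checking that it is what the trigger was meant to produce. The reader below is an added example, not part of the ExtraHop page: it parses the classic libpcap format (assumption: Download PCAP produces libpcap rather than pcapng), validates the header and every packet record, and reports the packet count, time range and how many packets were cut at the snap length, so a precision capture can be compared against its trigger's maxPackets. The sample file it reads is constructed in the block and is not a real ExtraHop capture.

```javascript
// Added example (not from the ExtraHop page): minimal libpcap reader in Node.js
// for sanity-checking a downloaded capture. Assumes the classic pcap format.

const MAGICS = {
  0xa1b2c3d4: 1e6, // classic pcap, microsecond timestamps
  0xa1b23c4d: 1e9  // pcap with nanosecond timestamps
};

// Parse a libpcap byte buffer and return a summary; throws on anything malformed.
function summarizePcap(buf) {
  if (buf.length < 24) throw new Error("shorter than the 24-byte pcap global header");
  let le = true;
  let magic = buf.readUInt32LE(0);
  if (!(magic in MAGICS)) {            // not little-endian: try big-endian
    le = false;
    magic = buf.readUInt32BE(0);
    if (!(magic in MAGICS)) {
      throw new Error("not a libpcap file (magic 0x" + buf.readUInt32BE(0).toString(16) + ")");
    }
  }
  const u16 = (off) => (le ? buf.readUInt16LE(off) : buf.readUInt16BE(off));
  const u32 = (off) => (le ? buf.readUInt32LE(off) : buf.readUInt32BE(off));
  const tsDivisor = MAGICS[magic];
  const summary = {
    version: u16(4) + "." + u16(6),
    snaplen: u32(16),
    linkType: u32(20),   // 1 = Ethernet
    packets: 0,
    bytes: 0,
    truncated: 0,        // records whose captured length is below the original length
    firstTs: null,
    lastTs: null
  };
  let off = 24;
  while (off < buf.length) {
    if (off + 16 > buf.length) throw new Error("partial record header at offset " + off);
    const ts = u32(off) + u32(off + 4) / tsDivisor;
    const inclLen = u32(off + 8);
    const origLen = u32(off + 12);
    if (inclLen > summary.snaplen || inclLen > origLen) throw new Error("bad lengths at offset " + off);
    if (off + 16 + inclLen > buf.length) throw new Error("record at offset " + off + " runs past end of file");
    summary.packets += 1;
    summary.bytes += inclLen;
    if (inclLen < origLen) summary.truncated += 1;
    if (summary.firstTs === null) summary.firstTs = ts;
    summary.lastTs = ts;
    off += 16 + inclLen;
  }
  return summary;
}

// Compare the summary with what the capture was supposed to contain and return
// human-readable findings (an empty array means nothing to report).
function findings(summary, maxPackets) {
  const out = [];
  if (summary.packets === 0) out.push("capture contains no packets");
  if (summary.packets > maxPackets) out.push("packet count " + summary.packets + " exceeds maxPackets " + maxPackets);
  if (summary.truncated > 0) out.push(summary.truncated + " of " + summary.packets + " packets were cut at snaplen " + summary.snaplen);
  return out;
}

// Constructed sample: little-endian pcap with two Ethernet frames, the second
// recorded as cut from 1514 to 74 bytes. Not a real capture.
function buildSamplePcap() {
  const header = Buffer.alloc(24);
  header.writeUInt32LE(0xa1b2c3d4, 0);
  header.writeUInt16LE(2, 4);          // version 2.4
  header.writeUInt16LE(4, 6);
  header.writeUInt32LE(0, 8);          // thiszone
  header.writeUInt32LE(0, 12);         // sigfigs
  header.writeUInt32LE(65535, 16);     // snaplen
  header.writeUInt32LE(1, 20);         // LINKTYPE_ETHERNET
  const frames = [
    { data: Buffer.alloc(60, 0xaa), origLen: 60 },
    { data: Buffer.alloc(74, 0xbb), origLen: 1514 }
  ];
  const parts = [header];
  frames.forEach((f, i) => {
    const rec = Buffer.alloc(16);
    rec.writeUInt32LE(1700000000 + i, 0); // ts_sec
    rec.writeUInt32LE(250000, 4);         // ts_usec
    rec.writeUInt32LE(f.data.length, 8);  // incl_len
    rec.writeUInt32LE(f.origLen, 12);     // orig_len
    parts.push(rec, f.data);
  });
  return Buffer.concat(parts);
}
```

To run it against a real download, replace `buildSamplePcap()` with `require("fs").readFileSync(path)` and pass the trigger's packet limit to `findings`; a count above that limit or a magic number the reader rejects means the file is not the precision capture you expected.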