If you are interested in particular DDI detections and want to collect the corresponding network traffic, packet capture is a useful feature to enable.
To enable packet capture, go to Administration > Monitoring / Scanning > Packet Capture and tick the Enable packet capture checkbox.
After enabling packet capture, you need to add a packet capture rule or modify an existing one. Client Host and Detection Criteria are the two important fields in a rule.
Currently, packet capture rules only take effect for the IP identified as the real "Client", meaning the host that initiates the connection or transaction.
To check the "Client" information for a detection:
- In the exported detection file (CSV format), there is a column named "Client Flag".
  - If the Client Flag's value is "1", the Source IP is the client.
  - If the Client Flag's value is "2", the Destination IP is the client.
  That is, if the Client Flag's value is 1, configure the Source IP, or an IP range that covers the Source IP, in the Client Host field.
- Another quick way to check the "Client" is via the DDI Detection Details web page. On the Detection Details page, the user will find a blue dot in the connection summary section. The IP address labeled in blue is the "Client" that you should configure in the Client Host field.
As for the detection criteria, it is recommended to specify more details to narrow down the scope when configuring a packet capture rule; this also reduces the potential performance impact.
For example, adding a specific DDI detection rule ID or description, and only performing packet capture when the detection severity is above a certain level, is suggested.
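As an added example (not part of the original article or the DDI product), the script below reads a constructed detection CSV export, applies the Client Flag rule above to find the "Client" IP of each detection, optionally restricts to a rule ID and minimum severity as the detection criteria guidance suggests, and checks whether a candidate Client Host range covers every client found. Only the "Client Flag" column and its 1/2 meaning come from the article; the other column names, the severity labels and their ordering are assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed sample of a DDI detection export (CSV). Only the "Client Flag"
# column and its 1 / 2 meaning come from the article; the other column names
# and the severity labels are assumptions and may differ in a real export.
SAMPLE_CSV = """Rule ID,Severity,Source IP,Destination IP,Client Flag
1234,High,10.1.2.3,203.0.113.10,1
1234,Medium,198.51.100.7,10.1.2.4,2
5678,Low,10.1.9.9,203.0.113.11,1
"""

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}  # assumed ordering


def client_ip(row):
    """Return the IP that initiated the transaction, per the Client Flag."""
    flag = row["Client Flag"].strip()
    if flag == "1":
        return row["Source IP"].strip()
    if flag == "2":
        return row["Destination IP"].strip()
    return None  # unknown flag value: do not guess a client


def client_hosts(csv_text, rule_id=None, min_severity=None):
    """Collect client IPs of detections matching the optional filters."""
    hosts = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if rule_id is not None and row["Rule ID"].strip() != str(rule_id):
            continue
        if min_severity is not None and SEVERITY_RANK.get(
            row["Severity"].strip(), 0
        ) < SEVERITY_RANK[min_severity]:
            continue
        ip = client_ip(row)
        if ip is not None:
            hosts.add(ip)
    return hosts


def uncovered(hosts, client_host_range):
    """Client IPs that a candidate Client Host value (CIDR or single IP) misses."""
    net = ip_network(client_host_range, strict=False)
    return {h for h in hosts if ip_address(h) not in net}


if __name__ == "__main__":
    found = client_hosts(SAMPLE_CSV, min_severity="Medium")
    print("clients:", sorted(found))
    print("missed by 10.1.2.0/24:", sorted(uncovered(found, "10.1.2.0/24")))
```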
Once the network traffic matches the packet capture rule, DDI prepares and offers the pcap file.
A security analyst may download the pcap file directly via the web console, as shown in the following image.
For further investigation, the security analyst may open the unzipped pcap file with other tools, for example Wireshark, to browse the pcap content and find the detected packet via the "pkt_comment" filter.
If the security analyst would like to search for all detections that have PCAP files, using the Advanced Filter on the detection search page is recommended.