Client Host for Deep Discovery Inspector (DDI) Packet Capture

    • Updated: 17 Sep 2019
    • Product/Version: Deep Discovery Inspector 5.0, 5.1, 5.5
    • Platform: N/A
Summary

Starting with Deep Discovery Inspector (DDI) version 5.0, the packet capture feature is available to help customers collect the malicious traffic associated with particular hosts and/or detection rules. It also allows investigators to look for clues and connections during and around the time of an attack.

This article gives a quick introduction to packet capture and explains which IP address should be configured as the Client Host.

Details

If you are interested in particular DDI detections and want to collect the corresponding network traffic, packet capture is the feature to use.

To enable packet capture, go to Administration > Monitoring / Scanning > Packet Capture, then tick the Enable packet capture checkbox.

Note: Enabling the packet capture feature requires a reboot. It may also affect system performance and stability if misconfigured.

(Figure: Enable Packet Capture)

After enabling packet capture, you need to add a packet capture rule or modify an existing one. Client Host and Detection Criteria are the two important fields.

Currently, packet capture rules only take effect for the IP address identified as the real "Client", that is, the host that initiated the connection or transaction.

To check "Client" information from detection:

  • In an exported detection file (CSV format), there is a column named "Client Flag".

    • If the Client Flag value is "1", the Source IP is the client.
    • If the Client Flag value is "2", the Destination IP is the client.

    That is, if the Client Flag value is 1, configure the Source IP, or an IP range that covers the Source IP, in the Client Host field.

    (Figure: Client Flag)

  • Another quick way to identify the "Client" is the DDI Detection Details web page.

    On the Detection Details page, there is a blue dot in the connection summary section.

    The IP address labeled in blue is the "Client" that you should configure in the Client Host field.

    (Figure: DDI Detection Details page)
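As an added example (not from this article or from Trend Micro), the following script applies the Client Flag rule above to an exported detection CSV and derives a Client Host value from it: the exact client addresses per rule, plus the tightest single IPv4 range that covers them. Only the "Client Flag" column name comes from the article; the "Source IP", "Destination IP" and "Rule ID" header names and every sample row are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample export. Only the "Client Flag" column name is from the
# article; the other header names and all row values are made up.
SAMPLE_CSV = """Source IP,Destination IP,Client Flag,Rule ID
10.0.1.25,203.0.113.7,1,2039
203.0.113.9,10.0.1.30,2,2039
10.0.1.26,203.0.113.7,1,1456
10.0.3.5,198.51.100.2,1,2039
"""


def client_ip(row):
    """Return the 'Client' address of one detection per the Client Flag rule:
    1 -> Source IP is the client, 2 -> Destination IP is the client."""
    flag = row["Client Flag"].strip()
    if flag == "1":
        return ipaddress.ip_address(row["Source IP"].strip())
    if flag == "2":
        return ipaddress.ip_address(row["Destination IP"].strip())
    raise ValueError(f"unexpected Client Flag value: {flag!r}")


def client_hosts(csv_text, rule_id=None):
    """Distinct client addresses in the export, optionally for one rule ID only."""
    hosts = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if rule_id is not None and row["Rule ID"].strip() != str(rule_id):
            continue
        hosts.add(client_ip(row))
    return sorted(hosts)


def smallest_covering_network(hosts):
    """Tightest single IPv4 CIDR block containing every host. It may include
    other addresses, so review it before using it as the Client Host range."""
    first, last = int(min(hosts)), int(max(hosts))
    prefix = 32
    while prefix > 0 and (first >> (32 - prefix)) != (last >> (32 - prefix)):
        prefix -= 1
    network_int = (first >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network((network_int, prefix))


if __name__ == "__main__":
    hosts = client_hosts(SAMPLE_CSV, rule_id=2039)
    print("clients for rule 2039:", [str(h) for h in hosts])
    print("covering range:", smallest_covering_network(hosts))
```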

For the detection criteria, it is recommended to specify as much detail as possible to narrow the scope of the packet capture rule, which also reduces the potential performance impact.

For example, add a specific DDI detection rule ID or description, and only perform packet capture when the detection severity is above a certain level.

(Figure: Detection Criteria)

Once network traffic matches a packet capture rule, DDI prepares the pcap file and makes it available.

A security analyst can download the pcap file directly from the web console, as shown in the following image.

Note: The downloaded PCAP file may potentially harm your computer; unzip it on a computer in a DMZ or isolated environment (password: "virus").

(Figure: Download PCAP file)

For further investigation, the security analyst can open the unzipped pcap file with other tools, for example Wireshark, to browse its content and locate the detected packet via the "pkt_comment" filter.

(Figure: pkt_comment filter)

To find all detections that have PCAP files, use the Advanced Filter on the detection search page.

(Figure: Advanced Filter)

Category: Configure
Solution Id: 1123836