Packet Captures

OT Security stores files containing network packet captures of activities in the network. The data is stored as PCAP (packet capture) files, which can be analyzed using Network Protocol Analysis tools, such as Wireshark. This enables in-depth forensic analysis of critical events. When the storage capacity of the system exceeds 1.8 TB, the system deletes older files.

The Packet Captures page displays all the PCAP files in the system. The Completed section lists all completed files that are available for download. The Ongoing section shows details about the packet capture that is currently in progress.

The header bar shows the oldest captured file that is still available. It also includes an option to download files and to manually close the current Packet Capture.

In the Packet Captures table, you can show or hide columns, sort and filter the lists, and search for keywords. For more information about customizing tables, see Customize Tables.

Note: You can also download the PCAP file for an individual event from the Events page. See Download Files.

Packet Capture Parameters

The Packet Capture list shows the following details:

| Parameter | Description |
|-----------|-------------|
| Start Time | The date and time when the Packet Capture began. |
| End Time | The date and time when the Packet Capture ended. |
| Status | The status of the capture: Completed or Ongoing. |
| Sensor | The OT Security Sensor that captured the packet. For packets captured directly by the OT Security appliance, the value appears as local. |
| File Name | The name of the file. |
| File Size | The size of the file, given in KB/MB. |

Filter Packet Capture Display

You can filter the Packet Captures display to find a specific PCAP by providing the parameters for the start time and/or the end time.

To filter Packet Captures:

  1. Go to Network > Packet Captures.

  2. To filter by the start time, hover over Start time and click the icon.

    A drop-down menu appears.

    1. To set the filter:

      1. From the drop-down menu, select the required filter: Anytime (default), Started before, or Started after.

      2. If you select Started before or Started after, a window appears with the Date and Time boxes allowing you to choose the date and time.

      3. Click Apply.

  3. To filter by End time, hover over End time and click the icon.

    A drop-down menu appears.

    1. To set the filter:

      1. Select the required filter: Anytime (default), Ended before, or Ended after.

      2. If you select Ended before or Ended after, a window appears with the Date and Time boxes allowing you to choose the date and time.

      3. Click Apply.

        OT Security applies the filter and displays only the files generated within the specified timeframe.

Activate or Deactivate Packet Captures

You can activate or deactivate the Packet Capture feature from Local Settings > System Configuration > Device.

If the Packet Capture feature is turned off, then the Packet Captures screen shows a message informing you that it is turned off.

Important: You can activate but not deactivate the Packet Capture feature from Network > Packet Captures.

To activate Packet Capture:

  1. Go to Network > Packet Captures.

  2. In the Header bar, click Turn on.

    OT Security starts Packet Capture.

Download Files

You can download any of the Completed PCAP files to your local machine. You can then analyze them using Network Protocol Analysis tools such as Wireshark.

File captures that are still ongoing are not yet available for download. You can manually close an ongoing capture to close the current file and begin capturing information on a new file.

To download a completed file:

  1. Go to Network > Packet Captures.

  2. Select the required file from the Packet Captures list.

  3. In the Header bar, click Download.

    OT Security downloads the PCAP file in a zip format to your local machine.

To manually close the current Packet Capture:

  1. Go to Network > Packet Captures.

  2. In the Header bar, click Close ongoing captures.

    OT Security stops the current capture and the file becomes available for download. OT Security automatically starts a new Packet Capture.
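Before opening a downloaded zip in Wireshark, it helps to confirm that the capture inside is intact and actually spans the time of the event under investigation. The following is an added example, not part of the OT Security product or its documentation. It assumes the zip holds files in the classic pcap format (not pcapng) and makes no assumption about member names; all function names are hypothetical and the sample input is constructed.

```python
import io
import struct
import zipfile

# First four bytes of a classic pcap file -> (struct byte order, sub-second units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),  # microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),  # nanoseconds
}

def summarize_pcap(data):
    """Walk the record headers of a classic pcap; report packet count and time span."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, units = MAGICS[data[:4]]
    offset, count, first, last = 24, 0, None, None  # records start after the 24-byte header
    while offset + 16 <= len(data):
        sec, sub, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, offset)
        if offset + 16 + incl_len > len(data):
            break  # record body cut short: file is incomplete
        ts = sec + sub / units
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        count += 1
        offset += 16 + incl_len
    return {"packets": count, "first": first, "last": last, "truncated": offset != len(data)}

def summarize_zip(zip_file):
    """Summarize every member of a downloaded zip that starts with a pcap magic number."""
    with zipfile.ZipFile(zip_file) as zf:
        members = ((n, zf.read(n)) for n in zf.namelist())
        return {n: summarize_pcap(d) for n, d in members if d[:4] in MAGICS}

def covers(summary, event_ts):  # event_ts: epoch seconds (UTC)
    return summary["first"] is not None and summary["first"] <= event_ts <= summary["last"]

def constructed_sample():
    """Constructed input: zip with a little-endian pcap, two packets and a cut-off third."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pcap += struct.pack("<IIII", 1700000000, 0, 4, 4) + b"\x00" * 4
    pcap += struct.pack("<IIII", 1700000060, 500000, 4, 4) + b"\x00" * 4
    pcap += struct.pack("<IIII", 1700000090, 0, 64, 64) + b"\x00" * 10  # claims 64 bytes, has 10
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.pcap", pcap)
    return buf

if __name__ == "__main__":
    print(summarize_zip(constructed_sample()))
```

Pass the path of a downloaded zip to `summarize_zip` in place of the constructed sample. Each member is read fully into memory, so very large captures are better handled by streaming the records.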