Documentation Center
AlienVault® USM Appliance™

Capture and Examine Packets

Applies to Product: USM Appliance™ AlienVault OSSIM®

AlienVault USM Appliance integrated packet capture functionality allows you to capture traffic on your network for offline analysis and forensics, using the USM Appliance web UI.

Note: You can also perform traffic captures through the system shell, for example, using TcpDump or Tshark.

To capture a packet

  1. Go to Environment >Traffic Capture.
  2. Traffic capture home page

  3. Select how long, in seconds, the capture should operate, using the Timeout filter.

    Timeouts are 10, 20, 30, 60, 90, 120, and 180 seconds.

  4. Select the number of packets to capture by sliding the Cap Size bar.

    Numbers range from 100 to 8000.

  5. Type the name for a raw filter in the Raw Filter field; for example, 80 (the web server port).
  6. Select the sensor and the interface from which to capture packets by expanding the Sensor list.
  7. Select the IP addresses for the source and destination of the traffic you want to capture by expanding their respective All Assets trees, below the Source and Destination fields.

    When you select the host IPs, Source and Destination is populated.

  8. Click Launch Capture.

    The system informs you that it is starting the capture.

    When USM Appliance has captured the packets, it displays a Traffic Capture results page that reports the capture start time, the duration, the user, and the action you want to take with the capture (Delete, Download, View Payload).

    After you complete the packet captures, you can examine them in the integrated GUI of Tshark, which displays in a separate browser window. You can also download the capture as a PCAP file and examine it, using any external packet capture tool, such as Wireshark.