Like the \drop folder, there is a \drop_pcap folder (c:\drop_pcap). There may also be a sub-folder in the drop_pcap folder.
To test an HTTP incident the process is the following:
1. Create a test policy.
NOTE: For purposes of this test, you may want to create an "e" policy using "e" (without quotes) as your keyword. Just remember to uncheck the "on whole words" box before saving the rule.
2. Check that your policy has downloaded to the Network Monitor:
a. Click on Administration (bottom box, left hand column)-> System -> Overview
b. Click on the server name that is doing the monitoring (for example: PimaMonitor)
c. Look at the "All Recent Events" box (right main window, right lower box area)
and look for "Loaded policy..."
2. Create the necessary http traffic to cause an incident.
3. Verify an incident is created.
4. From the Enforce UI stop the File Reader on the network monitor.
5. Create the necessary HTTP traffic again.
6. Wait for a file of type .vpcap to appear in the drop_pcap folder or sub-folder.
7. Copy the new file to a safe place.
8. From the Enforce UI start the File Reader on the network monitor
9. Verify a new incident is created.
The copied .vpcap can be used to create new incidents without having to create the HTTP traffic. Copy the file and then paste it into the \drop_pcap file.
NOTE: In Windows the .vpcap file can not be dragged and dropped into the \drop_pcap folder. Windows does not see this as creating a new file and the File Reader will not see the file and will not create a new incident.