Is it possible to replay an imported Packet Capture with Security Analytics ?

book

Article ID: 168794

calendar_today

Updated On:

Products

Security Analytics

Issue/Introduction

Resolution

The ability to replay an imported PCAP can be done from the command line:

1. Create a mapping: dscapture --map ifm0 impt0 (confirm mapping with dscapture --mapshow)  You should see something like this:

ifm0    ->     impt0

2. Create the timespan for playback.  This timespan must match the timespan from the segment of imported traffic you wish to regenerate.  By default all PCAP imports use impt0.  Specifying the timespan is the only way to guarantee you are playing back (or regenerating) the desired window of traffic:

dscapture --settime ifm0 MM.DD.YYYY.HH.MM.SS MM.DD.YYYY.HH.MM.SS (you must enter time in UTC, not local timezone.  If you don't specify an end date and time, the regen session will playback ALL traffic it sees on impt0 beginning with the start date and time specified.)

3. Start the playback: dsregen start ifm0 ethX (where ethX is the outbound interface)

4. To stop the playback session: dsregen stop ifm0 ethX

5. The above assumes that the timeframe specified only contains one import. If there are multiple imports within one timespan, the import_id must be specified.