search cancel

Is there a way to manually delete an imported PCAP?


Article ID: 174862


Updated On:


Security Analytics


7.x and confirmed through 8.0.3.


Unfortunately there is not a way to delete imported PCAPS (even via CLI) until the data is overwritten.  Regardless of the timestamps of the PCAP packets themselves, the data is considered captured at the time of import and however long it takes to overwrite their data, it will stick around.  The only way to get rid of it is to wipe all data.  For example, if your slot chain window is May 5 – 10 and you import a PCAP on May 7th, regardless of the timestamps in the PCAP, it will get overwritten at the same time the other May 7th data gets overwritten. 

Future versions may have the option for Selective PCAP deletion, but this has not yet been released, as of 8.0.3.