ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

PCAP download is empty or 0 bytes in size


Article ID: 222039


Updated On:


Security Analytics Security Analytics - VA


Security analytics allows you to download raw PCAP files from traffic captured on the system.  On occasion, the PCAP file that is downloaded may be empty or may be 0 bytes in size.


This can be caused by several different issues.

  • The timespan selected doesn't contain any pcap data
  • The filter specified is to narrow and doesn't meet the criteria of any packets
  • An error was triggered 
  • You are attempting to download the pcap during a log rotation, which may kill the http session (usually indicative of attempting to download again and succeeding)
    • This bug is alleviated in SA version 8.2.4 or greater

If you do encounter a 0-byte pcap file, take a look at the /var/log/messages file and look for any errors that would indicate why the file is empty and be ready to share those results with technical support.