Forensics recovery
To retrieve raw packet capture data from packet capture devices, run a forensics recovery job on one or more IP addresses or ports.
Running a recovery on an IP address or port
Run a forensics recovery to retrieve the raw capture data from the capture device. You can run a recovery on multiple IP addresses or ports. If you don't enter an IP address or port, all TCP and UDP traffic is recovered. If you enter multiple IP addresses or ports, you must use a comma to separate them.
Run a forensics recovery by right-clicking an IP address or port in QRadar®, or by selecting the Run recovery icon on the Forensics tab.
Re-run recovery
On the Forensics tab, use the re-run recovery option on the results grid to run a previously created recovery again. For example, if the results return incomplete data, you can re-run the forensics recovery to include different IP addresses, or to change the time frame that was specified in the previous recovery job.
To re-run the previous forensics recovery job, click Re-run this forensics recovery. When you re-run a recovery job, the Forensics Recovery page is pre-filled with the values from the previous run. You can run an identical recovery again, or change the automatically filled values.
You can re-run a recovery only when the job has finished, that is, when its status is completed, canceled, or failed.
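The two rules above (a comma-separated list of IP addresses and ports, where an empty scope means all TCP and UDP traffic, and re-run being allowed only for a finished job) as an added example of validating that input before submitting a job; this is illustrative code written here, not QRadar's own code, and it assumes the status strings are the words completed, canceled and failed exactly as the page lists them.

```python
import ipaddress

# Statuses in which a recovery job is finished and may be re-run (from the page text).
FINISHED_STATUSES = {"completed", "canceled", "failed"}


def parse_recovery_scope(raw):
    """Validate a comma-separated recovery scope such as '10.0.0.5, 443, ::1'.

    Returns (ips, ports); both are None when the scope is empty, which the
    capture device treats as "recover all TCP and UDP traffic".
    Raises ValueError for any token that is neither an IP address nor a port,
    so a typo is caught before a long recovery job is started.
    """
    tokens = [t.strip() for t in raw.split(",") if t.strip()]
    if not tokens:
        return None, None  # empty scope: everything is recovered
    ips, ports = [], []
    for tok in tokens:
        try:
            # Accepts both IPv4 and IPv6 literals; normalises the text form.
            ips.append(str(ipaddress.ip_address(tok)))
            continue
        except ValueError:
            pass
        if tok.isdigit() and 0 <= int(tok) <= 65535:
            ports.append(int(tok))
            continue
        raise ValueError(f"not an IP address or a port: {tok!r}")
    return ips, ports


def can_rerun(status):
    """True only when the previous job has finished (completed, canceled or failed)."""
    return status.strip().lower() in FINISHED_STATUSES


if __name__ == "__main__":
    # Constructed sample input, not data from a real capture device.
    print(parse_recovery_scope("10.0.0.5, 443, ::1"))  # (['10.0.0.5', '::1'], [443])
    print(can_rerun("running"), can_rerun("Completed"))  # False True
```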