Exporting documents as pcap files

You can export documents as pcap files from multiple IBM® QRadar® Incident Forensics and IBM QRadar Network Packet Capture appliances.

Restriction: The content that you export to pcap format is not reconstructed.

Procedure

  1. To export data from selected documents, in the recovery grid on the Forensics tab, select the check boxes next to the documents, and then click Export.

    You can select a maximum of 25 documents to export to pcap format.

  2. From the Select Export Type list, click PCAP.
  3. After all of the documents for a QRadar Incident Forensics host are exported, you can click Download.
  4. If the export of a document fails, export the document again by clicking the FAIL message.

Results

If you export a single pcap file, the pcap file is downloaded. If you export more than one pcap file, the pcap files are assembled into a compressed file (.zip) and the compressed file is downloaded.

Each document stores the IP address of the QRadar Incident Forensics host and the IP address of the QRadar Network Packet Capture device that the document originally came from. If you remove a QRadar Incident Forensics host or move a QRadar Network Packet Capture appliance, you might not be able to do an export.
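As an added example (not from the QRadar documentation), a check a practitioner can run on the downloaded artifact: it accepts either the single pcap file or the .zip produced for a multi-document export, walks each member's pcap records and returns the packet count per member, or None where a member is not a pcap or is truncated, so a failed or partial export is caught before analysis. It assumes classic pcap format (not pcapng); the sample files and member names are constructed inline.

```python
import io
import struct
import zipfile

# Classic pcap magic numbers (usec and nsec timestamps, both byte orders),
# mapped to the struct byte-order prefix needed to read the record headers.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def count_packets(data: bytes):
    """Walk a classic pcap file and return its packet count, or None if the
    global header is missing or a record runs past the end of the file."""
    order = PCAP_MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        return None
    offset, count = 24, 0            # skip the 24-byte global header
    while offset < len(data):
        if offset + 16 > len(data):
            return None              # truncated record header
        _sec, _usec, incl_len, _orig = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16 + incl_len
        if offset > len(data):
            return None              # truncated packet data
        count += 1
    return count

def check_export(data: bytes) -> dict:
    """Validate a downloaded export: one pcap, or a .zip holding several.
    Returns {member name: packet count or None}; a lone pcap is keyed ''."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"": count_packets(data)}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: count_packets(zf.read(name)) for name in zf.namelist()}

def sample_pcap(n_packets: int, order: str = "<") -> bytes:
    """Constructed sample pcap: global header plus n_packets 4-byte records."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n_packets):
        out += struct.pack(order + "IIII", i, 0, 4, 4) + b"\xde\xad\xbe\xef"
    return out

def sample_zip(members: dict) -> bytes:
    """Constructed sample .zip, as produced for a multi-document export."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A member that maps to None corresponds to a document whose export should be repeated, as step 4 of the procedure describes.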