Searching packets within a time range for diagnostic testing

The index data that is created at capture time is used to produce a packet capture (pcap) file that contains only the packets that match the specified time range, filter, and packet metadata.

Restriction: These searches are for diagnostic purposes only. The extracted pcap files are not removed automatically; manual cleanup is required to avoid filling the extraction partition.

Procedure

  1. In the QRadar® Packet Capture menu bar, click Search to open the Search Request window.
  2. Click New to create a search.
  3. In the Select nodes section, select the interface for the captured traffic that you want to search.

    If you have a single interface configuration, it is automatically selected.

    If no group is selected, the search request automatically goes to all groups and nodes in the cluster.

  4. In the SearchName field, type a name for the search.
  5. Specify the begin time and the end time for the search criteria.

    The begin time is auto-populated to be 4 minutes prior to the current UTC time, and the end time is the current UTC time. You can edit both fields.

  6. In the Search Filter field, specify the search filter as a BPF filter, a text filter, or both.
    • To specify a BPF filter, type bpf followed by a valid BPF packet filter expression.
    • To specify a text filter, type text followed by the text search string.
    • If a search string has both BPF and text parts, the BPF filter must come first and the text filter last.
    • If the filter is not prefixed with either bpf or text, the system treats the whole string as a BPF filter.
    The following examples are valid search strings:
    bpf port 80 text hello
    ip host 192.168.0.1
    tcp or udp text hello
    port 80 text hello
    text hello
    The following examples are invalid search strings:
    Hello (no prefix, so it is treated as a BPF filter, and Hello is not a valid BPF expression)
    text hello port 80 (the BPF part must come before the text part)
    bpf hello (hello is not a valid BPF expression)

    For more information about building BPF filter expressions, see Berkeley packet filters.

  7. In the MaxPacketCount field, specify the number of packets to extract.

    The default maximum number of packets to extract is 10,000. If you change the number to 0, all packets that match the time range and filter are extracted, so the resulting pcap file can be very large.

  8. Click Create Search to start the search.

Completed searches

This tab shows all the completed and canceled searches.

  1. Click on the name of the search to open the stream view for in-depth analysis.
  2. To delete an individual search, click the delete icon next to the search name.
  3. To delete all searches, click the Delete All Searches button.
    This deletes all searches across all nodes of all selected groups. This action is not reversible.

In progress searches

  1. To cancel a search in progress, click on the X beside the search.

    The search is stopped. You can delete it on the Completed tab.

  2. In the Action column of the search page, use the Chunking option to split a search request into smaller data segments so that you can access data while the entire search request is still running. To download a segment, specify its PCAP file number, and then click Download PCAP File.

    Data segments are 128 MB, and the last data segment can be any size smaller than 128 MB.

  3. To see the state of the search queue, view the Search request queue.
  4. To see a history of all completed searches, view the Request log.
  5. Delete the extraction directories of manual searches to ensure that sufficient space remains for forensics recovery processes:
    1. Log in as root.

      username: root

      password: P@ck3t08.. (the default; use the current root password if it has been changed on your appliance)

    2. Confirm the directory name, then run the following command:

      ls /extraction

      rm -r -- "/extraction/<name_of_search>"

      The <name_of_search> variable is the value in the Name column on the Completed Searches page. Quote the path so that a search name that contains spaces is treated as a single directory, and keep the -- so that a name that begins with a hyphen is not interpreted as an rm option.
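The cleanup step above removes one directory under /extraction by hand. The following added example (not part of the original page or the QRadar Packet Capture product) wraps that step in a small POSIX shell script that refuses names that could escape the extraction root, reports how much space each remaining search still occupies, and only ever deletes a single named directory. The EXTRACTION_ROOT override and the function names are this example's own assumptions; the layout of one directory per search under /extraction is taken from the procedure above.

```shell
#!/bin/sh
# Added example: safe removal of a manual search's extraction directory.
# Assumes one directory per search under /extraction, named after the Name
# column on the Completed Searches page (as the procedure above describes).
# EXTRACTION_ROOT can be overridden for testing; the default is the real path.

EXTRACTION_ROOT="${EXTRACTION_ROOT:-/extraction}"

# A search name must be a single path component: reject empty names,
# '.', '..', and anything containing a slash, so that a malformed or
# hostile name cannot delete outside the extraction root.
valid_search_name() {
    case "$1" in
        ''|.|..|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Remove exactly one search directory. Returns 2 for an invalid name,
# 1 if the directory does not exist, 0 on success.
remove_search() {
    name="$1"
    if ! valid_search_name "$name"; then
        echo "refusing to remove '$name': not a plain search name" >&2
        return 2
    fi
    target="$EXTRACTION_ROOT/$name"
    if [ ! -d "$target" ]; then
        echo "no such search directory: $target" >&2
        return 1
    fi
    # '--' stops rm from treating a name that begins with '-' as an option;
    # the quotes keep names with spaces as one argument.
    rm -r -- "$target"
}

# List remaining search directories with their size in KiB, largest first,
# so the operator can see what is still filling the extraction partition.
search_usage() {
    du -sk -- "$EXTRACTION_ROOT"/*/ 2>/dev/null | sort -rn
}

# Usage: EXTRACTION_ROOT=/extraction ./cleanup_search.sh <name_of_search>...
if [ "$#" -gt 0 ]; then
    for n in "$@"; do
        remove_search "$n"
    done
    search_usage
fi
```

Run it with the search names from the Completed Searches page as arguments; it prints the remaining per-search usage afterwards so you can confirm that the partition has space again before the next diagnostic search.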