What's new in QRadar Network Packet Capture 7.3.2

With QRadar® Network Packet Capture 7.3.2 you can run simultaneous searches. Other features include improvements to packet capture, search, and retention settings.

Parallel searching

You can use the parallel search feature to query the PCAP repository with up to five simultaneous searches. This includes remote and local searches.

Previously, queries were executed one by one using a queuing system. Queries could be held up for many minutes behind a long-running, complex search. Now you can run your searches in parallel.

Streaming bandwidth is shared between running searches. This means that for simple searches that retrieve many results, the bandwidth is shared and might still take some time to complete. However, for indexed searches (that is, when searching for and retrieving very specific data), the search performance is not adversely affected.

QRadar Network Packet Capture traffic capture settings

Packet capture settings are retained after a restart

Previously, packet capture needed to be restarted manually, but now you can configure this using the API, or check the Remember state check box on the Admin tab.

Incoming and captured traffic display

The Traffic widget on the Dashboard tab has been enhanced so that you can now monitor incoming or captured traffic.

Previously, only a combination of this data was available. The new feature is useful because the bit rate for incoming traffic can vary significantly from captured traffic.

GeneralQRadar Network Packet Capture improvements

The following features are available:

Search history is now available after a reboot.
Predictive retention time display has been added in the Group List View widget on the Dashboard tab. This feature provides the predicted retention time based on the current capture rate, which helps you to estimate how much data you can keep based on the current volume.