Adding packet capture devices to QRadar Incident Forensics hosts
Packet capture devices process captured packet data for forensics recoveries. You can connect packet capture devices to an IBM® QRadar® Incident Forensics managed host or IBM QRadar Incident Forensics Standalone host.
If no packet capture device is attached, you can manually upload the packet capture files in the user interface or by using FTP.
Before you begin
- For distributed installations, install the QRadar Console on one appliance and QRadar Incident Forensics Processor on another appliance.
- For stand-alone deployments, install only the QRadar Incident Forensics Standalone component.
For more information, see Installing QRadar Incident Forensics.
- Log in to QRadar Console as an
The default user name is admin. The password is the password of the root user account that was entered during the QRadar installation.
- On the navigation menu, click Admin.
- In the System Configuration pane, click System and License Management.
- From the host table, select the QRadar Incident Forensics appliance.
In a distributed deployment, the QRadar Incident Forensics Processor has Appliance Type 6000.
In a stand-alone deployment, the QRadar Incident Forensics Standalone host has Appliance Type 6100.
- Click .
- Click Component Management.
- To add packet capture devices, click the add icon (+) and enter the information about the
For stacked configurations in QRadar Network Packet Capture, add only the Stack Controller. Don't add the IP addresses for each Stack Node.
- Click Save.
To deploy changes from the current session, go to the Admin tab, and
Alternatively, you can deploy all configuration changes that were made since the last deployment.
Go to the Admin tab, and select .