Packet capture devices process captured packet data for forensics recoveries. You can
connect packet capture devices to an IBM®
QRadar® Incident Forensics managed host or
IBM
QRadar Incident Forensics Standalone host.
If no packet capture device is attached, you can manually upload the packet capture files in the
user interface or by using FTP.
Before you begin
You must have
QRadar Incident
Forensics installed.
- For distributed installations, install the QRadar
Console on one appliance and QRadar Incident Forensics
Processor on another appliance.
- For stand-alone deployments, install only the QRadar Incident Forensics
Standalone component.
For more information, see Installing QRadar Incident Forensics.
Procedure
-
Log in to QRadar
Console as an
administrator:
https://IP_Address_QRadar
The default user name is admin. The password is the password of the root user
account that was entered during the QRadar installation.
-
On the
navigation menu (
), click
Admin.
-
In the System Configuration pane, click System and License
Management.
-
From the host table, select the QRadar Incident Forensics appliance.
In a distributed deployment, the QRadar Incident Forensics
Processor has Appliance
Type 6000.
In a stand-alone deployment, the QRadar Incident Forensics
Standalone host has
Appliance Type 6100.
- Click .
-
Click Component Management.
-
To add packet capture devices, click the add icon (+) and enter the information about the
device.
For stacked configurations in QRadar Network Packet
Capture, add only the
Stack Controller. Don't add the IP addresses for each Stack Node.
-
Click Save.
-
To deploy changes from the current session, go to the Admin tab, and
select .
Alternatively, you can deploy all configuration changes that were made since the last deployment.
Go to the Admin tab, and select .