Adding packet capture devices to QRadar Incident Forensics hosts

Packet capture devices process captured packet data for forensics recoveries. You can connect packet capture devices to an IBM® QRadar® Incident Forensics managed host or IBM QRadar Incident Forensics Standalone host.

If no packet capture device is attached, you can manually upload the packet capture files in the user interface or by using FTP.

Before you begin

You must have QRadar Incident Forensics installed.
  • For distributed installations, install the QRadar Console on one appliance and QRadar Incident Forensics Processor on another appliance.
  • For stand-alone deployments, install only the QRadar Incident Forensics Standalone component.

For more information, see Installing QRadar Incident Forensics.


  1. Log in to QRadar Console as an administrator:


    The default user name is admin. The password is the password of the root user account that was entered during the QRadar installation.

  2. On the navigation menu (the Navigation menu icon), click Admin.
  3. In the System Configuration pane, click System and License Management.
  4. From the host table, select the QRadar Incident Forensics appliance.

    In a distributed deployment, the QRadar Incident Forensics Processor has Appliance Type 6000.

    In a stand-alone deployment, the QRadar Incident Forensics Standalone host has Appliance Type 6100.

  5. Click Deployment Actions > Edit Host.
  6. Click Component Management.
  7. To add packet capture devices, click the add icon (+) and enter the information about the device.

    For stacked configurations in QRadar Network Packet Capture, add only the Stack Controller. Don't add the IP addresses for each Stack Node.

  8. Click Save.
  9. To deploy changes from the current session, go to the Admin tab, and select Advanced > Deploy Changes.

    Alternatively, you can deploy all configuration changes that were made since the last deployment.

    Go to the Admin tab, and select Advanced > Deploy Full Configuration.