QRadar Network Packet Capture searches and queries

To look for specific packets within a specific time range, and from a specific port, use the SEARCH tab. When you specify any combination of the source IP, destination IP, source port, destination port, or protocol fields, a QRadar® Network Packet Capture Query Language (NTQL) string is generated. You can modify the generated NTQL string, or you can create your own NTQL expression from scratch.

For example, to optimize NTQL, change "dst host" to "host", or change the "and" expression between the source IP and destination IP addresses to an "or" expression.

Multiple searches

You can run multiple simultaneous searches.
Note: If you start five or more searches in quick succession, with auto-download enabled, you might experience a slow response rate. This is a web browser limitation due to the number of simultaneous connections.

Limiting search results

To limit search results and reduce the time that it takes the search to deliver results, add scope to the search by using one of the following filters:
  • Time Interval
  • Receive Ports (selected ports)
If you are searching on a group of QRadar Network Packet Capture appliances (see Grouped QRadar Network Packet Capture appliances), make sure that you submit search queries only when logged on to the local appliance. Otherwise, retrieval performance of search results is impaired.

You can also use Search Targets to specify which appliances in a stack you want to search.

Search output is written in either standard PCAP or PCAP-NG format. The PCAP-NG format contains port number information, even for searches across a group of QRadar Network Packet Capture appliances. For each server in the group, you can also specify the received ports on which to search for traffic.

FCS (Frame Check Sequence) information is also returned in the search output, in addition to the packet data.

If the search engine is busy when you submit a search, you can queue the search instead of running it immediately. You can also choose whether the output is downloaded automatically as soon as the search completes, and you can assign different priorities to different searches.

Differences between NTQL and BPF

Use NTQL to accelerate searches based on the index that is built during capture.

NTQL filters work differently than Berkeley Packet Filters (BPF). The following examples describe how NTQL filters work:
  • When you search for an IP address, all packets that have this IP address are returned independent of any VLAN, MPLS or ISL tagging or encapsulation.
  • When you search for specific TCP or UDP ports, the results that are returned include IPv6 packets that carry extension headers.

BPF post-filtering uses the full BPF syntax. You write the BPF expression, and it is applied only to the packets that already passed the specified NTQL filter.

BPF filters work differently from NTQL and might remove packets that were found by the NTQL filter.
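As an added illustration (not from the product documentation and not the appliance's own code), the following Python models the two stages on a constructed three-frame capture: an index-style host match that ignores 802.1Q tags, as the NTQL behaviour above describes, followed by a libpcap-style "host" post-filter, which without the "vlan" keyword only tests the EtherType at offset 12 and therefore drops the tagged frame. The NTQL model, the frame builder and the sample frames are assumptions made for the demonstration; the post-filter models the behaviour of libpcap's standard "host" primitive.

```python
import struct
from ipaddress import IPv4Address

ETH_IPV4, ETH_8021Q, ETH_8021AD = 0x0800, 0x8100, 0x88A8

def build_ipv4_frame(src, dst, vlan_id=None):
    """Constructed frame: Ethernet, optional 802.1Q tag, bare 20-byte IPv4 header."""
    eth = bytes.fromhex("001122334455" "66778899aabb")  # dst MAC, src MAC
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)  # TPID, TCI
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip

def strip_tags(frame):
    """Return (ethertype, payload) after peeling any 802.1Q / 802.1ad tags."""
    off = 12
    etype = struct.unpack_from("!H", frame, off)[0]
    while etype in (ETH_8021Q, ETH_8021AD):
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    return etype, frame[off + 2:]

def ntql_like_host(frame, ip):
    """Assumed model of the indexed 'host' search: match either IP address regardless of tagging."""
    etype, payload = strip_tags(frame)
    if etype != ETH_IPV4:
        return False
    src, dst = struct.unpack_from("!4s4s", payload, 12)
    return IPv4Address(ip).packed in (src, dst)

def bpf_like_host(frame, ip):
    """libpcap 'host X' without 'vlan': the filter tests the EtherType at offset 12, so tagged frames never match."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return False
    return ntql_like_host(frame, ip)

def search_then_post_filter(frames, ip):
    """Stage 1 (NTQL) picks candidates, stage 2 (BPF) may drop some; returns (ntql_hits, bpf_hits)."""
    stage1 = [f for f in frames if ntql_like_host(f, ip)]
    stage2 = [f for f in stage1 if bpf_like_host(f, ip)]
    return len(stage1), len(stage2)

# Constructed three-frame capture; two frames involve 10.0.0.5.
SAMPLE = [
    build_ipv4_frame("10.0.0.5", "192.0.2.10"),               # untagged
    build_ipv4_frame("192.0.2.10", "10.0.0.5", vlan_id=100),  # 802.1Q tagged
    build_ipv4_frame("10.0.0.9", "192.0.2.10"),               # other host
]
```

search_then_post_filter(SAMPLE, "10.0.0.5") returns (2, 1): the VLAN-tagged frame that the first stage found is the one the BPF stage removes, which is the effect described above.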