Grouped QRadar Network Packet Capture appliances

Use the QRadar® Network Packet Capture grouping feature to group multiple physical appliances together to form a single logical entity for administration and searching. By using the grouping feature, multiple tap points and multiple QRadar Network Packet Capture appliances can be accessed and operated as if they were one appliance.

A QRadar Network Packet Capture group can capture data from separate network taps. You must configure all the QRadar Network Packet Capture appliances to access all of the QRadar Network Packet Capture group members on the management network interface, and the network must have a DNS server.

When you group QRadar Network Packet Capture appliances, you can search the data of all group members with a single data query. The search result is a single PCAP file that contains data merged from all group members.

You only need to log in to one of the members to access the entire group. From this single login, you can communicate by proxy with all other members of the QRadar Network Packet Capture group.

The proxy functionality is primarily intended for administration, configuration, and debugging of remote appliances. If a user who is connected to a remote QRadar Network Packet Capture appliance through the proxy initiates a search that spans the whole group, a significant amount of redundant traffic is transmitted across the management network. This impacts retrieval performance, depending on the bandwidth and latency of the management network. Consequently, searches spanning a QRadar Network Packet Capture group must always be initiated on the primary or local machine, without any hub or proxying.