Events View - Packet Tab

The Packet tab is in the Event Details panel. Here you can safely view and interactively analyze the packets and payload of an event.

Workflow

netwitness_wkflow-packetpnl.png

What do you want to do?

User Role I want to ... Show me how

Incident Responder or Threat Hunter

review detections and signals seen in my environment

NetWitness Platform Getting Started Guide

Incident Responder

review critical incidents or alerts

NetWitness Respond User Guide

Threat Hunter query a service, metadata, and time range

Begin an Investigation in the Events View

Begin an Investigation in the Navigate or Legacy Events View

Threat Hunter

view metadata*

Filter Results in the Navigate View

Drill into Metadata in the Events View

Threat Hunter

view sequential events*

Filter Results in the Events View

Filter Results in the Legacy Events View

Threat Hunter

reconstruct and analyze an event*

Examine Event Details in the Events View

Reconstruct an Event in the Legacy Events View

Threat Hunter examine files and associated hosts*

Download Data in the Events View

Export or Print a Drill Point in the Navigate View

Export Events in the Legacy Events View

Threat Hunter perform lookups*

Look Up Additional Context for Results

Launch a Lookup of a Meta Key

Threat Hunter create an incident or add to an incident

Add Events to an Incident in the Legacy Events View

Add Events to an Incident in the Events View

Threat Hunter

add a meta value to a Context Hub list*

Look Up Additional Context for Results

*You can perform this task in the current view.

Related Topics

Quick Look

Only network events can be analyzed in the Packet panel. The Packet panel lists each packet in the event. The list of packets is scrollable. When you scroll, the packet or text identification information as well as the Request and Response labels remain visible rather than scrolling out of view.

In Version 11.1 and later, you can use pagination controls to go backward and forward through the pages, go to a specific page, and select the number of packets to display per page (50, 100, 300, or 500).

Each packet is displayed with shading and highlighting to help identify common file patterns: significant header and payload bytes, hexadecimal and ascii bytes, and common file signatures. In addition, you can adjust the request/response display, and display or hide the packet summary.

Below is an example of the Packet panel (formerly known as Packet Analysis) with labels to identify features. For details and examples of each feature, see Analyze Events in the Events View.

packet_reference.png

1 Options for exporting a network event. You can export a PCAP, all payloads, request payloads, or response payloads for deeper analysis and to share with others.
2 The option to identify common file signatures is activated by default. Common file signatures are highlighted in orange; hovering over the highlight reveals the file type.
3 The Shade Bytes option adds shading to identify the different hexadecimal bytes (00 to FF) using degrees of highlighting.
4 The option to display payloads only hides the packet headers, leaving more space for the payload.
5 The Overview panel information.
6 Significant bytes are highlighted in a blue background; as you move the cursor over the highlighting the meta data is displayed in a hover box.
7

(Version 11.1 and later) Packet pagination controls allow more flexibility in paging through a list of packets. When a control is unavailable, the image is dimmed; for example, when you are viewing page 1, the netwitness_paginatoingotopg1.png and netwitness_pagprevpage.png controls are dimmed.

netwitness_paginatoingotopg1.png - Go to the first page

netwitness_pagprevpage.png - Go to the previous page

netwitness_pagselnum.png - Go to a specific page

netwitness_pagnxtpg.png - Go to the next page

netwitness_paglstpg.png - Go to the last page

netwitness_pagpktperpg.png- Select the number of packets per page. If you are reconstructing large packets, lowering this limit can improve performance.