Upload a Packet Capture File

There are occasions when you want to analyze a packet capture file that is not available on the service you are using. You can upload a file captured on another service to NetWitness. Supported packet capture file types are pcap and pcap.gz.

When a packet capture file is uploaded to a Decoder, the Decoder creates sessions from the packet capture file packets. These sessions are added to the already decoded sessions on the Decoder and are available for analysis. NetWitness includes a filename tracking option that makes searching for a particular set of sessions easier. When the packet capture file is uploaded with file tracking, the Decoder adds meta to the sessions based on the uploaded filename. You can then filter sessions for analysis using that meta.

The option to upload a packet capture file is dimmed when other Decoder operations prevent an upload from occurring; for example, when the Decoder is capturing packets.

To select and upload a packet capture file:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.

    The Administration Services view is displayed.

  2. Select the Decoder name, and netwitness_ic-actns2.png> View > System.

    The Services System view for the Decoder is displayed.

  3. In the toolbar, click Upload Packet Capture File.

    The Upload Packet Capture File dialog is displayed.

    netwitness_104uploadpacketcaptfile.png

  4. To choose a capture file, click Select.

    A directory view is displayed.

  5. Browse the directory and select the packet capture file that you want to upload.

    The filename is displayed in the Upload File (pcap, pcap.gz) field.

  6. If you want the Decoder to add meta to the sessions based on the filename, click the checkbox next to Track Filename.

  7. To upload the file, click Upload.

    A progress bar shows upload progress.

    Upload time varies depending on the size of the file. When the file upload is complete, a status message is displayed. The file is now available for investigation.

Simultaneous Import and Capture

You can import or upload PCAPs while the capture is running using RESTful API. Make a note of the following points before you start importing during capture:

  • The source file metadata is not created for imported PCAPs when the capture is running. If capture is stopped, the source file metadata is created as in older versions.

  • The NWD files can be imported, but not while the capture is running. If you attempt to import an NWD file while the capture is running, the Decoder returns an error. An active import will block starting/stopping of import and capture.

  • The file tracking meta is not created during the simultaneous import and capture.