Export IPS traffic recordings

You can set IPS Inspection rules to record network traffic as a logging option in both the Exceptions and the Rules tree.

These recordings are stored on the Log Servers. Recordings generated by the Excerpt option are shown directly in the Logs view. Longer recordings, however, are meant to be viewed in an external application and are not directly viewable.

Tip: To display the Hex pane, select Menu > View > Panels > Hex.
To view the recording, you can:
  • Retrieve the recording through the log entry.
  • Define a Task for exporting IPS recordings.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Logs.
  2. Highlight the rows that are associated with recordings.
    Note: To browse for more entries that have a recording, change the selection in the Fields pane to Full Capture. (This selection is available when an entry that has an associated recording is selected.) The Record ID field is displayed with an identification number for entries that are associated with a recording.
  3. Right-click a selected entry, then select Export > Export IPS Recordings.
  4. From the File Export Format drop-down list, select the file format.
  5. Select where to export the file.
  6. Specify what happens when a previous file with the same name exists in the same folder.
  7. Click OK.
    The Task Status pane opens and shows the progress of the export.

Export Selected IPS Recordings dialog box

Use this dialog box to export the IPS recordings that have been captured.

Option Definition
File Export Format
  • Export IPS Recordings as PCAP — Exports in PCAP format.
  • Export IPS Recordings as SNOOP — Exports in SNOOP format.
Log Server
  Shows the servers from which you can export logs.
Destination file
  Specify a name for the destination file, which you can export to either of these locations:
  • Server ('export' Directory) — Exports to a file on the Log Server.

    Path: <installation directory>/data/export

  • Local Workstation — Saves the file on your computer.
If file already exists
  Specify what happens when a previous file with the same name exists in the same folder:
  • Append — The new data is inserted at the end of the existing file. This option is not supported for traffic recordings.
  • Overwrite — The previous file is replaced with the new export file.
  • Use Number in File Name — A number is added to the end of the new file’s name.
  • Fail Task — The operation is canceled.
Open file after export

(Local Workstation exports only)

When selected, the exported file opens in the operating system's default application for the file type after the export operation completes.
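
A quick sanity check for an exported recording before it is opened in an external application, as an added example that is not part of the original product documentation: it identifies PCAP or SNOOP from the file header, counts the records, and flags a truncated file. The function name and the constructed sample bytes are assumptions, and the SNOOP layout follows RFC 1761 rather than anything stated on this page.

```python
import struct

PCAP_MAGICS = {  # first four bytes of the file -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
SNOOP_MAGIC = b"snoop\x00\x00\x00"


def inspect_recording(data: bytes) -> dict:
    """Identify an exported capture as PCAP or SNOOP and count its records."""
    if data[:4] in PCAP_MAGICS and len(data) >= 24:
        order = PCAP_MAGICS[data[:4]]
        linktype = struct.unpack_from(order + "I", data, 20)[0]
        fmt, pos, rec_hdr = "pcap", 24, 16
    elif data[:8] == SNOOP_MAGIC and len(data) >= 16:
        order = ">"  # snoop fields are always big-endian
        linktype = struct.unpack_from(">I", data, 12)[0]
        fmt, pos, rec_hdr = "snoop", 16, 24
    else:
        return {"format": "unknown", "packets": 0, "truncated": False}
    packets, truncated = 0, False
    while pos < len(data):
        if pos + rec_hdr > len(data):
            truncated = True  # file ends inside a record header
            break
        if fmt == "pcap":
            # captured length is the third field of the 16-byte record header
            step = rec_hdr + struct.unpack_from(order + "I", data, pos + 8)[0]
        else:
            # snoop stores the total record length (header + data + padding)
            step = struct.unpack_from(">I", data, pos + 8)[0]
        if step < rec_hdr or pos + step > len(data):
            truncated = True  # record claims more bytes than the file holds
            break
        packets += 1
        pos += step
    return {"format": fmt, "linktype": linktype,
            "packets": packets, "truncated": truncated}


# Constructed sample data: one 4-byte dummy packet in each export format.
_PKT = b"\xde\xad\xbe\xef"
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 0, 0, 4, 4) + _PKT)
SAMPLE_SNOOP = (SNOOP_MAGIC + struct.pack(">II", 2, 4)
                + struct.pack(">IIIIII", 4, 4, 28, 0, 0, 0) + _PKT)
```

To check a real export, pass the file contents read in binary mode, for example the bytes of a file saved with the Local Workstation option.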