Accelerate investigations with precise packet capture and one-click SIEM retrievals.
STORE PACKETS LONGER, FIND THEM FASTER
Smart PCAP is a highly efficient approach to packet capture that links Zeek® logs, extracted files, and detections with just the packets you need for investigation.
Corelight's Smart PCAP gives security teams complete control over packet capture. Compared to full PCAP, it extends investigation lookback windows from days to weeks or months by capturing only the packets needed. Accelerate investigations by pivoting quickly from Corelight alerts to PCAP files with one-click packet retrieval right from your SIEM.
- Up to 10x longer lookback windows vs. full PCAP
- Set precise, powerful rules to capture only useful packets
- Flexible storage options via Corelight, BYO hardware, or the cloud (S3)
- Pivot quickly from alert to PCAP files with one-click retrieval via SIEM or Investigator
How it works
With Corelight Sensors in place, you can configure external packet storage via Corelight, BYO hardware, or cloud storage (Amazon S3). Corelight’s sensor management console lets analysts create new capture rules at configurable byte-depths based on capture triggers such as alerts, protocol type, and encryption status. Analysts can then retrieve packets via their SIEM or Corelight Investigator by clicking the PCAP URL embedded in the connection log, which opens the packets in Wireshark for further analysis.
100% network coverage
Configure Smart PCAP to capture packets for all connections not already captured via Corelight logs, and also capture the first 2,000 bytes of all unencrypted traffic. This configuration drives comprehensive network visibility by giving security teams a source of evidence for every connection in their environment via Corelight logs, captured packets, or both.
Corelight Smart PCAP tracks protocol activity across ports, and directly integrates with the security gold-standard for network evidence—Zeek—as part of the Open NDR Platform.