This section describes how to use PCAP Replay. With PCAP Replay, an analyst can upload one or more PCAP files for NetMon to reprocess for further analysis. Two additional metadata fields are available for replayed traffic:
- Replayed. Set to true if the traffic has been replayed. This is useful for filtering to view only replayed traffic.
- PcapFilename. Set to the filename of the uploaded PCAP file. This can be used to isolate one or more replayed PCAPs for analysis.
Replayed PCAPs are analyzed the same as live traffic, including the application of all enabled Deep Packet Analysis rules. PCAP replay can also be useful when creating new DPA rules.
To replay one or more PCAP files:
- On the top navigation bar of the Web Management interface, click Replay.
The PCAP Replay page appears.
Either drag your PCAP into the uploader or click upload PCAPs, browse to the directory where PCAPs are saved, select files to upload, and then click Open.You can select up to 20 files per replay session. The total size of all selected PCAPs should not be more than 2 GB. If the total size exceeds 2 GB, NetMon could drop packets during analysis. Additionally, note that uploaded PCAPs are processed along with live traffic, which could impact performance and analysis.
The selected PCAPs are loaded into NetMon.
Upload or remove the displayed PCAPs as follows:
Click To... Browse for more PCAPs and add to the list in NetMon. Upload the corresponding PCAP in the list. Remove the corresponding PCAP from the list. Upload all remaining PCAPs in the list. Remove all PCAPs that have been added to the list for uploading.
After clicking the upload icon or Upload All, NetMon begins processing the PCAP files. Results are available for analysis when processing is complete. Processing time may range from seconds to several minutes depending on PCAP file size, NetMon system load, and other factors.
- To view replayed traffic for all uploaded PCAPs, click the Replayed Traffic Dashboard link.
You can also view uploaded PCAPs on any dashboard using the appropriate metadata filters. Individually uploaded PCAP file names are linked to the Analyze Dashboard view, which is pre-filtered to show only that individual PCAP.