Analyze Captured Sessions

You can download captured sessions (captures) for further investigation. For example, you might need to look into the raw, unprocessed files for forensics or for legal matters.

Files are downloaded in PCAP file format, which you can open in a program such as Wireshark. Depending on your browser settings, session data is saved in your default download location, or you can specify a location and optional file name.

When you request a download, NetMon displays status and progress in different dialogs. When a download is successful, it is indicated in the same dialog.

If a session exceeds the maximum size set by Processing Threads, downloaded data could be truncated.

1. Open the NetMon Web Management interface.
2. On the top navigation bar, click Analyze, and then click Capture Dashboard.

3. Scroll down to the Capture Table.
   Each row in the table represents a periodic update of a session or flow.

4. In the Captured column, click the download icon for the capture that you want to download.

5. NetMon queues the download and prompts you for a filename and download location.
   Single PCAPs are packaged in a .zip archive.

6. To download multiple captures, select the check box for each capture you want to download.
   Alternatively, click the menu to the right of the Captured header to select all sessions. From this menu, you can also download all sessions.

   

   When selecting all captures, you must choose whether you want to download all visible captures or all available captures. The maximum number of captures you can download at one time is 200.

7. Click the download icon for one of the selected sessions.
   When downloading multiple sessions, PCAPs are grouped in a "pcap" folder and packaged in a .zip archive.

   

   Mac OS X users need to install an application to extract the contents of downloaded .zip files. For this purpose, p7zip can work well.