PCAP format is a standard file format for files that contain packet data. PCAP files are presented in some detections to enhance a security analyst's investigation into a triggered detection.
This is achieved using a “rolling buffer” where packets are written to disk in real-time. Packets are “rolled off” at the end of the buffer when storage limits are hit.
Depending on system load and traffic throughput, PCAP files will be stored and available for download for a minimum of 30 minutes and for as long as several hours.
To limit rolling buffer load and PCAP size, the rolling buffer stores up to 50 packets from the beginning of each flow. Certain protocols have additional packets stored into the rolling buffer. This strategy optimizes the use of the space and bandwidth available for the rolling buffer and ensures that a security analyst has the most useful data available when investigating detections while not saving data to the rolling buffer that a security analyst would not find useful.
When a detection fire or new activity is observed for a detection, Cognito will reach into the rolling buffer, identify the relevant packets, and form those packets into a detection-specific PCAP. This PCAP will then be attached to the detection and made available to download.
Depending on the timing of the detection, the protocol in use, and the traffic load on the appliance, it is possible for the PCAP to contain fewer packets than the full flow.
In extreme cases, where the AI system has taken considerable time to identify the behavior or the detection occurred later in a packet stream, the PCAP may be absent entirely. This is normal behavior and not an indicator of a problem.
Customers requiring access to all packet data should investigate the use of the Cognito Stream or Cognito Recall products. These products extract metadata from the packets and save this data for longer periods, avoiding the burden of saving, indexing, and searching full packet data while maintaining a high-quality metadata source.