
Cloud Firewall: Tracing analysis

Last Updated: Feb 11, 2026

Network Detection and Response (NDR) retains full packets of attack traffic and core asset traffic. NDR supports various scenario-based retention methods, such as retaining packets for attack events and their context. You can also configure custom filter conditions for packet retention to meet specific raw traffic retention requirements.

Prerequisites

  • Asset traffic must be provisioned to NDR. For more information, see Provisioning. If traffic is not provisioned or traffic collection is stopped, NDR cannot retain packets for the asset.

  • The protocol log delivery feature must be enabled. For more information, see Enable log delivery.

    Important

    If protocol log delivery is not enabled, the Protocol Parsing and Tracing feature does not generate data.

Protocol parsing traceback

This feature detects and performs deep parsing of various application-layer protocols, such as HTTP, DNS, and TLS. It extracts detailed protocol fields and associates them with the bidirectional traffic payload so that you can trace a session back to its raw packets.

  1. Log on to the Network Detection and Response console.

  2. In the navigation pane on the left, choose Detection and Response > Tracing Analysis.

  3. On the Protocol Parsing and Tracing tab, you can view and parse logs of different types. You can select specific conditions in the left-side panel to filter logs.

  4. In the Actions column, click Details. In the Details panel, you can view the detailed data within the traffic.

Attack packet traceback

This feature automatically retains traffic from attack events, including the traffic immediately before and after the events. This process requires no manual intervention. It helps you avoid high storage fees for unnecessary traffic while balancing retention requirements and costs. This feature also simplifies packet capture for reproducing attack traffic.

  1. In the navigation pane on the left, choose Detection and Response > Tracing Analysis.

  2. On the Attack Packet Tracing tab, view the rankings of IP TOP10, IP Protocol, and Port for packets retained from before and after attack events.

    • Retention Settings:

      1. Click Retention Settings in the upper-right corner of the list.

      2. In the Retention Settings dialog box, select a retention method for attack packets based on your business scenario, and then click OK.

        • 5-tuple retention: Retains the packets of the attack event's own stream, identified by its 5-tuple (source IP, destination IP, protocol, source port, and destination port).

        • 2-tuple retention: When NDR detects an attack from a suspect IP address to a victim IP address, you can use this method to analyze other attack packets sent from the suspect IP to the victim IP before and after the attack.

        • 1-tuple retention: When NDR detects an attack from a suspect IP address to a victim IP address, you can use this method to analyze attack packets sent from the suspect IP to other victim IP addresses before and after the attack.

    • Packet Analysis: Find the target packet stream and click Packet Analysis in the Actions column. Alternatively, you can click Packet Analysis to the right of the packet distribution graph. You are then redirected to the Online PCAP Parsing page. For more information, see Packet analysis management.

    • Generate PCAP:

      • Find the target packet stream and click Generate PCAP in the Actions column. A PCAP generation task is automatically created. You can also click Generate PCAP to the right of the packet distribution graph to generate a PCAP file for all packets. Alternatively, you can select multiple packet data entries and click Batch Generate PCAP at the bottom-left of the table.

      • On the PCAP generation task tab, you can view the created PCAP tasks and download the PCAP data. For more information, see PCAP generation task management.
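To make the three retention methods concrete, the following Python example (added here, not NDR's own code) derives the match key each method keeps from one attack event and applies it to constructed traffic seen around the event. The context window length, the field names and the exact semantics of each method are assumptions drawn from the descriptions above.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    """Constructed 5-tuple of one packet stream (sample data model, not NDR's own)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def retention_key(event: Flow, mode: str) -> Dict[str, object]:
    """Fields an attack event contributes to the match under each retention method.

    Assumed reading of the page: 5-tuple keeps the event's own stream, 2-tuple keeps
    every stream from the suspect IP to the victim IP, 1-tuple keeps every stream the
    suspect IP sends to any destination.
    """
    if mode == "5-tuple":
        return {"src": event.src, "dst": event.dst, "proto": event.proto,
                "sport": event.sport, "dport": event.dport}
    if mode == "2-tuple":
        return {"src": event.src, "dst": event.dst}
    if mode == "1-tuple":
        return {"src": event.src}
    raise ValueError(f"unknown retention method: {mode}")

def retained_streams(event: Flow, event_ts: float, mode: str,
                     observed: List[Tuple[float, Flow]], window_s: float = 60.0) -> List[Flow]:
    """Select the observed (timestamp, flow) pairs kept 'before and after' the event.

    window_s is an assumed context window; the page does not state NDR's actual value.
    """
    key = retention_key(event, mode)
    kept = []
    for ts, flow in observed:
        if abs(ts - event_ts) > window_s:
            continue  # outside the before/after context window
        if all(getattr(flow, name) == value for name, value in key.items()):
            kept.append(flow)
    return kept

# Constructed sample: the alerted stream plus other traffic seen around the same time.
EVENT = Flow("203.0.113.7", "198.51.100.20", "tcp", 51000, 80)
EVENT_TS = 1000.0
OBSERVED = [
    (990.0, EVENT),                                                    # the attack stream itself
    (1010.0, Flow("203.0.113.7", "198.51.100.20", "tcp", 51001, 22)),  # same IP pair, other port
    (1020.0, Flow("203.0.113.7", "198.51.100.21", "tcp", 51002, 445)), # suspect -> another victim
    (1030.0, Flow("192.0.2.9", "198.51.100.20", "tcp", 40000, 80)),    # unrelated source
    (2000.0, EVENT),                                                   # same stream, outside window
]
```

Run with the three mode strings to see the kept set grow from one stream (5-tuple) to two (2-tuple) to three (1-tuple); the unrelated source and the out-of-window packet are never kept.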

Full traffic retention traceback

This feature lets you configure custom filter rules for full packet retention. You can retain full traffic for specific assets as needed. This method helps save costs and lets you reproduce and analyze raw traffic for key services.

Packet retention search

NDR offers the advantage of automatic full packet retention. However, retaining all raw packets indefinitely can lead to high costs. NDR provides both automatic and manual packet retention methods to help you retain necessary packet data for further analysis more efficiently and cost-effectively.

  • Automatic retention: Automatically retains full packets based on threat alerts.

  • Manual retention: Retains full packets based on custom retention filter rules.

  1. In the navigation pane on the left, choose Detection and Response > Tracing Analysis.

  2. On the Traffic Retention and Tracing > Packet Query tab, view the rankings of IP TOP10, IP Protocol, and Port for the retained packets.

  3. Packet Analysis: Find the target packet stream and click Packet Analysis in the Actions column. Alternatively, you can click Packet Analysis to the right of the packet distribution graph. You are then redirected to the Online PCAP Parsing page. For more information, see Packet analysis management.

  4. Generate PCAP: Find the target packet stream and click Generate PCAP in the Actions column. A PCAP generation task is automatically created. You can also click Generate PCAP to the right of the packet distribution graph to generate a PCAP file for all packets. Alternatively, you can select multiple packet data entries and click Batch Generate PCAP at the bottom-left of the table.

    On the PCAP generation task tab, you can view the created PCAP tasks and download the PCAP data. For more information, see PCAP generation task management.

Configure packet retention filter rules

You can set filter rules for packet retention based on your core business assets.

  1. In the navigation pane on the left, choose Detection and Response > Tracing Analysis.

  2. On the Packet Filter Rule tab, click Create Rule.

  3. In the Packet Filter Rule panel, configure the following parameters.

    • Filter Logic:

      • Whitelist: Retains traffic that matches the rule.

      • Blacklist: Does not retain traffic that matches the rule. All other traffic is retained.

    • 5-Tuple: Configure the source IP and destination IP (0.0.0.0/0 indicates no limit). Click the direction icon to select a One-way or Bidirectional filter rule.

    • Destination Port: Specify a single port or a port range, such as 80 or 100-200. Configure the port filter rule based on the selection in the drop-down list on the left.

    • Layer 4 Protocol: Configure the protocol filter rule. By default, all protocols are selected. Configure the protocol filter rule based on the selection in the drop-down list on the left.

    • Max Retention Bytes: The default value is Unlimited. You can also select Custom to specify the number of bytes to retain per stream. If you select Custom, the default value is 1 MB, and the value must be between 1 KB and 500 MB.

    • Retention Period: The default value is Unlimited. You can also select Fixed Duration, Single Time Range, or Recurring cycle.

  4. After you complete the configuration, click OK.

    The rule takes effect immediately.
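The following Python example (added here, not the product's code) models how a rule configured with these parameters decides whether a packet stream is retained: the port formats 80 and 100-200, the 0.0.0.0/0 wildcard, One-way versus Bidirectional matching, the Layer 4 Protocol selection, the 1 KB to 500 MB bound on a Custom Max Retention Bytes value, and the Whitelist/Blacklist filter logic. How NDR matches the reverse direction of a bidirectional rule is an assumption, as are the sample addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

KB, MB = 1024, 1024 * 1024
def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Parse the page's port formats, '80' or '100-200', into an inclusive range."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port spec: {spec}")
    return lo_i, hi_i

@dataclass
class FilterRule:
    logic: str                        # "whitelist" retains matches, "blacklist" drops them
    src: str = "0.0.0.0/0"            # 0.0.0.0/0 means no limit, as on the page
    dst: str = "0.0.0.0/0"
    bidirectional: bool = False       # One-way vs Bidirectional
    dport: str = "0-65535"            # Destination Port: single port or range
    protocols: Tuple[str, ...] = ("tcp", "udp", "icmp")  # Layer 4 Protocol selection
    max_bytes: Optional[int] = None   # Max Retention Bytes per stream; None = Unlimited

    def __post_init__(self):
        # A Custom Max Retention Bytes value must lie between 1 KB and 500 MB (page limits).
        if self.max_bytes is not None and not KB <= self.max_bytes <= 500 * MB:
            raise ValueError("Max Retention Bytes must be between 1 KB and 500 MB")

    def matches(self, sip: str, dip: str, proto: str, sport: int, dport: int) -> bool:
        if proto not in self.protocols:
            return False
        lo, hi = parse_port_spec(self.dport)
        src_net, dst_net = ipaddress.ip_network(self.src), ipaddress.ip_network(self.dst)
        s, d = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
        forward = s in src_net and d in dst_net and lo <= dport <= hi
        # Assumed reverse-direction reading: a reply's source port is the rule's dport.
        reverse = self.bidirectional and s in dst_net and d in src_net and lo <= sport <= hi
        return forward or reverse

def retain(rule: FilterRule, sip, dip, proto, sport, dport) -> bool:
    """Filter Logic: whitelist keeps matching traffic, blacklist keeps everything else."""
    hit = rule.matches(sip, dip, proto, sport, dport)
    return hit if rule.logic == "whitelist" else not hit
# Constructed sample traffic (not from the page): web request to a core asset, its reply, a DNS query.
WEB_REQ = ("203.0.113.5", "198.51.100.10", "tcp", 44000, 80)
WEB_RESP = ("198.51.100.10", "203.0.113.5", "tcp", 80, 44000)
DNS_QUERY = ("203.0.113.5", "198.51.100.10", "udp", 50000, 53)
ONE_WAY = FilterRule("whitelist", dst="198.51.100.0/24", dport="80", protocols=("tcp",))
BOTH_WAYS = FilterRule("whitelist", dst="198.51.100.0/24", dport="80", protocols=("tcp",), bidirectional=True)
DENY_WEB = FilterRule("blacklist", dst="198.51.100.0/24", dport="80", protocols=("tcp",), max_bytes=1 * MB)
```

With ONE_WAY only the request is retained; BOTH_WAYS also keeps the reply; DENY_WEB keeps the DNS query but not the web request.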

On the Packet Filter Rule tab, you can also Query, Edit, Stop, or Delete existing rules.

Clicking Query redirects you to the Traffic Retention and Tracing > Packet Query page, where you can view the details of packets retained by that rule.

PCAP generation task management

  1. In the navigation pane on the left, choose Detection and Response > Tracing Analysis.

  2. On the PCAP Task Generation tab, you can view the created PCAP generation tasks.

  3. In the Actions column, click Download to download the packets to your local computer for further analysis.

Important

A PCAP download contains a maximum of the first 5,000 packets. You can create a maximum of 99 PCAP generation tasks. PCAP tasks are retained for 30 days. Tasks older than 30 days are automatically deleted.

Packet analysis management

On the Online PCAP Parsing page, you can perform the following operations:

  • View the packet list: The upper part of the page displays a list of data packets within a specified time range in a table. Each row corresponds to a frame and includes the following information: #, capture Time, Source Address, Destination Address, Protocol, Length, and a summary of key protocol fields in the Information column.

    The system highlights data packets with colors based on the rules listed in the table below. The rules are prioritized from high to low. If a single data packet matches multiple rules (for example, it is both HTTP traffic and contains a TCP RST flag), only the color of the highest-priority rule is applied.

    Color Style                          | Traffic Type                      | Typical Scenario
    -------------------------------------|-----------------------------------|--------------------------------------------------
    Red text on a black background       | TCP checksum error / Bad packet   | Network packet loss, link anomaly
    Black text on a yellow background    | ARP message                       | Address resolution, local area network scan
    Black text on a pink background      | ICMP message                      | Ping, Traceroute, network unreachable
    White text on a blue background      | TCP RST (connection reset)        | Abnormal disconnection, firewall interception
    Black text on a green background     | HTTP traffic                      | Web request/response
    Black text on a gray background      | TCP SYN or FIN                    | A standard three-way or four-way handshake
    Black text on a purple background    | Normal TCP traffic                | Application layer data transmission (non-HTTP)
    Black text on a light blue background| UDP traffic                       | DNS, NTP, video stream, etc.

    In the search box at the top, you can filter data packets by specifying filter conditions. The search box supports standard display filter syntax, such as http && ip.dst == 1.2.3.4.

    Note

    • Packet generation time: If the number of packets is large, the generation process may take a long time. If the process is not complete after 10 seconds, you can close and reopen the page.

    • Packet count limit: A maximum of the first 5,000 packets can be parsed.

    • Recent time range query limit: If the end time of the query range is less than 5 minutes from the current time, some packets may not have been collected. In this case, the system cannot parse any data. You must wait for the data to be collected.

    • Session integrity: Even if some results are returned, the corresponding session may still be in progress, such as a persistent connection or a large file transfer. In this case, subsequent packets may not have arrived. To obtain complete session data, wait for a few moments and then refresh the page.

  • View packet details: Click any data packet row in the packet list. The details are displayed in the lower part of the page, including Data Packet Details and the Hexadecimal View.

    • Data Packet Details (Protocol parsing tree): This view displays the protocol structure from top to bottom by encapsulation layer: Frame → Ethernet → IP → TCP/UDP → Application-layer protocol (such as HTTP, TLS). Each layer lists all the fields and their values for that protocol.

    • Protocol and hexadecimal byte interaction: Click any field in the protocol parsing tree on the left. The corresponding bytes in the hexadecimal view on the right are highlighted. Click any byte in the hexadecimal view on the right. The corresponding protocol field in the parsing tree on the left is highlighted. This interaction helps you intuitively understand the position and encoding of protocol fields in the raw packet.

    • Track communication stream: For TCP, UDP, HTTP, or TLS sessions, you can click Trace Stream on the right side of the Data Packet Details area. A page appears and shows the payload data exchanged between the two parties in the communication stream. It also automatically applies the corresponding stream filter in the packet list (for example, tcp.stream eq 0). This makes it easy to trace all related data packets for that stream.
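As an added illustration (not the console's implementation) of the parsing tree and its tree-to-hex mapping described above, this Python example decodes a constructed Ethernet/IPv4/TCP/HTTP frame into tree rows that carry each field's byte offset and length, so a clicked field can be resolved to its bytes and a clicked byte to its field. The frame contents, the decoded subset of fields and their names are constructed for the example.

```python
import struct

def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying an HTTP request (sample, not a capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 44000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([203, 0, 113, 5]), bytes([198, 51, 100, 10]))
    return eth + ip + tcp

def parse_frame(frame: bytes):
    """Walk Ethernet -> IP -> TCP -> application layer; record each field's byte span."""
    fields = []  # (layer, field, offset, length, value): one row of the parsing tree
    def add(layer, name, off, ln, val):
        fields.append((layer, name, off, ln, val))
    add("Ethernet", "dst", 0, 6, frame[0:6].hex(":"))
    add("Ethernet", "src", 6, 6, frame[6:12].hex(":"))
    ethertype = struct.unpack("!H", frame[12:14])[0]
    add("Ethernet", "type", 12, 2, hex(ethertype))
    if ethertype != 0x0800:
        return fields  # only IPv4 is decoded in this example
    i = 14
    ihl, proto = (frame[i] & 0x0F) * 4, frame[i + 9]
    add("IP", "proto", i + 9, 1, proto)
    add("IP", "src", i + 12, 4, ".".join(map(str, frame[i + 12:i + 16])))
    add("IP", "dst", i + 16, 4, ".".join(map(str, frame[i + 16:i + 20])))
    if proto != 6:
        return fields  # UDP and other transports are left undecoded here
    t = i + ihl
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    add("TCP", "srcport", t, 2, sport)
    add("TCP", "dstport", t + 2, 2, dport)
    add("TCP", "flags", t + 13, 1, hex(frame[t + 13]))
    app = t + (frame[t + 12] >> 4) * 4  # TCP data offset gives the application-layer start
    if 80 in (sport, dport) and app < len(frame):
        line = frame[app:].split(b"\r\n", 1)[0]
        add("HTTP", "request_line", app, len(line), line.decode("ascii", "replace"))
    return fields

def span_of(fields, layer: str, name: str):
    """Tree -> hex: the (offset, length) to highlight when a field is clicked."""
    return next((off, ln) for l, n, off, ln, _ in fields if (l, n) == (layer, name))

def field_at(fields, offset: int):
    """Hex -> tree: the field that owns a clicked byte (None for undecoded bytes)."""
    return next((f"{l}.{n}" for l, n, off, ln, _ in fields if off <= offset < off + ln), None)

FRAME = build_frame(b"GET / HTTP/1.1\r\nHost: asset.example\r\n\r\n")
```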