
Cloud Firewall:Tracing analysis

Last Updated:Mar 31, 2026

When a security incident occurs, you need to quickly reconstruct what happened — which packets were exchanged, what protocols were used, and what payloads were transmitted. Agentic NDR retains full packets for attack traffic and core asset traffic, then lets you analyze them in the browser or download them as packet capture (PCAP) files. Three complementary workflows cover the main investigation scenarios:

  • Protocol Session — parse application-layer sessions (HTTP, DNS, TLS) and correlate them with bidirectional traffic data

  • Attack Forensics — automatically preserve packets surrounding detected attack events for reproduction and forensics

  • Full traffic traceback — apply custom filter rules to retain raw traffic for specific assets

Prerequisites

Before you begin, make sure you have:

  • Provisioned asset traffic to Agentic NDR. See Provisioning. If traffic is not provisioned or collection is stopped, Agentic NDR cannot retain packets for the asset.

  • Enabled the protocol log delivery feature. See Enable log delivery.

Important

If protocol log delivery is not enabled, the Protocol Session feature does not generate data.

Limitations

Scope | Limit
PCAP download | First 5,000 packets per download
PCAP generation tasks | Maximum 99 tasks
PCAP task retention | 30 days; tasks older than 30 days are automatically deleted
Online PCAP Parsing: packet count | Maximum 5,000 packets per parse
Online PCAP Parsing: recent time range | If the query end time is less than 5 minutes from the current time, parsing may fail or return incomplete results. Wait a few minutes and try again.
Online PCAP Parsing: generation time | If packet generation takes longer than 10 seconds, close and reopen the page.
Online PCAP Parsing: session integrity | For long-lived connections or large file transfers, partial results may be returned. Refresh the page after a few minutes to get complete session data.

Analyze protocol sessions

Protocol Session performs deep parsing of application-layer protocols — HTTP, DNS, and TLS — extracts detailed protocol fields, and correlates them with bidirectional full traffic data.

  1. Log on to the Agentic NDR console.

  2. In the left-side navigation pane, choose Investigate > Protocol Session.

  3. In the left-side panel, select filter conditions to narrow the log view by protocol type or other criteria.

  4. In the Actions column, click Details to view the full data contained in a specific traffic record.

Investigate attack traffic

Attack Forensics automatically retains packets immediately before and after a detected attack event. Only the relevant surrounding traffic is stored, which reduces storage costs while preserving enough context to reproduce and analyze the attack.

  1. In the left-side navigation pane, choose Investigate > Attack Forensics.

  2. Review the IP TOP10, IP Protocol, and Port rankings for packets retained around attack events.

Configure retention settings

The retention method determines how broadly Agentic NDR captures surrounding traffic when an attack is detected. Click Retention Settings in the upper-right corner, select a method, and click OK.

Method | What is retained
5-Tuple | Packets matching the exact attack flow (source IP, destination IP, source port, destination port, protocol)
2-Tuple | All packets exchanged between the suspect IP and the victim IP around the time of the attack. Use this to find other activity between the same two hosts.
1-Tuple | All packets from the suspect IP to any destination around the time of the attack. Use this to identify other targets the attacker may have hit.
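The following script is an added illustration, not Agentic NDR code: it models the three retention methods over a small set of constructed packets so you can see what each method keeps around the same attack event. The record layout, the time window, and the treatment of the reply direction under 5-Tuple are assumptions made for the example.

```python
# Added example, not Agentic NDR code: models the 5-Tuple, 2-Tuple and 1-Tuple
# retention methods over constructed packets so the difference in what each
# method keeps around an attack event is visible. Field names, the time window
# and the treatment of reply packets are assumptions, not product behaviour.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    dst: str
    sport: int
    dport: int
    proto: str    # transport protocol name, e.g. "TCP"
    length: int   # bytes on the wire


@dataclass(frozen=True)
class AttackEvent:
    ts: datetime
    suspect_ip: str   # attacker side of the detected flow
    victim_ip: str    # asset side of the detected flow
    sport: int
    dport: int
    proto: str


def matches(pkt: Packet, event: AttackEvent, method: str) -> bool:
    """Does pkt belong to the traffic the given retention method keeps?"""
    if method == "5-Tuple":
        # The exact attack flow; the reply direction is treated as part of the
        # same flow (assumption).
        forward = (pkt.src, pkt.dst, pkt.sport, pkt.dport) == (
            event.suspect_ip, event.victim_ip, event.sport, event.dport)
        reverse = (pkt.src, pkt.dst, pkt.sport, pkt.dport) == (
            event.victim_ip, event.suspect_ip, event.dport, event.sport)
        return pkt.proto == event.proto and (forward or reverse)
    if method == "2-Tuple":
        # Anything between the two hosts, regardless of ports or protocol.
        return {pkt.src, pkt.dst} == {event.suspect_ip, event.victim_ip}
    if method == "1-Tuple":
        # Anything the suspect IP sent, to any destination (replies are not
        # "from the suspect IP" and are therefore not kept).
        return pkt.src == event.suspect_ip
    raise ValueError(f"unknown retention method: {method}")


def retain(packets, event, method, window=timedelta(seconds=30)):
    """Return the packets within +/-window of the event that the method keeps."""
    lo, hi = event.ts - window, event.ts + window
    return [p for p in packets if lo <= p.ts <= hi and matches(p, event, method)]


def retained_bytes(packets, event, method) -> int:
    return sum(p.length for p in retain(packets, event, method))


# Constructed sample: one attack flow plus neighbouring traffic.
T0 = datetime(2026, 3, 31, 12, 0, 0)
EVENT = AttackEvent(T0, "203.0.113.5", "198.51.100.10", 51000, 80, "TCP")
SAMPLE_PACKETS = [
    Packet(T0, "203.0.113.5", "198.51.100.10", 51000, 80, "TCP", 512),                         # the attack request
    Packet(T0 + timedelta(seconds=1), "198.51.100.10", "203.0.113.5", 80, 51000, "TCP", 1400),  # its reply
    Packet(T0 + timedelta(seconds=2), "203.0.113.5", "198.51.100.10", 51001, 22, "TCP", 60),    # same hosts, other port
    Packet(T0 + timedelta(seconds=3), "203.0.113.5", "198.51.100.20", 51002, 80, "TCP", 60),    # same suspect, other target
    Packet(T0 + timedelta(seconds=4), "192.0.2.7", "198.51.100.10", 40000, 80, "TCP", 60),      # unrelated client
    Packet(T0 + timedelta(minutes=10), "203.0.113.5", "198.51.100.10", 51000, 80, "TCP", 512),  # same flow, outside window
]

if __name__ == "__main__":
    for method in ("5-Tuple", "2-Tuple", "1-Tuple"):
        kept = retain(SAMPLE_PACKETS, EVENT, method)
        print(f"{method}: {len(kept)} packets, "
              f"{retained_bytes(SAMPLE_PACKETS, EVENT, method)} bytes")
```

Running it shows the trade-off the table describes: 5-Tuple keeps only the request and its reply, 2-Tuple adds the SSH packet between the same two hosts, and 1-Tuple drops the reply but picks up the suspect's packet to a second target. The packet ten minutes later is outside the window under every method, so broader methods cost more storage only within the capture window around the event.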

Analyze or download packets

  • Packet Analysis: Click Packet Analysis in the Actions column for a specific traffic stream, or click Packet Analysis to the right of the packet distribution chart to open the Online PCAP Parsing page. See Analyze packets online.

  • Generate PCAP: Click Generate PCAP in the Actions column (single stream), click Generate PCAP to the right of the chart (all packets), or select multiple entries and click Batch Generate PCAP at the bottom-left of the table. See Download PCAP files.

Retain traffic with custom filter rules

Full traffic traceback lets you define packet retention filter rules for specific assets. Two retention modes are available:

  • Automatic retention: Retains full packets based on threat alerts generated by Agentic NDR.

  • Manual retention: Retains full packets that match custom filter rules you define.

Query retained packets

  1. In the left-side navigation pane, choose Investigate.

  2. Go to the Packet Retention > Packet Query tab to view IP TOP10, IP Protocol, and Port rankings for retained packets.

  3. Use Packet Analysis or Generate PCAP from the Actions column or the packet distribution chart, the same as in Attack Forensics.

Create a retention filter rule

  1. In the left-side navigation pane, choose Investigate.

  2. Go to the Packet Retention > Packet Capture Policy tab and click Create Rule.

  3. In the Packet Retention Filter Rule panel, configure the parameters described in the following table.

Parameter | Description
Filter Logic | Allowlist: retain traffic that matches this rule. Denylist: discard traffic that matches this rule; all other traffic is retained.
5-Tuple | Source and destination IP addresses. 0.0.0.0/0 means no limit. Click the direction icon to switch between One-way and Bidirectional.
Destination port | A single port (for example, 80) or a port range (for example, 100-200). Use the drop-down list on the left to set the match condition.
Layer 4 protocol | The transport-layer protocol to match. Default: all protocols. Use the drop-down list on the left to restrict matching to specific protocols.
Max retention bytes | Maximum bytes to retain per stream. Default: Unlimited. Select Custom to specify a value between 1 KB and 500 MB (default: 1 MB).
Retention period | How long to retain matching packets. Default: Unlimited. Options: Fixed Duration, Single Time Range, or Recurring cycle.

  4. Click OK. The rule takes effect immediately.

On the Packet Capture Policy tab, you can Query, Copy, Stop, or Delete existing rules. Click Query to go to the Packet Retention > Packet Query page and view packets matched by that rule.
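To make the rule parameters concrete, the script below is an added example (not Agentic NDR code) that evaluates a retention filter rule with Filter Logic, a 5-Tuple with direction, a destination port, a Layer 4 protocol restriction, and a Max retention bytes cap against constructed packets. How the product applies the byte cap (here: one budget per bidirectional stream) and the exact semantics of One-way matching are assumptions made for the example.

```python
# Added example, not Agentic NDR code: evaluates a packet retention filter rule
# (Filter Logic, 5-Tuple with direction, destination port, Layer 4 protocol and
# Max retention bytes) over constructed packets. Semantics beyond what the
# parameter table states, such as applying the byte cap per bidirectional
# stream, are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str    # "TCP" or "UDP"
    length: int   # bytes


@dataclass(frozen=True)
class FilterRule:
    logic: str                                 # "allowlist" or "denylist"
    src_cidr: str = "0.0.0.0/0"                # 0.0.0.0/0 means no limit
    dst_cidr: str = "0.0.0.0/0"
    bidirectional: bool = True                 # False = One-way (src -> dst only)
    dst_port: Optional[str] = None             # "80" or "100-200"; None = any port
    l4_protocols: Optional[frozenset] = None   # None = all protocols
    max_stream_bytes: Optional[int] = None     # None = Unlimited


def port_matches(spec: Optional[str], port: int) -> bool:
    """Match a single port ("80") or an inclusive range ("100-200")."""
    if spec is None:
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def tuple_matches(rule: FilterRule, pkt: Packet) -> bool:
    src_net = ipaddress.ip_network(rule.src_cidr, strict=False)
    dst_net = ipaddress.ip_network(rule.dst_cidr, strict=False)
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    forward = src in src_net and dst in dst_net and port_matches(rule.dst_port, pkt.dport)
    if forward or not rule.bidirectional:
        return forward
    # Reverse direction: the rule's destination side is now the packet's source.
    return dst in src_net and src in dst_net and port_matches(rule.dst_port, pkt.sport)


def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    if rule.l4_protocols is not None and pkt.proto not in rule.l4_protocols:
        return False
    return tuple_matches(rule, pkt)


def should_retain(rule: FilterRule, pkt: Packet) -> bool:
    """Allowlist keeps matches; denylist keeps everything except matches."""
    matched = rule_matches(rule, pkt)
    return matched if rule.logic == "allowlist" else not matched


def stream_key(pkt: Packet):
    # Direction-independent key so both halves of a connection share one budget.
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + tuple(sorted((a, b)))


def apply_rule(rule: FilterRule, packets):
    """Return the packets the rule retains, honouring the per-stream byte cap."""
    used = {}
    kept = []
    for pkt in packets:
        if not should_retain(rule, pkt):
            continue
        key = stream_key(pkt)
        if rule.max_stream_bytes is not None and used.get(key, 0) + pkt.length > rule.max_stream_bytes:
            continue   # budget for this stream is exhausted
        used[key] = used.get(key, 0) + pkt.length
        kept.append(pkt)
    return kept


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("172.16.0.5", "10.0.0.8", 40000, 80, "TCP", 600),      # web request into the watched subnet
    Packet("10.0.0.8", "172.16.0.5", 80, 40000, "TCP", 600),      # its reply
    Packet("172.16.0.5", "10.0.0.8", 40000, 80, "TCP", 600),      # pushes the stream past 1500 bytes
    Packet("172.16.0.5", "10.0.0.8", 40001, 53, "UDP", 100),      # DNS: wrong protocol and port
    Packet("172.16.0.5", "10.0.0.9", 40002, 443, "TCP", 100),     # TLS: wrong port
    Packet("172.16.0.5", "192.168.1.1", 40003, 80, "TCP", 100),   # wrong destination subnet
]

# Allowlist rule: TCP to port 80 anywhere in 10.0.0.0/24, at most 1500 bytes per stream.
WEB_RULE = FilterRule("allowlist", dst_cidr="10.0.0.0/24", dst_port="80",
                      l4_protocols=frozenset({"TCP"}), max_stream_bytes=1500)

if __name__ == "__main__":
    for p in apply_rule(WEB_RULE, SAMPLE_PACKETS):
        print(p)
```

With the bidirectional allowlist rule, the request and its reply are kept and the third packet of the same stream is dropped once the 1500-byte budget is spent; switching the same rule to One-way keeps only client-to-server packets, and switching it to a denylist inverts the selection so only the DNS, TLS, and out-of-subnet packets remain.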

Download PCAP files

PCAP generation tasks package retained packets into downloadable files for offline analysis.

  1. In the left-side navigation pane, choose Investigate.

  2. Go to the PCAP Tasks tab to view all generated PCAP tasks.

  3. In the Actions column, click Download to save the packet data to your local computer.

Analyze packets online

The Online PCAP Parsing page provides browser-based packet inspection with protocol parsing and stream tracing.

Read the packet list

The upper section shows a table of packets in the selected time range. Each row represents one frame and includes the frame number (#), capture Time, Source Address, Destination Address, Protocol, Length, and a summary of key protocol fields in the Information column.

Packets are color-coded by traffic type. Rules are applied in descending priority order — if a packet matches multiple rules, only the highest-priority color applies.

Color style | Traffic type | Typical scenario
Red text on a black background | TCP checksum error or bad packet | Network packet loss or link anomalies
Black text on a yellow background | ARP packet | Address resolution or LAN scan
Black text on a pink background | ICMP packet | Ping, Traceroute, or network unreachable
White text on a blue background | TCP RST (connection reset) | Abnormal disconnection or firewall interception
Black text on a green background | HTTP traffic | Web request or response
Black text on a gray background | TCP SYN or FIN | Normal three-way handshake or four-way handshake
Black text on a purple background | Normal TCP traffic | Application-layer data transmission (non-HTTP)
Black text on a light blue background | UDP traffic | DNS, NTP, video stream, and more

To filter the packet list, enter a display filter expression in the search box. Standard Wireshark display filter syntax is supported, for example:

  • http — show only HTTP packets

  • dns — show only DNS packets

  • tcp — show only TCP packets

  • http && ip.dst == 1.2.3.4 — show HTTP packets destined for a specific IP address

  • ip.src == 10.0.0.1 && ip.dst == 10.0.0.2 — show all traffic between two hosts
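The following is an added example, not part of the original page or the product: a small evaluator for the subset of Wireshark display filter syntax shown above (protocol names, `field == value` or `field eq value`, `&&`, `||`, `!`, and parentheses), run over a constructed packet list. It exists to make the matching rules precise: a protocol name matches when that layer is present, a comparison against a multi-valued field such as `tcp.port` matches if either value equals the operand, and a comparison against a field the packet does not carry is false. The packet representation is an assumption for the example, not the parser's internal format.

```python
# Added example, not Agentic NDR or Wireshark code: evaluates a subset of the
# Wireshark display filter syntax (protocol names, "==" / "eq" comparisons,
# "&&", "||", "!" and parentheses) over constructed packet records.
import re

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||==|!|[A-Za-z0-9_.:]+")


def tokenize(expr: str):
    return TOKEN_RE.findall(expr)


class Parser:
    """Recursive-descent parser: expr := term ('||' term)*, term := factor ('&&' factor)*."""

    def __init__(self, tokens):
        self.toks = tokens
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() in ("||", "or"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() in ("&&", "and"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok in ("!", "not"):
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in ("&&", "||", "and", "or", ")", "==", "eq"):
            raise ValueError(f"unexpected token {tok!r}")
        if self.peek() in ("==", "eq"):       # field comparison, e.g. ip.dst == 1.2.3.4
            self.take()
            value = self.take()
            if value is None:
                raise ValueError("missing value after comparison")
            return ("eq", tok, value)
        return ("proto", tok)                  # bare protocol name, e.g. http


def parse_filter(expr: str):
    return Parser(tokenize(expr)).parse()


def evaluate(node, pkt) -> bool:
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "proto":
        return node[1] in pkt["protocols"]
    # "eq": a field may carry several values (tcp.port has source and destination);
    # a field the packet lacks never matches.
    values = pkt["fields"].get(node[1], ())
    if isinstance(values, str):
        values = (values,)
    return node[2] in values


def apply_display_filter(expr: str, packets):
    """Return the frame numbers of the packets that satisfy the filter."""
    ast = parse_filter(expr)
    return [p["no"] for p in packets if evaluate(ast, p)]


# Constructed packet list: an ARP frame, a DNS query, and two TCP conversations.
SAMPLE_PACKETS = [
    {"no": 1, "protocols": {"eth", "arp"}, "fields": {}},
    {"no": 2, "protocols": {"eth", "ip", "udp", "dns"},
     "fields": {"ip.src": "10.0.0.1", "ip.dst": "10.0.0.53", "udp.port": ["40000", "53"]}},
    {"no": 3, "protocols": {"eth", "ip", "tcp"},
     "fields": {"ip.src": "10.0.0.1", "ip.dst": "1.2.3.4", "tcp.port": ["51000", "80"], "tcp.stream": "0"}},
    {"no": 4, "protocols": {"eth", "ip", "tcp", "http"},
     "fields": {"ip.src": "10.0.0.1", "ip.dst": "1.2.3.4", "tcp.port": ["51000", "80"], "tcp.stream": "0",
                "http.request.method": "GET"}},
    {"no": 5, "protocols": {"eth", "ip", "tcp", "http"},
     "fields": {"ip.src": "1.2.3.4", "ip.dst": "10.0.0.1", "tcp.port": ["80", "51000"], "tcp.stream": "0"}},
    {"no": 6, "protocols": {"eth", "ip", "tcp"},
     "fields": {"ip.src": "10.0.0.1", "ip.dst": "10.0.0.2", "tcp.port": ["51001", "22"], "tcp.stream": "1"}},
]

if __name__ == "__main__":
    for f in ("http", "http && ip.dst == 1.2.3.4", "tcp.stream eq 0", "tcp.port == 80 && !http"):
        print(f"{f!r}: frames {apply_display_filter(f, SAMPLE_PACKETS)}")
```

Note that `ip.src == 10.0.0.1 && ip.dst == 10.0.0.2` selects one direction only; to see both directions of a conversation, combine the two orderings with `||`, or use the stream filter that Trace Stream applies (`tcp.stream eq 0`), which covers both directions of a TCP session.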

Inspect packet details

Click any row in the packet list to open its details in the lower section.

  • Data Packet Details (Protocol parsing tree): Displays the protocol structure layer by layer from top to bottom — Frame → Ethernet → IP → TCP/UDP → application-layer protocol (such as HTTP or TLS). Each layer lists all fields and their values.

  • Linked highlighting: Clicking a field in the protocol parsing tree highlights the corresponding bytes in the Hexadecimal View, and vice versa. This helps you locate the exact position and encoding of any protocol field in the raw packet.

  • Trace Stream: For TCP, UDP, HTTP, or TLS sessions, click Trace Stream on the right side of the Data Packet Details area. A page opens showing the payload exchanged in the stream and automatically applies a stream filter to the packet list (for example, tcp.stream eq 0), letting you trace all packets in that session.