Packet capture for IPS logs with "Prevent" or "Detect" actions does not show the desired number of packets
Symptoms
  • Packet capture in an IPS log with a "Prevent" action shows only one packet.
  • If the action is "Detect", fewer packets are captured than the user requires.
Cause

This behavior is by design. Under the current architecture, Threat Prevention packet captures behave as follows:

  • If the connection was blocked (action Prevent), we save only the last packet.
  • If the connection continues (action Detect), we save 100kb by default (configurable).
