Search In Packet Logs
You can now search for arbitrary strings in the historical packet logs directly. The only requirement for this search is at least one IP address in addition to the search string.
For example, in the search below we are looking for the IP address 220.127.116.11 in any packet either sent or received by the host 18.104.22.168. The search is also restricted to an hour's worth of packets on 5/7/2018.
So why would you look for an IP address string in the packets? Well, this is normally done when there is more than one proxy and the system is not able to properly identify the proxy chain. In that case the offending IP will be recorded in the X-Forwarded-For field of the HTTP headers. Once you find the headers, you can find the real flows and then search again, specifying the source and destination ports, to get the data exchanged.
But this search feature is much more powerful than that; in fact, you can also look retroactively in your packet history using full Perl regular expressions!
If you have read this far and you are an expert user, you will be wondering about the example above. The search string above would actually match more than 22.214.171.124, because in a regular expression an unescaped dot matches any character (for example, 139a182b44c203 would also match). To be more precise you would need to enter:
But suppose you wanted to match a specific set of IP addresses:
126.96.36.199 188.8.131.52 184.108.40.206
Using a regular expression you could search for:
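As an added illustration that is not part of the original post or the product, the snippet below runs the two kinds of pattern discussed above (an IP typed literally, and an escaped alternation for a specific set of addresses) over a few constructed HTTP header payloads. It uses Python's `re` module, which accepts the same syntax as Perl for these patterns; the payload lines and the `X-Request-Id` value are made up for the demonstration.

```python
import re

# Constructed sample payloads (HTTP request headers) as they might appear in a
# historical packet log. The addresses are the ones used in the post; the last
# entry contains a value that looks like an IP only to an unescaped pattern.
SAMPLE_PAYLOADS = [
    "GET /login HTTP/1.1\r\nHost: 18.104.22.168\r\nX-Forwarded-For: 220.127.116.11\r\n",
    "GET /index HTTP/1.1\r\nHost: 18.104.22.168\r\nX-Forwarded-For: 188.8.131.52\r\n",
    "POST /api HTTP/1.1\r\nHost: 18.104.22.168\r\nX-Forwarded-For: 184.108.40.206\r\n",
    "GET /x HTTP/1.1\r\nHost: 18.104.22.168\r\nX-Request-Id: 220a127b116c11\r\n",
]


def ip_literal(ip: str) -> str:
    """Escape an IPv4 literal so every dot matches only a dot.

    The word boundaries keep 10.0.0.1 from matching inside 110.0.0.12.
    """
    return r"\b" + re.escape(ip) + r"\b"


def ip_set(ips) -> str:
    """Alternation that matches exactly one of a specific set of addresses."""
    return r"\b(?:" + "|".join(re.escape(ip) for ip in ips) + r")\b"


def search_payloads(pattern: str, payloads=SAMPLE_PAYLOADS):
    """Return the indexes of the payloads the pattern matches."""
    rx = re.compile(pattern)
    return [i for i, p in enumerate(payloads) if rx.search(p)]


def forwarded_for(payload: str):
    """Pull the client address out of an X-Forwarded-For header, if present."""
    rx = re.compile(r"(?im)^X-Forwarded-For:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")
    m = rx.search(payload)
    return m.group(1) if m else None


if __name__ == "__main__":
    # The unescaped form also hits the X-Request-Id payload; the escaped one does not.
    print(search_payloads("220.127.116.11"))              # [0, 3]
    print(search_payloads(ip_literal("220.127.116.11")))  # [0]
    print(search_payloads(ip_set(["126.96.36.199", "188.8.131.52", "184.108.40.206"])))  # [1, 2]
```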
Just imagine what you could search for when you are hunting down specific strings or patterns. This little new feature (also available through the CLI interface as the option -Q) should really expand the power of our historical packet logging system. It will let you easily dig into your network history for hidden clues about what happened in the past.