No PCAPs

[plaotec]

S.0 v2.3.220

I see files in nsm/pcap folder but no PCAPs are appearing in S.O GUI > PCAP or under Events/Alerts

Not seeing menu option to pivot to PCAP in Hunt or Alert or other menus....

so-steno service shows ok from so-status

Thanks
Pat

[plaotec]

Another question please , I am using ens192 interface IP to access the GUI interface

if i add ens192 as sensing interface also using so-monitor-add ens192 , the interface lost its IP Address and I can't get to the GUI anymore

[eb-op]

Hi plaotec,

For the PCAPs not showing up in the PCAP tab in SOC, you would not see anything in there initially. That is to give you a way of pulling PCAPs being recorded by stenographer. For the option to pivot to PCAP, are you looking under the Actions drop-down menu? I would highly recommend looking through the documentation for this, located here: https://docs.securityonion.net/en/2.3/pcap.html

The so-monitor-add script puts an interface into promiscuous mode and adds it to a bond0, the interface you add to the bond0 should not be your management interface. You can rerun setup and go through the network setup to fix this issue.

Hope this helps.

[plaotec]

Got it now .. able to see the PCAP now thanks!!!

[plaotec]

Sorry can Sensing Interface be configured with an IP address?