IBM Security QRadar Packet Capture (QPCAP) is a network traffic capture and search application. The QRadar Packet Capture appliance has only one capture port (DNA0). You can install either a 10G or 1G SFP transceiver.

With QRadar Packet Capture, you can capture network packets at rates up to 10 Gbps from a live network interface. This device can write captured packets to pcap files without any loss.

You can use QRadar Packet Capture to search captured network traffic by time and packet envelope data. If you have sufficient appliance resources and tailored searches, you can use search and recorder data simultaneously without data loss.

QRadar Packet Capture appliances that have a 10G transceiver supports clusters. This function expands the overall data storage and computational ability when compared to a single standalone server. QRadar Packet Capture appliances that have a 1G transceiver do not support clusters.

QPCAP is usually used with the conjunction of QRadar Incident Forensic (QRIF), because QRIF let you search inside the collected and stored data.

Incident Forensic
Example of Incident Forensic Deployment

Some features included with QRadar Packet Capture:

  • Standard PCAP file format:
    A file format used to store network traffic. The file format integrates
    with existing third-party analysis tools.
  • High-performance packet-to-disk recording
  • Capture network packets from a live network.
  • Multi-core support
    QRadar Packet Capture (QPCAP) is designed for use with multi-core architectures.
  • Direct-IO disk access
    QRadar Packet Capture uses direct IO access to disks to obtain greatest
    disk writes throughput.
  • Real-time indexing
    QRadar Packet Capture (QPCAP) can produce an index automatically during packet
    capture. Because of that the index can be queried with Berkeley Packet Filter (BPF) like syntax and/or HTTP domain or base URL strings to quickly retrieve interesting packets in a specified time interval.
  • Cluster-capable to increase capture data capacity (10G edition only).
    You can enable data nodes to create a cluster for added storage capacity.
  • Dump format
    The system saves capture files in the standard PCAP format with timestamps in microsecond resolution. QPCAP is storing captured files in sequential order based on the file size in directories. When the space in the directory becomes full, there are preconfigured recording parameters applied. The system is overwriting older capture files based on mentioned parameters.
  • Capture Speed
    For the PCAP appliances, the speed of capturing network traffic depends on whether you have data nodes attached to the master node or not. If you have the packet capture appliances that don’t have data nodes attached, the maximum capture speed is up to 7 Gbps. For the appliances that have data nodes attached to the master node, the capture speed increases up to 10 Gbps.

QRadar Network Insight (QNI) can be considered as a replacement for QPCAP and QRIF although it has slightly different functionalities.