PCAP action does not exist in the actions menu

[foxman0719]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

64

Storage for /

1T

Storage for /nsm

8T

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I want to analyze packets in the PCAP option but they do not appear and I cannot send them from the actions menu because the option is not there.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

Looking at your first screenshot, it appears you are looking at the default Alerts view which is Grouped by Name, Module. If you select the Drilldown option on the context menu, then it should show you the individual alerts themselves. If you then click on an individual alert, you should see the PCAP option on the context menu.

From https://docs.securityonion.net/en/2.4/alerts.html#actions:

Clicking the PCAP option will pivot to the PCAP interface to retrieve full packet capture for the selected stream. This option will only appear if you click on a log that contains source IP, source port, destination IP, destination port, etc.

[foxman0719]

is ok, thanks for your help