Downloading Packets From a Capture Job
After packets have been captured, you can save them to a trace file to examine them. Note that for Host Groups, IP addresses, and VIFGs associated with an alert, right-clicking in the Alert Event Details Insight gives you the option of accessing captured packets, using the Download Packets command (for IP addresses and VIFGs) and Packet Download Preview command (for Host Groups).
Observe these important considerations when downloading packets:
• If volume initialization is in process, you may observe a drop in packet download speeds of up to 50%. This can occur when a RAID 5/6 initialization has been initiated on the system and a packet download is executed before the initialization is complete.
To save captured packets as a trace file:
In order to be able to download a packet trace, you need at least Read-Only access to Network packets.
1. Go to the Administration > General Traffic Settings: Capture Jobs/Interfaces page, and click the Capture Jobs tab.
2. Click Download Packets to open the Download Packets dialog. The Packet Download Statistics section of the dialog is not populated until the approximate size of the capture job download has been estimated. This estimate will give you some idea of how long the download process could take.
3. Specify an export time interval. You can change this time range at any time without needing to click Restart Download; the packet download estimate will update automatically. The updated time range will be taken into consideration when you execute the download.
4. Select the file format and time stamp resolution desired.
5. Select the number of bytes in each packet to be exported.
6. Specify a BPF definition if you want to download only a specific subset of the data in the capture job. The BPF is not validated automatically, and it is not taken into account in the estimated size of the download. Any issues caused by an invalid BPF are reported only after the download has run to completion.
7. Click Download Packets to send the packets to a trace file on your local system. The export object is available for a limited amount of time only (three minutes), so the download should be executed promptly after the export process is complete. If the packets are not downloaded promptly and the export object times out, it will be necessary to re-execute the export process.
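Once the trace file is on your local system, it is worth confirming that the export honored the time stamp resolution and per-packet byte count chosen in steps 4 and 5. The script below is an added example, not part of this documentation or the product: it parses a classic pcap file offline (pcapng is reported, not parsed), reports the resolution and snapshot length recorded in the header, and counts packets that the snapshot length clipped; the sample file it builds is constructed inline for illustration.

```python
import struct

# Classic pcap magic numbers as read little-endian from the first 4 bytes:
# (struct byte-order prefix for the rest of the file, sub-second unit).
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", "microsecond"), 0xD4C3B2A1: (">", "microsecond"),
    0xA1B23C4D: ("<", "nanosecond"),  0x4D3CB2A1: (">", "nanosecond"),
}
FRACTION_DIVISOR = {"microsecond": 1e6, "nanosecond": 1e9}

def inspect_pcap(data: bytes) -> dict:
    """Parse a classic pcap file and report the export settings it reflects."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not classic pcap (magic 0x{magic:08x}); pcapng?")
    endian, resolution = PCAP_MAGICS[magic]
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets = truncated = 0
    first = last = None
    offset = 24
    while offset + 16 <= len(data):
        sec, frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError(f"packet {packets + 1} is cut off: file is truncated")
        ts = sec + frac / FRACTION_DIVISOR[resolution]
        first = ts if first is None else first
        last = ts
        packets += 1
        if incl_len < orig_len:  # snapshot length (bytes per packet) clipped this packet
            truncated += 1
        offset += incl_len
    if offset != len(data):
        raise ValueError("trailing bytes after the last packet record")
    return {"version": f"{major}.{minor}", "resolution": resolution, "snaplen": snaplen,
            "linktype": linktype, "packets": packets, "truncated": truncated,
            "span_seconds": (last - first) if packets else 0.0}

def build_sample_pcap() -> bytes:
    """Constructed sample: nanosecond pcap, snaplen 128, Ethernet, two packets."""
    header = struct.pack("<IHHiIII", 0xA1B23C4D, 2, 4, 0, 0, 128, 1)
    rec1 = struct.pack("<IIII", 1_700_000_000, 500, 60, 60) + b"\x00" * 60
    rec2 = struct.pack("<IIII", 1_700_000_002, 0, 128, 1514) + b"\x00" * 128  # clipped
    return header + rec1 + rec2

if __name__ == "__main__":
    print(inspect_pcap(build_sample_pcap()))
```

A high `truncated` count against a snapshot length smaller than the packets' original size means the byte count chosen in step 5 discarded payload you may need for analysis.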