Full packet recording, replay, and forensic analysis
When you need to see exactly what happened on the wire, Tophan’s packet capture records full packet data from any virtual port, stores it, and lets you replay and analyze it from Dragon’s Eye. There is no need to SSH into hosts and run tcpdump: capture, filter, and export all happen from the dashboard.
Packet capture taps into OVS mirror ports to record traffic without affecting the data path. You can capture from a single VM port, an entire port group, or a VLAN. Captures can be triggered manually, scheduled, or started automatically when an IDS alert fires.
Recorded captures are stored with full metadata — timestamp, source port, trigger reason, duration, and size. The built-in protocol analyzer decodes common protocols (HTTP, DNS, TLS handshakes, database wire protocols) and presents conversations in a readable timeline.
For forensic investigation, captures can be filtered by time range, IP address, port, protocol, or payload content. When an external tool is needed, export the filtered result in standard pcap or pcapng format; the filter applies to the export as well, so you hand over only the packets relevant to the case.
Rolling capture mode keeps a configurable buffer of recent traffic per port group, bounded by retention time and storage, so when an incident occurs the packets from before the alert fired are already recorded rather than lost.
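As an added illustration of the mechanics the two paragraphs above describe, the Python sketch below implements a time- and size-bounded rolling buffer, a filter over time range, IP, port and protocol, and export to classic pcap with a reader that verifies the round trip. It is example code written for this page, not Tophan’s capture engine or its storage format. The frames, addresses, ports and timestamps are constructed for the example, and IP/TCP/UDP checksums are left at zero because nothing here is sent on a wire.

```python
"""Rolling capture buffer, forensic filter, and classic pcap export (example code)."""
import socket
import struct
from collections import deque

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame for the example; checksums left zero."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    if proto == PROTO_TCP:      # sport, dport, seq, ack, data offset, flags, win, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:                       # sport, dport, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + payload


def parse_frame(frame):
    """Decode only the addressing a capture filter needs; None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


class RollingCapture:
    """Keeps at most retention_s seconds and max_bytes of frames, oldest dropped first."""

    def __init__(self, retention_s, max_bytes):
        self.retention_s, self.max_bytes = retention_s, max_bytes
        self._buf, self._bytes = deque(), 0

    def record(self, ts, frame):
        self._buf.append((ts, frame))
        self._bytes += len(frame)
        while self._buf and (ts - self._buf[0][0] > self.retention_s
                             or self._bytes > self.max_bytes):
            self._bytes -= len(self._buf.popleft()[1])

    def snapshot(self):
        """The pre-alert window an alert-triggered capture would start from."""
        return list(self._buf)


def filter_records(records, start=None, end=None, ip=None, port=None, proto=None):
    """Select (ts, frame) records by time window, IP on either side, port on either side, proto."""
    out = []
    for ts, frame in records:
        hdr = parse_frame(frame)
        if hdr is None or (start is not None and ts < start) or (end is not None and ts > end):
            continue
        if ((ip and ip not in (hdr["src"], hdr["dst"]))
                or (port and port not in (hdr["sport"], hdr["dport"]))
                or (proto and hdr["proto"] != proto)):
            continue
        out.append((ts, frame))
    return out


def write_pcap(records, snaplen=65535):
    """Serialize records as a classic little-endian pcap; orig_len records truncation."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        data = frame[:snaplen]
        out.append(struct.pack("<IIII", sec, usec, len(data), len(frame)) + data)
    return b"".join(out)


def read_pcap(data):
    """Parse a classic pcap of either byte order; returns (linktype, [(ts, frame), ...])."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        records.append((sec + usec / 1_000_000, data[off:off + incl]))
        off += incl
    return linktype, records


def demo():
    """Constructed scenario: 11 s of mixed traffic, alert at t=110, 5 s rolling window."""
    buf = RollingCapture(retention_s=5, max_bytes=1 << 20)
    for i in range(11):
        ts = 100.0 + i
        if i % 2 == 0:
            buf.record(ts, build_frame("10.0.0.5", "10.0.0.9", PROTO_TCP, 40000 + i, 443))
        else:
            buf.record(ts, build_frame("10.0.0.7", "10.0.0.53", PROTO_UDP, 50000 + i, 53, b"\0" * 12))
    window = buf.snapshot()                                   # ts 105..110 survive
    suspect = filter_records(window, ip="10.0.0.9", port=443, proto=PROTO_TCP)
    linktype, back = read_pcap(write_pcap(suspect))
    return len(window), len(suspect), linktype, len(back)


if __name__ == "__main__":
    print(demo())
```

Two details worth noting when building anything like this for real evidence: the buffer is bounded by both age and bytes, so a burst can evict history faster than the retention setting suggests (check the oldest timestamp in the snapshot, not just the configured window), and a pcap record carries both the captured and the original length, so a consumer can tell that a packet was truncated by the snaplen rather than silently short on the wire.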
| Feature | Description |
|---|---|
| On-Demand Capture | Start/stop capture on any port or port group from the dashboard |
| Rolling Buffer | Continuous background capture with configurable retention |
| Alert-Triggered | Automatic capture start when IDS/IPS alerts fire |
| Protocol Analysis | Built-in decoder for HTTP, DNS, TLS, SMB, and more |
| Conversation View | Reconstructed application-layer conversations in timeline |
| Payload Search | Full-text search across captured packet payloads |
| PCAP Export | Standard pcap/pcapng export for external analysis |
| Storage Management | Automatic rotation and compression of aged captures |