We have added support for logging the first 512,1024,2048,4096 bytes of each session rather than the full session. You can select how much of a session length to log in the sensor configuration page under the Store packets on Sensor option.
Unless you have a requirement to log all packets, we recommend changing the default all to 1024 or 2048. This does the following:
- Makes much more efficient use of the disk space (you can record important payloads for much larger time windows).
- When querying for packet data, you will see both sides of the session (client requests and server replies). This helps in getting better context when doing forensic analysis.
Also, we have added some color coding to better discern the two different sides of the conversation.
The only drawback of selecting a session size other than all is that the file carving function accessible through Look for Files in Flow(s) may not be able to reconstruct files unless one of the two IP addresses was tracked due to an incident report.
If you want to carve files for arbitrary flows (regardless of incident reports), you need to keep the session length set to all.
As always, let us know if you have any questions! Do not hesitate to call us or send us email.