FireSIGHT System User Guide
Chapter 18      Working with Intrusion Events
Tip
At any point in the process, you can save the constraints as a set of search criteria. For example, if you find that over the course of a few days your network is being probed by an attacker from a single IP address, you can save your constraints during your investigation and then use them again later. You cannot, however, save compound constraints as a set of search criteria. For more information, see
Tip
If no intrusion events appear on the event views, adjusting the selected time range might return results. If you selected an older time range, events in that time range might have been deleted. Adjusting the rule thresholding configuration might generate events.
Using the Packet View
License: Protection
A packet view provides information about the packet that triggered the rule that generated an intrusion event.
Tip
The packet view on a Defense Center does not contain packet information when the Transfer Packet option is disabled for the device detecting the event.
The packet view indicates why a specific packet was captured by providing information about the intrusion event that the packet triggered, including the event’s time stamp, message, classification, priority, and, if the event was generated by a standard text rule, the rule that generated the event. The packet view also provides general information about the packet, such as its size.
In addition, the packet view has a section that describes each layer in the packet: data link, network, and transport, as well as a section that describes the bytes that comprise the packet. You can expand collapsed sections to display detailed information.
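To show what the layer sections and the bytes section of the packet view are presenting, here is an added example, not code from the guide or from Cisco, that decodes a constructed Ethernet II / IPv4 / TCP frame into the same three layers plus an offset/hex/ASCII dump. Only IPv4 over Ethernet and the fixed TCP header are decoded; the frame bytes and the field names are this example's own choices.

```python
import struct
from typing import Any, Dict, List

# Constructed sample frame (not a capture): Ethernet II / IPv4 / TCP SYN to port 80.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                  # data link: dst MAC, src MAC, IPv4
    "4500002800010000400600000a0000010a000002"           # network: IPv4 10.0.0.1 -> 10.0.0.2, proto 6
    "c0000050" "00000001" "00000000" "5002" "2000" "0000" "0000"  # transport: TCP 49152 -> 80, SYN
)
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Offset, hex and printable-ASCII columns, as a bytes section lays them out."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {asc}")
    return lines

def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Decode the data link, network and transport layers and append the raw bytes."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    view: Dict[str, Any] = {"data_link": {"destination": _mac(dst), "source": _mac(src),
                                          "ethertype": f"0x{ethertype:04x}"}}
    if ethertype == 0x0800 and len(frame) >= 34:          # only IPv4 is decoded in this example
        ver_ihl, _tos, total, _id, _ff, ttl, proto, _csum, s, d = struct.unpack(
            "!BBHHHBBH4s4s", frame[14:34])
        ihl = (ver_ihl & 0x0F) * 4                          # IHL is in 32-bit words
        view["network"] = {"version": ver_ihl >> 4, "header_length": ihl, "total_length": total,
                           "ttl": ttl, "protocol": proto,
                           "source": ".".join(map(str, s)), "destination": ".".join(map(str, d))}
        tcp = frame[14 + ihl:]
        if proto == 6 and len(tcp) >= 20:                  # TCP fixed header is 20 bytes
            sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
            view["transport"] = {"protocol": "TCP", "source_port": sport, "destination_port": dport,
                                 "sequence": seq, "acknowledgment": ack, "window": win,
                                 "flags": [n for n, bit in TCP_FLAGS if off_flags & bit]}
    view["bytes"] = hexdump(frame)
    return view
```

Calling `decode_frame(SAMPLE_FRAME)` returns one entry per layer the packet view shows; a frame carrying a different EtherType keeps only the data link section and the byte dump.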
Note
Because each portscan event is triggered by multiple packets, portscan events use a special version of the packet view. See  for more information.
The following table describes the actions you can take on the packet view.