The Value of PCAP in Firewall Investigations

Sep, 03, 2025 Hi-network.com

The reality of PCAPs (packet captures) is that they are time-consuming to create. Several laborious steps are involved:

  • Finding a platform that's in-path and capable of hosting a PCAP application (if there even is one)
  • Executing the PCAP
  • Moving the file to a system on which to analyze it - and these files can be very large. This may involve the additional step of deploying SFTP- or SCP-capable applications on both sides of the transfer

The net result of all this overhead is that I typically don't use them unless there's no other choice. It was transformative in the Black Hat USA 2025 NOC to be able to take any observable that correlates to a system, right-click it in the Firepower Management Center (FMC), and use the 'Endace PCAP Pivot' option to jump straight to a richly featured packet analysis platform, which includes a Wireshark integration. The net result is that I used packet-level analysis 99% more often to tremendous effect in my SOC analyst investigations.

Fig. 1: Packet-level analysis

This workflow allowed me to instantly access the exact packet-level data related to the observable. Instead of relying solely on metadata or logs, I can view the definitive network traffic, including payloads, timestamps, and session details, which provides comprehensive context for my investigations. This direct pivot accelerates my workflow by eliminating manual correlation steps and reducing the time it takes to validate threats through more indirect means.
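The pivot described above, as an added illustration (not code from this post or from Cisco/Endace): a minimal pure-Python pcap reader, a constructed sample capture built inline, and a pivot that returns every packet in which an observable IPv4 address is an endpoint, with timestamp, 5-tuple, TCP flags and payload. The addresses and traffic are constructed (203.0.113.5 and 192.0.2.9 are documentation address space, not real indicators).

```python
import struct
from datetime import datetime, timezone
# Build one Ethernet/IPv4/TCP frame (constructed sample; MACs and checksums left zero).
def build_frame(src, dst, sport, dport, flags, payload=b""):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
# Build a little-endian pcap image: 24-byte global header, then 16-byte record headers.
def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in frames:
        sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out
# Parse pcap bytes into per-packet records (timestamp, 5-tuple, TCP flags, payload).
def parse_pcap(data):
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("not a microsecond pcap with Ethernet link type")
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # keep IPv4/TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        records.append({
            "ts": datetime.fromtimestamp(sec + usec / 1e6, timezone.utc).isoformat(),
            "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "flags": tcp[13], "payload": tcp[(tcp[12] >> 4) * 4:],
        })
    return records
# The pivot itself: every packet in which the observable (an IPv4 address) is an endpoint.
def pivot(data, observable):
    return [r for r in parse_pcap(data) if observable in (r["src"], r["dst"])]
# Constructed sample traffic: a TCP handshake plus HTTP request to 203.0.113.5 and one unrelated packet.
SAMPLE = build_pcap([
    (1700000000.000100, build_frame("10.0.0.7", "203.0.113.5", 51000, 80, 0x02)),        # SYN
    (1700000000.000350, build_frame("203.0.113.5", "10.0.0.7", 80, 51000, 0x12)),        # SYN/ACK
    (1700000000.000500, build_frame("10.0.0.7", "203.0.113.5", 51000, 80, 0x18, b"GET / HTTP/1.1\r\n")),
    (1700000000.200000, build_frame("10.0.0.7", "192.0.2.9", 51001, 443, 0x02)),         # unrelated
])
if __name__ == "__main__":
    for r in pivot(SAMPLE, "203.0.113.5"):
        print(r["ts"], f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}', hex(r["flags"]), r["payload"])
```

Running the module prints only the three packets that involve 203.0.113.5, in capture order, which is the same view a one-click pivot gives without the manual export-and-filter steps.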

Once I've pivoted to Endace Vision from the FMC, I gain the ability to perform back-in-time forensic analysis on the captured network traffic associated with the observable, moving in one click into a high-level traffic composition analysis. There's additional analysis available here, but this is the Endace Vision aspect that's relevant to this investigation.

Fig. 2: Endace Vision in the FMC

This means I can reconstruct the full sequence of events leading up to, during, and after the alert, uncovering hidden attack vectors that might not be evident from alert data alone. The integration also supports real-time and historical traffic analysis, allowing me to correlate live threat intelligence with past network activity. This holistic view enhances my threat hunting and incident response capabilities, enabling more accurate root cause analysis and ultimately faster containment of security incidents.

Pivoting from FMC to Endace Vision streamlines my SOC workflows by tightly coupling alerting and evidence collection within a single operational environment. A single click allowed me to pivot into a Wireshark packet level analysis for my investigation.

Fig. 3: Pivot into Wireshark

I could drill down from high-level alerts in the Firepower Management Center directly into Endace Vision's packet-level interface without switching tools. This seamless transition reduces operational friction, allowing me to respond to threats with a precise immediacy that isn't available without it. The integration also supports automated workflows and enriches alert data with definitive packet evidence, improving the overall efficacy of my security investigations by enabling detailed packet analysis in moments, not hours.

Fig. 4: Firewall Management Center

I look forward to using this capability in other Security Operation Centers. Check out my blog series on other SOC work.

About Black Hat

Black Hat is the cybersecurity industry's most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.
