A SOC analyst receives an IDS alert at 14:23. By 14:47 they have a packaged, chain-of-custody evidence bundle โ without moving a single packet off the capture server. This is how Sentinel, Lynx, and Quarry work together on a single node.
14:23:15 UTC โ IDS Alert
๐จ ET MALWARE Zeus Bot POST Request
sid:2014818 ยท 192.168.1.100 โ 185.234.72.19:80
Signature match on outbound POST to known C2 endpoint. Severity: HIGH.
Sentinel has been recording eth0, eth1 continuously for 14 days.
The packet that triggered this alert โ and everything before it โ is already on disk.
The analyst's job now: confirm the infection, understand the scope, isolate the evidence, and loop in a second analyst โ all without disrupting live capture or touching the raw files directly.
Eight steps. One server. No data movement.
Before anything else, confirm the capture daemon has been recording through the incident window. SSH to the capture server and check status.
$ sentinel status Sentinel Daemon Status โ 2026-02-27 14:23:44 State Running Uptime 14d 3h 22m Interfaces eth0, eth1 Captures 3 (1 recording, 2 complete) Clients 0 connected CPU 12% Memory 48 / 128 GB (37%) Disk 2.1 / 8.0 TB (26%)
14 days of continuous capture on both interfaces. The Zeus Bot traffic at 14:23:15 is on disk. Start Lynx.
Lynx is remote-first โ it runs on your laptop but all packet data stays on the server. Open a connection directly to the live capture session. No download. No copy. Just pixels.
$ lynx analyst@capture-server:capture_20241211_143022.pcapng
Lynx opens and immediately shows the live, growing capture. The status bar reads โ CAPTURING eth0, eth1 ยท Packets: 1,247,892 ยท 1,204 pps. The alert marker for the Zeus Bot signature is already visible inline โ injected by Sentinel at the moment the IDS rule fired.
The alert doesn't appear in a separate panel โ it's inline in the packet list, anchored to the exact packet that triggered it. The analyst sees the surrounding traffic immediately: what came before, what followed, which flows were active.
โ ALERT: Zeus Bot Checkin sid:2014818 ยท 192.168.1.100 โ 185.234.72.19:80 ET MALWARE Zeus Bot POST Request [ View Packets ] [ Add to Watchlist ] [ Dismiss ] โโ Flow start TCP 192.168.1.50:52847 โ 10.0.0.1:443 ยท TLS handshake expected โโ 4 14:23:15.234 172.16.0.10 185.234.72.19 HTTP 121 GET / HTTP/1.1 5 14:23:15.324 10.0.0.1 185.234.72.19 UDP 1488 Length: 56 ... โโ TLS handshake complete TLS 1.2 ยท ECDHE-RSA-AES256-GCM-SHA384 โโ
The flow markers โ Flow start, TLS handshake complete, Flow end โ give the analyst narrative structure without needing to manually reconstruct the TCP sequence. Click View Packets on the alert to jump directly to the suspicious POST.
Click on packet 14 (the POST to /gate.php). The Related panel on the right populates instantly โ no query, no filter needed.
Related Packets โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ Same Flow Packets 1-13, 18-20 (TCP flow) Same Source IP 192.168.1.100 Packets 14, 15 Same Destination 185.234.72.19 Packets 14, 15 Flow Info Duration 0.100s Packets 2 Bytes 699 State Suspicious
192.168.1.100 appears in only 2 packets to this destination โ this is a targeted POST, not a scan. The 0.1s duration and 699-byte payload suggests a credential or beacon payload, not bulk data transfer. Add a bookmark: Ctrl+B โ "Initial C2 beacon โ Zeus Bot".
The bottom panel shows the full protocol decode for the selected packet. No separate window, no export to Wireshark needed.
โผ Frame 14
Interface id: 0 (eth0)
Arrival Time: Dec 11, 2024 14:23:15.100000000
โผ Ethernet II
Destination: 00:1a:2b:3c:4d:5e
Source: 00:5e:4d:3c:2b:1a
โผ Internet Protocol Version 4
Source Address: 192.168.1.100
Destination Address: 185.234.72.19
TTL: 64
โผ Transmission Control Protocol
Source Port: 49152
Destination Port: 80
Flags: 0x018 (PSH, ACK)
โผ Hypertext Transfer Protocol
Request Method: POST
Request URI: /gate.php
Host: 185.234.72.19
POST /gate.php to a bare IP on port 80 with PSH+ACK. Classic Zeus Bot beacon structure. Switch to Expert Info tab โ Lynx flags this flow as Suspicious based on the combination of the IDS signature and the protocol anomalies.
The full capture is 2.1 TB. The analyst needs a focused, shareable slice covering 30 minutes around the incident โ without copying 2.1 TB anywhere. Quarry creates a virtual projection: a real file path that Wireshark, tcpdump, or any PCAP-aware tool can open, backed by the original volume with zero duplication.
$ quarry project \
--volume /captures/capture_20241211_143022.pcapng \
--from 14:00:00 \
--to 14:30:00 \
--filter "ip.addr == 192.168.1.100 or ip.addr == 185.234.72.19" \
--encrypt level 10 \
--output /silos/incident-INC-2024-1217/evidence.pcapng
Projection created:
Source 2.1 TB (capture_20241211_143022.pcapng)
Window 14:00:00 โ 14:30:00
Filter ip.addr == 192.168.1.100 or ip.addr == 185.234.72.19
Security Level 10
Virtual /silos/incident-INC-2024-1217/evidence.pcapng
Size 0 bytes (virtual โ no data copied)
Packets ~4,200 (estimated)
Any analyst, SIEM, or forensic tool can now open evidence.pcapng as if it were a normal file. No storage overhead. No waiting for a copy. The original capture continues recording uninterrupted.
The analyst shares the session URL with a senior analyst. Lynx supports real-time multi-user collaboration โ both analysts see the same packet list, the same bookmarks, and can add comments directly to packets.
$ lynx sarah@capture-server:capture_20241211_143022.pcapng -- Joining shared session (1 viewer already connected) --
The status bar now reads 2 viewers. Analyst 2 can see analyst 1's cursor position, all bookmarks, and the Comments tab shows a running thread:
Comments โ Packet 14
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
mark 14:31 "POST /gate.php to bare IP โ Zeus beacon.
Check INC-2024-1217. Evidence window created."
sarah 14:33 "Confirmed. Same signature on 192.168.1.105 โ
check packets 847-851. Second infected host."
Sarah has already found a second infected host in the same capture โ something that would have required a separate Wireshark session and a manual file transfer in a traditional workflow.
With the scope confirmed โ two infected hosts, one C2 endpoint, beacon payloads captured โ the analyst exports a complete evidence package. The virtual projection, bookmarks, comments, and audit log are bundled together.
$ lynx export \
--session INC-2024-1217 \
--include bookmarks comments audit-log \
--evidence /silos/incident-INC-2024-1217/evidence.pcapng \
--output /exports/INC-2024-1217-bundle.zip
Exporting:
evidence.pcapng (virtual, 4,218 packets)
bookmarks.json (3 bookmarks)
comments.json (6 analyst comments)
audit.log (full chain-of-custody log)
Bundle: /exports/INC-2024-1217-bundle.zip
Time: 14:47:03 UTC (24 min after initial alert)
The bundle is ready for IR escalation, legal hold, or compliance reporting. The original 2.1 TB capture continues recording. No packets were moved. No files were duplicated. Sentinel keeps running.
Running continuously for 14 days before the alert fired. The evidence existed the moment the IDS triggered โ no scramble to start a capture after the fact.
Remote-first connection meant no data left the server. Inline alert markers, flow boundaries, and the Related panel collapsed a multi-hour Wireshark investigation into minutes.
Virtual projection created a focused, shareable evidence file from 2.1 TB in seconds โ with zero storage overhead and zero disruption to live capture.
The second analyst joined live and found a second infected host in the same session. In a traditional workflow that discovery would have happened hours later โ or not at all.
Alert at 14:23. Evidence packaged at 14:47.
Two infected hosts identified. Zero packets moved. One server. Available today.
Persistent capture daemon. Always recording. Serves multiple analysts simultaneously.
Learn MoreWe'll walk through the full incident response sequence with your own traffic.