# Network Monitoring

Use Replica's Network Monitoring features to inspect traffic from a virtual environment.

Replica supports two monitoring modes:

* DNS and URL logging
* Packet capture

DNS and URL logging is enabled by default. If you enable packet capture, Replica writes traffic to a `.pcap` file inside the environment instead.

You can also reassign environments after monitoring is enabled.

## DNS and URL Logging

DNS and URL logging captures requested destinations by analyzing network packets.

For HTTP traffic, Replica reads the `Host` header. For HTTPS traffic, it extracts the domain during the TLS handshake.

To review these logs, open the running environment's actions menu and select **View Network Traffic**.

| Name                       | Description                                                   |
| -------------------------- | ------------------------------------------------------------- |
| @timestamp                 | Timestamp of the network event                                |
| host.id                    | Replica-generated unique virtual environment ID               |
| host.name                  | User-provided virtual environment name                        |
| host.hostname              | The hostname of the virtual environment                       |
| host.namespace             | The Kubernetes namespace of the virtual environment           |
| host.ip                    | The internal IP address of the virtual environment            |
| host.type                  | The virtual environment OS type (e.g., linux)                 |
| source.ip                  | The source IP address of the network traffic                  |
| source.port                | The source port number of the network traffic                 |
| destination.ip             | The IP address of the external system                         |
| destination.port           | The port number of the external system                        |
| destination.address        | Domain name of the external system specified in HTTP traffic  |
| network.transport          | The transport protocol (e.g., tcp, udp)                       |
| frame.protocols            | The protocol stack of the captured packet                     |
| frame.time\_epoch          | The epoch time of the captured frame                          |
| frame.length               | The length of the captured frame in bytes                     |
| dns.type                   | The type of DNS query (query or response)                     |
| dns.question.name          | The domain name queried                                       |
| dns.question.type          | The type of DNS question (e.g., A, AAAA, CNAME)               |
| dns.response.name          | The domain name in the DNS response                           |
| dns.resolved\_ip           | The resolved IP address from DNS response                     |
| dns.cname                  | The canonical name from DNS response                          |
| dns.nameserver             | The nameserver that handled the DNS query                     |
| http.request.method        | The HTTP request method (e.g., GET, POST)                     |
| http.request.uri           | The HTTP request URI path                                     |
| http.host                  | The HTTP host header value                                    |
| http.response.status\_code | The HTTP response status code                                 |
| http.user\_agent           | The HTTP User-Agent header value                              |
| tls.client.server\_name    | Domain name of the external system specified in HTTPS traffic |
| tls.handshake.type         | The type of TLS handshake message                             |
| event.kind                 | The kind of event (e.g., event, alert)                        |
| event.provider             | The provider of the event (e.g., tshark)                      |
| event.dataset              | The dataset identifier for the event                          |
| tags.creatorId             | The user ID who created the environment                       |
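
The following is an added example, not part of Replica's documentation or code: a Python review of exported DNS and URL log records that pairs each `http.host` or `tls.client.server_name` value with earlier DNS answers for the same environment and flags connections with no logged lookup or an IP literal as the host. The export format (one JSON object per line with flat dotted keys), a string-or-list `dns.resolved_ip`, and the sample records are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records, not real Replica output. Assumed export format:
# one JSON object per line, flat dotted keys named as in the field table.
SAMPLE = """\
{"host.id":"env-1","dns.type":"response","dns.question.name":"example.com","dns.resolved_ip":"192.0.2.10"}
{"host.id":"env-1","destination.ip":"192.0.2.10","destination.port":443,"tls.client.server_name":"example.com"}
{"host.id":"env-1","destination.ip":"192.0.2.10","destination.port":80,"http.host":"example.com","http.request.uri":"/"}
{"host.id":"env-1","destination.ip":"203.0.113.7","destination.port":443,"tls.client.server_name":"cdn.example.net"}
{"host.id":"env-2","destination.ip":"198.51.100.9","destination.port":80,"http.host":"198.51.100.9","http.request.uri":"/upload"}
"""

def review(lines):
    """Return (connections, findings) from records given in timestamp order."""
    resolved = defaultdict(set)  # (env id, ip) -> names DNS mapped to that ip
    connections, findings = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        env = rec.get("host.id")
        if rec.get("dns.type") == "response":
            ips = rec.get("dns.resolved_ip") or []
            for ip in [ips] if isinstance(ips, str) else ips:
                resolved[(env, ip)].add(rec.get("dns.question.name"))
            continue
        # Requested name: HTTP Host header, or the name from the TLS handshake.
        name = rec.get("http.host") or rec.get("tls.client.server_name")
        ip = rec.get("destination.ip")
        if not name or not ip:
            continue
        connections.append((env, name, ip, rec.get("destination.port")))
        if name == ip:
            # Request addressed to a bare IP, so no domain name was recorded.
            findings.append((env, name, ip, "host-is-ip-literal"))
        elif name not in resolved[(env, ip)]:
            # No earlier DNS response in this environment maps name to ip.
            findings.append((env, name, ip, "no-logged-dns-answer"))
    return connections, findings

if __name__ == "__main__":
    conns, finds = review(SAMPLE.splitlines())
    for finding in finds:
        print(finding)
```

Cached lookups and CNAME chains will produce benign `no-logged-dns-answer` hits, so treat each finding as a lead to check against the packet capture.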

## Packet Capture

Use packet capture for deeper traffic analysis in Wireshark.

### Enable Packet Capture

Enable **Packet Capture** in **Advanced Options** when you create the virtual environment.

### Access Packet Captures

If packet capture is enabled, Wireshark is installed automatically.

Open the `.pcap` file in the `pcap` folder on the virtual environment desktop.

### Packet Capture Content

Packet captures include IP addresses, ports, protocols, and bytes transferred.

Use [Discover](/admin-guide/logging.md#discover) to view, search, and export packet logs.

