Corelight Smart PCAP
Selective packet capture linked to Zeek logs for investigation workflows

Corelight Smart PCAP Description
Corelight Smart PCAP is a selective packet capture solution that links Zeek logs, detections, and extracted files to captured network packets. The product captures only relevant packets based on configurable rules rather than storing full packet captures, extending lookback windows by up to 10x compared to full PCAP storage.

The solution operates through Corelight Sensors deployed in the network environment. Analysts can configure capture rules at adjustable byte-depths based on triggers including alerts, protocol type, and encryption status. The system supports multiple storage options including Corelight hardware, customer-provided hardware, or cloud storage via Amazon S3.

Smart PCAP embeds PCAP URLs directly in connection logs, enabling analysts to retrieve packets with one-click access from their SIEM or Corelight Investigator. Retrieved packets open in Wireshark for analysis.

The product can be configured to capture packets for all connections not already captured via Corelight logs, and can capture the first 2,000 bytes of all unencrypted traffic. The selective capture approach reduces storage requirements while maintaining network visibility by providing evidence for every connection through Corelight logs, captured packets, or both. The sensor management console provides centralized control for creating and managing capture rules across the deployment.
Corelight Smart PCAP FAQ
Corelight Smart PCAP is a selective packet capture product, linked to Zeek logs for investigation workflows, developed by Corelight. It is a Network Security solution designed to help security teams with Packet Capture, Network Traffic Analysis, and Zeek.