How to use Traffic Forensics
Prerequisite(s):  
You must be connected to an Observer Apex or GigaFlow data source (see How to add a data source).
 
In Sites, Apps, Network, or UC dashboards, hover over the element you want to investigate, right-click, and select Traffic Forensics (see Figure 47).
 
You should now be on the Traffic Forensics dashboard (see Figure 28).
 
 
When you select an element from one of the dashboards mentioned above, a filter for that element is carried over to the Traffic Forensics dashboard. For example, suppose you select CIFS/SMB (Figure 47). Figure 48 shows the CIFS/SMB filter applied on the Forensics dashboard.
 
Figure 47: Traffic Forensics via a dashboard element
 
 
Figure 48: Filter from widget element
 
Filters can also be applied from the Forensics dashboard for a single element (Figure 49) or the entire list of elements (Figure 50).
Note: Each filter you select shows in the filter bar at the top of the screen like the example in Figure 48.
 
Figure 49: Single element filter
 
 
Figure 50: Dashboard filter
 
Once you have chosen your filters, you can begin narrowing in on the situation you want to investigate.
Right-click the Drilldown icon on the row you want to investigate further, and click Traffic Forensics (see Figure 47).
You can keep working your way down, filtering and drilling down, until you have completely isolated the element. You can then use the information from Traffic Forensics to decide whether you need to make any changes to your network to accommodate the situation or whether it should be left as is.