Now, one of the hottest products around in this arena is NetWitness.
"NetWitness Investigator is the award-winning interactive threat analysis application of the NetWitness NextGen product suite. Investigator provides security operations staff, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of raw network data."
NetWitness has a product called SIEMLink that can be used with your NetWitness setup to interface with MARS.
Simply install the SIEMLink product and browse the MARS interface. Anywhere you see IP address information, e.g. in an incident, you can highlight the IP, send it to the NetWitness product, and reconstruct the traffic.
I actually did a demonstration of this a few months ago in London, as part of an ASA Botnet Demo; you can see the process here.
I should also mention that you can do this with not only MARS. I have personally done this with Palo Alto, QRadar, and Lancope.
NetWitness also provides a free edition to the community; I would seriously recommend checking this out if it is of interest to you.
You can see some YouTube videos of NetWitness in action here, well worth 5 minutes of your time.
Further news on the upcoming NetWitness v9.5 has just been released, if you are interested.
One of the most compelling areas they have been working on is content extraction: the extraction and analysis of malware, and the collection of certain types of content such as executables, PDF files, etc.
And for enterprise customers, NetWitness Visualize is a great new feature of Informer 2.0.
A YouTube video of the new version is here, and a demonstration site of the cool new Visualize features can be accessed here.