000037970 - Information Needed for Packet Parsing Issues in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Nov 5, 2019
Version 1

Article Content

Article Number: 000037970

Applies To
RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness UI, Packet Decoder, RSA Live
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: 6, 7

Tasks
Please provide the following information when reporting packet parsing issues in RSA NetWitness Platform:
  1. The version of RSA NetWitness you are running:
  2. Verify that you are running the latest version of the parser(s) in question:
    1. Navigate to the "parsers" directory in an SSH session on each Packet Decoder in question and list the files with their modification dates:

      # cd /etc/netwitness/ng/parsers
      # ll

    2. Navigate to RSA Live to find the parser(s) in question, using Steps 1-2 in either of the links below:
      1. Deploy Log Parsers in Security Analytics 10.x
      2. Deploy Log Parsers in NetWitness 11.x
    3. In either case, once you have found a parser, double-click the parser search result. It displays a date and time in the "updated" field; this is when the latest version of the parser was released to RSA Live.
      • Check that the modification date of the parser file in /etc/netwitness/ng/parsers is equal to or later than the date on which the parser was last updated in RSA Live.
    4. If the modification date of a parser file is earlier than the date on which the parser was last updated in RSA Live, deploy the latest version of that parser before continuing: How to update a parser using RSA Live in RSA NetWitness
  3. A list of all parsers that are enabled on the Packet Decoder(s) in question:
    • Navigate to "Parsers Configuration" in the UI as shown above and make a list of every parser that has a "Config Value" of "Enabled".
  4. Screenshots from the "Event Reconstruction" view of the logs in question, displaying the issue.
  5. An export of the pcaps in question. For more information on how to export events, review the following: Investigate: Export Events in the Events View
    • The pcaps can be uploaded directly into the case or to the RSA SFTP site, or you can request a temporary FTP link from Support.
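The date comparison in step 2 is easy to get wrong by eye when a Decoder carries dozens of parser files. The script below is an added example (not part of this article and not an RSA tool) that does the same check from the shell: it lists the files in the parsers directory by modification date, then compares each named parser against the "updated" date you read off RSA Live. It assumes GNU coreutils (stat -c, date -d), as shipped on CentOS; the parser names and Live dates in the demo are constructed sample data, and the demo runs against a throwaway directory rather than /etc/netwitness/ng/parsers.

```shell
#!/bin/bash
# Added example, not from the RSA article: compare the modification date of each
# parser file on a Packet Decoder with the "updated" date shown in RSA Live.
# Assumes GNU coreutils (stat -c, date -d), as on CentOS 6/7.
# Parser names and dates below are constructed sample data.

# list_parsers <dir>: print "YYYY-MM-DD  name" for every file, oldest first
list_parsers() {
    local dir="$1" f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(date -d @"$(stat -c %Y "$f")" +%F)" "$(basename "$f")"
    done | sort
}

# check_parser <dir> <name> <live_updated YYYY-MM-DD>
# Exit status: 0 current, 1 outdated (file older than the Live date), 2 missing
check_parser() {
    local dir="$1" name="$2" live_date="$3"
    local file="$dir/$name" file_epoch live_epoch
    if [ ! -f "$file" ]; then
        echo "MISSING  $name (not present in $dir)"
        return 2
    fi
    file_epoch=$(stat -c %Y "$file")
    live_epoch=$(date -d "$live_date" +%s)
    if [ "$file_epoch" -lt "$live_epoch" ]; then
        echo "OUTDATED $name (file $(date -d @"$file_epoch" +%F) < Live $live_date): redeploy from RSA Live"
        return 1
    fi
    echo "CURRENT  $name (file $(date -d @"$file_epoch" +%F) >= Live $live_date)"
    return 0
}

# check_all <dir>: read "name live_date" lines on stdin, check each;
# exit status 1 if any parser is outdated or missing, else 0
check_all() {
    local dir="$1" name live_date bad=0
    while read -r name live_date; do
        [ -n "$name" ] || continue
        check_parser "$dir" "$name" "$live_date" || bad=1
    done
    return "$bad"
}

# Constructed demo: a temporary directory standing in for /etc/netwitness/ng/parsers
demo() {
    local dir
    dir=$(mktemp -d)
    touch -d 2019-10-01 "$dir/HTTP_lua.parser"   # older than its Live date -> OUTDATED
    touch -d 2019-11-10 "$dir/DNS_lua.parser"    # newer than its Live date -> CURRENT
    echo "== parser files in $dir, by modification date =="
    list_parsers "$dir"
    echo "== comparison against Live 'updated' dates (constructed) =="
    printf '%s\n' "HTTP_lua.parser 2019-11-05" "DNS_lua.parser 2019-11-05" "SMB_lua.parser 2019-11-05" \
        | check_all "$dir" || echo "At least one parser needs redeploying before the issue is reported."
    rm -rf "$dir"
}

[ "${NO_DEMO:-0}" = 1 ] || demo
```

Set NO_DEMO=1 and point check_all at /etc/netwitness/ng/parsers to run it on a real Decoder. One caveat: the check relies on file modification time, so a stale parser that was copied onto the Decoder without preserving timestamps (cp without -p) will look current; when in doubt, redeploy from RSA Live rather than trusting the date alone.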
Notes
If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.