000038378 - Possible missing packets at the beginning of a search in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Feb 11, 2020
Version 1

Article Content

Article Number: 000038378
Applies To: RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.x
Issue: Why are some packets captured within the searched time frame not shown, yet they appear when the search is started a few minutes earlier?

View of the original time frame, 10:00 to 10:10 AM; note that the 10:02 AM packets are not shown (screenshot not reproduced here).

View of the same 10:00 to 10:10 AM packets, including the 10:02 AM packets, when the search time frame is widened to 9:45 AM to 10:10 AM (screenshot not reproduced here).
Resolution: The reason for this is that RSA NetWitness Platform tracks time by session, not by packet. The data is collected and the packets are stored, but the search is evaluated against the start time of each session. Therefore, if packets belong to a session that started before the beginning of the searched time frame, those packets may not appear in Investigation even though their own timestamps fall inside the range.

The decoder uses the session key (made up of the ip.src, ip.dst, and port fields) to identify which packets belong to the same session. If an earlier packet carries the same address and port combination, the packet in question is part of that earlier session, and it is that session's start time that determines whether it falls inside the searched range.
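The following Python model, added here as an illustration and not part of the article or of NetWitness itself, reproduces the behaviour described above on constructed sample packets. It groups packets into sessions by a simplified key (ip.src, ip.dst, source port, destination port; the real decoder also handles direction and session timeouts, which are ignored here as an assumption), treats the first packet's time as the session start, and runs a time-range search against session start the way the article describes. The `hidden_packets` helper is an assumed name for the check an analyst would want: which packets have timestamps inside the window but are attached to a session that started before it.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def parse(ts):
    """Parse a timestamp string in the fixed sample format."""
    return datetime.strptime(ts, FMT)


# Constructed packet records (not real captures): timestamp, ip.src, ip.dst, src port, dst port.
# The 10:02 packet belongs to a session that started at 09:50, mirroring the article's screenshots.
PACKETS = [
    ("2020-02-11 09:50:00", "10.1.1.5", "10.2.2.8", 51000, 443),
    ("2020-02-11 10:02:00", "10.1.1.5", "10.2.2.8", 51000, 443),  # later packet of the 09:50 session
    ("2020-02-11 10:01:00", "10.1.1.6", "10.2.2.8", 51001, 443),
    ("2020-02-11 10:05:00", "10.1.1.6", "10.2.2.8", 51001, 443),
    ("2020-02-11 10:08:00", "10.1.1.7", "10.2.2.9", 51002, 80),
]


def session_key(pkt):
    """Simplified session key (assumption): one direction only, no timeout handling."""
    _, src, dst, sport, dport = pkt
    return (src, dst, sport, dport)


def build_sessions(packets):
    """Group packets by session key; a session's time is the time of its first packet."""
    sessions = {}
    for pkt in sorted(packets, key=lambda p: parse(p[0])):
        sess = sessions.setdefault(session_key(pkt), {"start": parse(pkt[0]), "packets": []})
        sess["packets"].append(pkt)
    return sessions


def search_by_session_start(sessions, start, end):
    """Time-range query evaluated on session start time, as the article describes.

    Returns the timestamps of every packet in each matching session, sorted.
    """
    hits = []
    for sess in sessions.values():
        if start <= sess["start"] <= end:
            hits.extend(p[0] for p in sess["packets"])
    return sorted(hits)


def hidden_packets(sessions, start, end):
    """Packets whose own timestamp lies in [start, end] but whose session began before start.

    Returns (packet timestamp, session start) pairs; these are the packets an analyst
    will only see after widening the search window backwards.
    """
    hidden = []
    for sess in sessions.values():
        if sess["start"] < start:
            for p in sess["packets"]:
                if start <= parse(p[0]) <= end:
                    hidden.append((p[0], sess["start"].strftime(FMT)))
    return sorted(hidden)


SESSIONS = build_sessions(PACKETS)

if __name__ == "__main__":
    narrow = (parse("2020-02-11 10:00:00"), parse("2020-02-11 10:10:00"))
    wide = (parse("2020-02-11 09:45:00"), parse("2020-02-11 10:10:00"))
    print("10:00-10:10 search:", search_by_session_start(SESSIONS, *narrow))
    print("09:45-10:10 search:", search_by_session_start(SESSIONS, *wide))
    print("in window but hidden:", hidden_packets(SESSIONS, *narrow))
```

Running the model shows the 10:02 packet missing from the 10:00 to 10:10 query and present once the window starts at 09:45, because its session key matches a packet first seen at 09:50. When a packet you expect is absent from Investigation, the practical check is to widen the start of the time range and confirm that the earlier packets share the same address and port combination.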