|Applies To||RSA Product Set: RSA NetWitness Platform|
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.x
|Issue||Why would you not see all packets that are captured within the time frame being searched but then see them after searching a few minutes earlier?|
View of the beginning time frame from 10:00 to 10:10 AM, notice 10:02 AM packets are not there:
View of additional packets from 10:00 AM to 10:10 AM in the time frame from 9:45 AM to 10:10 AM:
|Resolution||The reason for this is that RSA NetWitness Platform tracks the time by sessions and not packets. The data is collected and the packets are there but the search will be based on the beginning of the session time. Therefore, if packets were within a session that started before the beginning time frame searched, the packets may not show in the investigation.|
The decoder uses the session key(consists of the ip.src, ip.dst, and port fields) to identify which packets are part of the same session. If you see the same consecutive port in an earlier created packet, the packet is part of an earlier session.