Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000026663 - What is a 'session' in regards to RSA NetWitness?

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000026663
Applies To	RSA NetWitness NextGen RSA NetWitness NextGen 9.5 and above RSA NetWitness Decoder RSA NetWitness Hybrid RSA NetWitness Investigator
Issue	What is a 'session' in regards to RSA NetWitness?
Resolution	For UDP, packets from same source and destination IP/ UDP port pairs are assembled into a session until it hits some of the preconfigured limits such as timeouts, assembler.size.max, etc. For TCP, source and destination IP/TCP port pairs and TCP flags are used to to assemble a TCP session until it hits some of the preconfigured limits such as timeouts, assembler.size.max, etc. In decoder, there are several parameters in /decoder/config node that dictates sessions: assembler.size.max; assembler.timeout.session; assembler.timeout.packet; assembler.session.flush assembler.size.max: limit the size of the session assembled; assembler.timeout.session: specifies a time period to wait since last packet in the session before the session is considered ?completed?; it is used for all UDP and TCP traffic as well (decoder does not remove a TCP session when RST/FIN are encountered); if additional packets for the timed out session arrive later, a new session is created; assembler.timeout.packet: behaves the same as it always has, timing packets out of the packet pool and sending them to the database. This comes into play when line rates are sufficiently low that waiting for the packet pool to fill would introduce latency beyond the timeout duration. When the packet pool is full, the oldest packets are removed when new packets are received and assembler.timespan will be less then assembler.timeout.packet. Normal behavior is for a session to be parsed after a timeout is reached or it's forced out of the pool due to memory constraints. However, if the session is not finished, packets should continue to be chained to that session after parsing, assuming assembler.session.flush is set to 1 (not working prior to 9.6.5.8, NEX-1452). The session will not be reparsed, but viewing the session in wireshark or in Investigator's content view will show the full packet capture, up until the session size limit is reached or until no more packets are seen according to the session timeout settings in assember.timeout.session parameter. Setting session and packet timeouts to 0 will provide more accurate statistics, but the consequence is the session stays hidden in assembler longer, so this is not a good solution.
Notes	Refer to the knowledgebase articles Why are RSA NetWitness Investigator session size and packet count values inaccurate? and RSA NetWitness Investigator RDP session detailed view shows the session time as 60 seconds for issues relating to sessions in RSA NetWitness NextGen.
Legacy Article ID	a58897

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links

000013001 - RSA NetWitness Investigator RDP session detailed view shows the session time as 60 seconds
000026331 - Why are RSA NetWitness Investigator session size and packet count values inaccurate?