|Applies To||RSA NetWitness NextGen|
RSA NetWitness NextGen 9.5 and above
RSA NetWitness Decoder
RSA NetWitness Hybrid
RSA NetWitness Investigator
|Issue||What is a 'session' in regards to RSA NetWitness?|
For UDP, packets from the same source and destination IP/UDP port pair are assembled into a session until one of the preconfigured limits (such as the timeouts or assembler.size.max) is reached.
For TCP, the source and destination IP/TCP port pair together with the TCP flags are used to assemble a TCP session until one of the preconfigured limits (such as the timeouts or assembler.size.max) is reached.
In the Decoder, several parameters in the /decoder/config node govern sessions:
assembler.size.max; assembler.timeout.session; assembler.timeout.packet; assembler.session.flush
assembler.size.max: limits the size of the session being assembled;
assembler.timeout.session: specifies how long to wait after the last packet in a session before the session is considered "completed"; it applies to all UDP and TCP traffic (the Decoder does not close a TCP session when RST/FIN are encountered); if additional packets for the timed-out session arrive later, a new session is created;
Setting the session and packet timeouts to 0 will provide more accurate statistics, but the consequence is that sessions stay hidden in the assembler longer, so this is not a good solution.
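As an added illustration (not NetWitness code, and a simplified model rather than the Decoder's real assembler), the following Python groups a constructed packet list into sessions by the rules described above: one session per IP/port pair, cut when the size limit would be exceeded or the pair has been idle past the session timeout, with a TCP FIN not ending the session and a late packet starting a new one. The `Session`, `flow_key`, `assemble` and `summarize` names and the sample packets are assumptions; assembler.timeout.packet and assembler.session.flush are not modelled.

```python
from dataclasses import dataclass
@dataclass
class Session:
    key: tuple
    first_ts: float
    last_ts: float
    packets: int = 0
    size: int = 0

def flow_key(pkt):
    # Both directions of a flow share one key: protocol plus the ordered endpoint pair.
    _, proto, src, sport, dst, dport, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def assemble(packets, size_max=32 * 1024 * 1024, timeout_session=60.0):
    """Simplified model of the article's rules: one session per IP/port pair, cut when
    assembler.size.max would be exceeded or the pair has been idle longer than
    assembler.timeout.session. TCP FIN/RST do not end a session; a late packet starts a new one."""
    open_sessions, finished = {}, []
    for pkt in sorted(packets, key=lambda x: x[0]):
        ts, size = pkt[0], pkt[6]
        k = flow_key(pkt)
        s = open_sessions.get(k)
        if s is not None and (ts - s.last_ts > timeout_session or s.size + size > size_max):
            finished.append(open_sessions.pop(k))  # old session is now 'completed'
            s = None
        if s is None:
            s = open_sessions[k] = Session(k, ts, ts)
        s.last_ts, s.packets, s.size = ts, s.packets + 1, s.size + size
    finished.extend(open_sessions.values())  # flush whatever is still open
    return finished

def summarize(sessions):
    # (proto, first packet time, packet count, bytes), sorted so results compare stably
    return sorted((s.key[0], s.first_ts, s.packets, s.size) for s in sessions)

# Constructed capture as (timestamp_s, proto, src_ip, src_port, dst_ip, dst_port, bytes):
# a TCP connection whose FIN exchange (t=2.0, 2.5) is followed by a retry at t=120,
# long after the 60 s idle timeout, plus a DNS query/response over UDP.
SAMPLE = [
    (0.0,   "tcp", "10.0.0.5", 51000, "10.0.0.9", 443, 100),   # SYN
    (0.5,   "tcp", "10.0.0.9", 443, "10.0.0.5", 51000, 100),   # SYN/ACK
    (1.0,   "tcp", "10.0.0.5", 51000, "10.0.0.9", 443, 500),   # data
    (2.0,   "tcp", "10.0.0.5", 51000, "10.0.0.9", 443, 60),    # FIN
    (2.5,   "tcp", "10.0.0.9", 443, "10.0.0.5", 51000, 60),    # FIN: still the same session
    (120.0, "tcp", "10.0.0.5", 51000, "10.0.0.9", 443, 100),   # late SYN: new session
    (0.0,   "udp", "10.0.0.5", 53000, "10.0.0.2", 53, 80),     # DNS query
    (0.2,   "udp", "10.0.0.2", 53, "10.0.0.5", 53000, 300),    # DNS response
]
```

Running `summarize(assemble(SAMPLE))` yields three sessions with the defaults; lowering `size_max` or `timeout_session` splits the same capture into more sessions, which is the statistics effect the article is describing.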
|Notes||Refer to the knowledgebase articles "Why are RSA NetWitness Investigator session size and packet count values inaccurate?" and "RSA NetWitness Investigator RDP session detailed view shows the session time as 60 seconds" for issues relating to sessions in RSA NetWitness NextGen.|
|Legacy Article ID||a58897|