|Applies To||This article applies to all versions of the RSA NetWitness Platform.|
For UDP, packets with the same source and destination IP/UDP port pairs are assembled into a session until the session hits one of the pre-configured limits, such as the timeouts or assembler.size.max.
For TCP, the source and destination IP/TCP port pairs and the TCP flags are used to assemble a TCP session until the session hits one of the pre-configured limits, such as the timeouts or assembler.size.max.
On the Decoder, several parameters in the /decoder/config node govern how sessions are assembled:
assembler.size.max; assembler.timeout.session; assembler.timeout.packet; assembler.session.flush
assembler.size.max: limits the size of an assembled session.
assembler.timeout.session: specifies how long to wait after the last packet in a session before the session is considered "completed". It applies to all UDP and TCP traffic (the Decoder does not remove a TCP session when RST/FIN are encountered). If additional packets for a timed-out session arrive later, a new session is created.
Setting the session and packet timeouts to 0 provides more accurate statistics, but sessions then stay hidden in the assembler longer, so this is not a good solution.
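The Python sketch below is an added illustration, not RSA NetWitness code: a simplified model of the idle-timeout behavior described above, showing that a FIN does not end a session and that packets arriving after the timeout open a new one. It assumes both directions of a conversation share one session, and the packets and the 60-second timeout are constructed sample values.

```python
# Simplified model of idle-timeout session assembly; not NetWitness code.
from dataclasses import dataclass, field

@dataclass
class Session:
    key: tuple
    first_ts: float
    last_ts: float
    packets: int = 0
    size: int = 0
    flags_seen: set = field(default_factory=set)

def flow_key(proto, src, sport, dst, dport):
    # Assumption: both directions of a conversation map to the same session.
    a, b = sorted([(src, sport), (dst, dport)])
    return (proto, a, b)

def assemble(packets, session_timeout):
    """packets: time-ordered (ts, proto, src, sport, dst, dport, length, flags)."""
    open_sessions, completed = {}, []
    for ts, proto, src, sport, dst, dport, length, flags in packets:
        key = flow_key(proto, src, sport, dst, dport)
        s = open_sessions.get(key)
        # Idle longer than the timeout: the old session is complete and
        # this late packet starts a new session for the same tuple.
        if s is not None and ts - s.last_ts > session_timeout:
            completed.append(open_sessions.pop(key))
            s = None
        if s is None:
            s = open_sessions[key] = Session(key, ts, ts)
        s.last_ts, s.packets, s.size = ts, s.packets + 1, s.size + length
        # FIN/RST are recorded but never close the session.
        s.flags_seen.update(f for f in flags.split(",") if f)
    return sorted(completed + list(open_sessions.values()), key=lambda x: x.first_ts)

A, B = "10.0.0.5", "10.0.0.9"  # constructed sample traffic
SAMPLE = [
    (0.0, "tcp", A, 40000, B, 443, 60, "SYN"),
    (0.1, "tcp", B, 443, A, 40000, 60, "SYN,ACK"),
    (1.0, "tcp", A, 40000, B, 443, 500, "ACK"),
    (2.0, "tcp", A, 40000, B, 443, 60, "FIN,ACK"),
    (5.0, "udp", A, 5353, B, 53, 80, ""),
    (10.0, "tcp", A, 40000, B, 443, 60, "SYN"),    # tuple reused 8 s after FIN
    (200.0, "tcp", A, 40000, B, 443, 300, "ACK"),  # 190 s idle
    (201.0, "udp", A, 5353, B, 53, 80, ""),        # 196 s idle
]

if __name__ == "__main__":
    for s in assemble(SAMPLE, session_timeout=60):  # 60 s is a constructed value
        print(s.key[0], s.first_ts, s.last_ts, s.packets, s.size, sorted(s.flags_seen))
```

In this model the connection reopened 8 seconds after the FIN is merged into the first session, while the packets that arrive after the idle gap appear as separate sessions for the same address and port pairs.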
|Notes||Refer to the knowledge base articles Why are RSA NetWitness Investigator session size and packet count values inaccurate? and RSA NetWitness Investigator RDP session detailed view shows the session time as 60 seconds for issues relating to sessions in the RSA NetWitness Platform.|
|Legacy Article ID||a58897|