|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Security Analytics Investigation, Security Analytics Decoder
RSA Version/Condition: 10.x,11.x
O/S Version: EL6/EL7
|Issue||RSA NetWitness Investigation RDP session detailed view shows the session time as 60 seconds.|
When viewing an RDP session in RSA NetWitness Investigation, the session time duration for the RDP session is showing at around 60 seconds, even though the actual RDP session is much longer.
This is a tradeoff in design, not a bug.
In decoder, there is a /decoder/config/assembler.timeout.packet (also /decoder/config/assember.timeout.session) parameter which is set to 60 seconds by default. This is intended to time the packets out of the packet pool and force session assembly/parsing activity and write the session to the database; the lifetime meta will always reflect the session lifetime at the time of parsing (~60 secs default). This comes into play when line rates are sufficiently low that waiting for the packet pool to fill would introduce latency beyond the timeout duration. When the packet pool is full, the oldest packets are removed when new packets are received and assembler.timespan will be less then assembler.timeout.packet.
You can adjust pool sizes and timeouts larger, but the consequence is the session stays hidden in assembler longer, so this is not a good solution.
|Notes||See the knowledgebase articles What is a 'session' in regards to RSA NetWitness? and Why are RSA NetWitness Investigator session size and packet count values inaccurate? for additional details on assembler.timeout.session; assembler.timeout.packet and assembler.size.max parameters in a decoder /decoder/config node.|
|Legacy Article ID||a58898|