000026331 - Why are RSA NetWitness Investigator session size and packet count values inaccurate?

Document created by RSA Customer Support Employee on Jul 22, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000026331
Applies To: RSA NetWitness NextGen, RSA NetWitness Investigator, RSA NetWitness Broker, RSA NetWitness Concentrator, RSA NetWitness Hybrid, RSA NetWitness Decoder, RSA NetWitness Log Decoder
Issue: Why are RSA NetWitness Investigator session size and packet count values inaccurate?
Why are Investigator session size and packet count inaccurate, and sometimes grossly so?
Resolution

Short Answer:  Session size and packet count are estimates and cannot be treated as accurate.
Long Answer:  Session size and packet count for a session are written to the meta database at the same time all other meta is written, that is, at the time of session parsing. At that moment the numbers are accurate. However, a session can stay in the packet capture pipeline longer and have more packets added to it (via chains). When this happens, the size and packet count stored in the meta database are no longer accurate. This happens more often on high capture rate deployments. In short, all you can say is that the session size and packet count are at least as big as the value in the meta database; the true number could be much higher.
Indexing is accurate for session count in v9; however, that is not the case for session size and packet count.  Session size and packet count are only tracked at the summary level, not at the page level.  This means the index tracks an aggregate number for chunks of about 2000 to 3000 sessions and calculates an estimate whenever a query refers to sessions in only part of a particular chunk.
So the first problem is that the meta size written to disk can be on the low side, because of the packet capture pipeline issue. The second problem is that the index has to estimate the size because it only has an aggregate number for a range of sessions. Because of these two problems, the numbers seen in Investigator at best need to be treated as low estimates.
Investigator v9 introduced a change concerning this and displays the true session size in the session content view. When displaying a session in content view, the header shows the calculated true session size and packet count. When the calculated size does not match the meta database, the label changes to "Calculated Payload Size" or "Calculated Packet Size". If you hover the mouse over the numbers, a tooltip displays the numbers from the meta database, so you can see the difference.  If you don't see "Calculated" anywhere, the numbers in the meta database are accurate. The value is calculated because Investigator receives all packets at the time of the content call and can correctly compute the session size regardless of what the meta says.
Also, keep in mind that the Decoder has a Max Session Size setting. Once a session exceeds that size, it is truncated and a new session is created. However, there are packet capture settings that can cause different behavior in this scenario. Increasing Decoder pool sizes can help keep the numbers accurate, but there is no guarantee.
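As an added illustration (not part of this article and not NetWitness code), the following Python model shows why the meta-database values are only a floor, how a summary-level index can do no better than estimate a query that touches part of a chunk, and how the content view's "Calculated" relabelling exposes the gap. The chunk size of 3, the proportional share rule and the constructed packet sizes are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Session:
    sid: int
    packets: list            # constructed payload lengths in bytes
    meta_size: int = 0       # written to the meta database once, at parse time
    meta_packets: int = 0

    def parse(self):
        # Meta is written when the session is parsed and never updated afterwards.
        self.meta_size, self.meta_packets = sum(self.packets), len(self.packets)

    def calculated(self):
        # What the content view computes from the packets it actually receives.
        return sum(self.packets), len(self.packets)

def index_estimate(sessions, selected, chunk=3):
    # Summary-level index: one aggregate per chunk of sessions; a query touching part of a
    # chunk receives a proportional share of that aggregate (the share rule is an assumption).
    est = 0
    for start in range(0, len(sessions), chunk):
        block = sessions[start:start + chunk]
        hits = sum(1 for s in block if s.sid in selected)
        est += sum(s.meta_size for s in block) * hits // len(block)
    return est

def over_threshold(sessions, threshold):
    # Sessions a size filter matches on meta values versus on true packet totals.
    by_meta = [s.sid for s in sessions if s.meta_size > threshold]
    by_true = [s.sid for s in sessions if s.calculated()[0] > threshold]
    return by_meta, by_true

def demo():
    # Six constructed sessions of three packets each are parsed; two then stay in the
    # capture pipeline and get 5 x 1000-byte packets chained on after meta was written.
    sessions = [Session(i, [100 * (i + 1)] * 3) for i in range(6)]
    for s in sessions:
        s.parse()
    selected = (0, 4)
    for i in selected:
        sessions[i].packets += [1000] * 5  # true values grow, meta does not
    return {
        "meta_total": sum(sessions[i].meta_size for i in selected),        # 1800: the floor
        "true_total": sum(sessions[i].calculated()[0] for i in selected),  # 11800
        "index_estimate": index_estimate(sessions, selected),              # 2100
        "labels": ["Calculated" if s.calculated() != (s.meta_size, s.meta_packets) else "Meta" for s in sessions],
        "over_2000": over_threshold(sessions, 2000),                        # ([], [0, 4])
    }
```

A size filter evaluated against meta (the `over_2000` result) misses both sessions that actually grew past the threshold, which is why such filters should be read as lower bounds rather than exact matches.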


Refer to the knowledge base articles "What is a 'session' in regards to RSA NetWitness?" and "RSA NetWitness Investigator RDP session detailed view shows the session time as 60 seconds" for additional details.

Legacy Article ID: a58854
