000017620 - How to find the RSA NetWitness NextGen database files on decoders and concentrators that contain a particular session

Document created by RSA Customer Support Employee on Jan 11, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017620
Applies To:
  RSA NetWitness NextGen
  RSA NetWitness Decoder
  RSA NetWitness Log Decoder
  RSA NetWitness Concentrator
  RSA NetWitness Broker
  RSA NetWitness Administrator
  RSA Security Analytics
Issue: How to find the RSA NetWitness NextGen database files on decoders and concentrators that contain a particular session.
Resolution

The instructions below outline how to find the database files that contain a particular NetWitness session on concentrator and decoder appliances.  In the examples below, assume that RSA NetWitness Investigator is connected to a broker, which in turn connects to one or more concentrators and decoders, and that a session with SessionID = 2171347267 is seen in the session content view.


( NOTE:  If the session you wish to locate is found while performing investigations on the concentrator directly, Task 1 below may be skipped. )


 


Task 1:  Look up which concentrator stored the session and the concentrator's corresponding Session ID.


  1. Navigate to the Explore view of the broker against which the investigation took place in RSA NetWitness Administrator.  This can be done by right-clicking on the appliance and selecting Explorer.
  2. Right-click on the sdk node and select Properties.
  3. In the lower pane, select deviceID from the drop down menu.
  4. In the Parameters field, type session=<sessionID> where <sessionID> is the Session ID that you wish to locate.  In this example, session=2171347267 would be entered.
  5. Click on the Send button.
  6. Examine the Response Output window for output that appears similar to the following:
         [device: 10.25.53.21:50005
         session: 431421651 ]

The output from the steps above gives the IP address of the concentrator that stored the session (10.25.53.21 in this example) and the corresponding Session ID on that appliance.


 


Task 2:  Look up the session and meta database files for a particular session on the concentrator appliance.


  1. Navigate to the Explore view of the concentrator identified in the previous section.  This can be done by right-clicking on the appliance and selecting Explorer.
  2. Right-click on the database node and select Properties.
  3. In the lower pane, select dump from the drop down menu.
  4. In the Parameters field, type session=<sessionID> type=db where <sessionID> is the Session ID you wish to locate.  In this example, session=431421651 type=db would be entered.
  5. Click on the Send button.
  6. Examine the Response Output window for output that appears similar to the following:
         [ SessionData=1
         dbFile=/var/netwitness/concentrator/sessiondb/session-000000161.nwsdb ]
         [ session.id=431421651 appType=0 created="12/31/1969 19:00:00" dataSize=19142
         payloadSize=16610 metaId1=12483613159 metaId2=12483613256 packetId1=0 packetId2=0
         packetCount=38 flags=keep,assemble,appmeta,netmeta,parsed,2sided,side1client, ]
         [ MetaArray=98 dbFile=/var/netwitness/concentrator/metadb/meta-000000304.nwmdb ]
         .....

The output from the steps above provides the following information:


  • The filename of the sessiondb file on the concentrator.  In this example, the filename is /var/netwitness/concentrator/sessiondb/session-000000161.nwsdb.
  • The filename of the metadb file on the concentrator.  In this example, the filename is /var/netwitness/concentrator/metadb/meta-000000304.nwmdb.

 


Task 3:  Look up which decoder stored the session and the decoder's corresponding Session ID.


  1. Navigate to the Explore view of the concentrator against which the investigation took place in RSA NetWitness Administrator.  This can be done by right-clicking on the appliance and selecting Explorer.
  2. Right-click on the sdk node and select Properties.
  3. In the lower pane, select deviceID from the drop down menu.
  4. In the Parameters field, type session=<sessionID> where <sessionID> is the Session ID that you wish to locate.  In this example, session=431421651 would be entered, which is the same Session ID that was entered during Task 2.
  5. Click on the Send button.
  6. Examine the Response Output window for output that appears similar to the following:
         [device: 10.25.53.13:50004
         session: 107235453 ]

The output from the steps above gives the IP address of the decoder that stored the session (10.25.53.13 in this example) and the corresponding Session ID on that appliance.


 


Task 4:  Look up the session and meta database files for a particular session on the decoder appliance.


  1. Navigate to the Explore view of the decoder identified in the previous section.  This can be done by right-clicking on the appliance and selecting Explorer.
  2. Right-click on the database node and select Properties.
  3. In the lower pane, select dump from the drop down menu.
  4. In the Parameters field, type session=<sessionID> type=db where <sessionID> is the Session ID you wish to locate.  In this example, session=107235453 type=db would be entered.
  5. Click on the Send button.
  6. Examine the Response Output window for output that appears similar to the following:
         [ SessionData=1 dbFile=/var/netwitness/decoder/sessiondb/session-000000055.nwsdb ]
         [ session.id=107235453 appType=0 created="8/02/2012 16:10:40" updated="8/02/2012 16:10:41"
         packetSize=19142 payloadSize=16610 metaId1=2992639921 metaId2=2992640016 packetId1=14950963933
         packetId2=14950977483 packetCount=38 flags=keep,assemble,appmeta,netmeta,parsed,2sided,side1client, ]
         [ MetaArray=96 dbFile=/var/netwitness/decoder/metadb/meta-000000085.nwmdb ]
         .....
         [ PacketArray=38 dbFile=/var/netwitness/decoder0/packetdb/packet-000001963.nwpdb ]
         .....

The output from the steps above provides the following information:


  • The filename of the sessiondb file on the decoder.  In this example, the filename is /var/netwitness/decoder/sessiondb/session-000000055.nwsdb.
  • The filename of the metadb file on the decoder.  In this example, the filename is /var/netwitness/decoder/metadb/meta-000000085.nwmdb.
  • The filename of the packetdb file on the decoder.  In this example, the filename is /var/netwitness/decoder0/packetdb/packet-000001963.nwpdb.
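As an added example (not part of the RSA article), the following Python parser pulls the appliance address and Session ID out of the sdk/deviceID response from Tasks 1 and 3, and the sessiondb, metadb and packetdb file paths out of the database/dump response from Tasks 2 and 4.  It assumes the bracketed key=value layout exactly as shown in the Response Output samples above; the sample strings are constructed from those samples.

```python
import re

# Constructed sample: Response Output of the sdk/deviceID lookup (Task 1 layout).
DEVICE_ID_RESPONSE = """[device: 10.25.53.21:50005
session: 431421651 ]"""

# Constructed sample: Response Output of database/dump with type=db (Task 4 layout),
# with the "....." continuation markers from the article left out.
DUMP_RESPONSE = """[ SessionData=1 dbFile=/var/netwitness/decoder/sessiondb/session-000000055.nwsdb ]
[ session.id=107235453 appType=0 created="8/02/2012 16:10:40" updated="8/02/2012 16:10:41"
packetSize=19142 payloadSize=16610 metaId1=2992639921 metaId2=2992640016 packetId1=14950963933
packetId2=14950977483 packetCount=38 flags=keep,assemble,appmeta,netmeta,parsed,2sided,side1client, ]
[ MetaArray=96 dbFile=/var/netwitness/decoder/metadb/meta-000000085.nwmdb ]
[ PacketArray=38 dbFile=/var/netwitness/decoder0/packetdb/packet-000001963.nwpdb ]"""

# "[device: <ip>:<port> ... session: <id> ]" may be split across lines, hence re.S.
DEVICE_RE = re.compile(r"device:\s*(\S+?):(\d+)\s+session:\s*(\d+)", re.S)
# One bracketed record at a time; records can span several lines.
RECORD_RE = re.compile(r"\[(.*?)\]", re.S)
# key=value pairs; values are either double-quoted (timestamps) or a bare token.
KV_RE = re.compile(r'([\w.]+)=("[^"]*"|\S+)')


def parse_device_id(text):
    """Return (appliance_ip, port, session_id_on_that_appliance) from a deviceID response."""
    m = DEVICE_RE.search(text)
    if not m:
        raise ValueError("no device/session pair found in deviceID response")
    return m.group(1), int(m.group(2)), int(m.group(3))


def parse_dump(text):
    """Return the session id and the database files named in a dump type=db response.

    Files are sorted by extension: .nwsdb (sessiondb), .nwmdb (metadb), .nwpdb (packetdb).
    A concentrator dump has no packetdb records, so 'packetdb' is simply left empty.
    """
    result = {"session_id": None, "sessiondb": None, "metadb": [], "packetdb": []}
    for record in RECORD_RE.findall(text):
        fields = {k: v.strip('"') for k, v in KV_RE.findall(record)}
        if "session.id" in fields:
            result["session_id"] = int(fields["session.id"])
        path = fields.get("dbFile")
        if path is None:
            continue
        if path.endswith(".nwsdb"):
            result["sessiondb"] = path
        elif path.endswith(".nwmdb"):
            result["metadb"].append(path)
        elif path.endswith(".nwpdb"):
            result["packetdb"].append(path)
    return result
```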

 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Notes

The steps above may also be performed in the RSA Security Analytics UI by navigating to the Explore view for the appropriate appliances, following the steps below.


  1. In the Security Analytics UI, navigate to Administration -> Devices.
  2. Select the appropriate device and click on View -> Explore.
 

The table below displays the file extensions for each database file.


 Appliance               Database    Extension
 Decoder / Log Decoder   packetdb    .nwpdb
                         metadb      .nwmdb
                         sessiondb   .nwsdb
 Concentrator            metadb      .nwmdb
                         sessiondb   .nwsdb

 

NOTE:  For any given session, the decoder, concentrator, and broker maintain their own Session IDs, which may be different.

Legacy Article ID: a59812
