Decoder: Services Config View - General Tab

Document created by RSA Information Design and Development on Sep 13, 2017
Last modified by RSA Information Design and Development on Oct 11, 2017
Version 6
 

The General tab for a Decoder in the Services Config view provides a way to manage basic service configuration, configure data capture, and select the parsers that are applied to the captured data. To access the General tab, go to ADMIN > Services, select a Decoder or Log Decoder, and click the Actions drop-down > View > Config > General tab.

Workflow

The following figure depicts common Decoder configuration tasks with the steps you can complete in this view highlighted.

Decoder configuration workflow, with Configure Capture Settings and Enable and Disable Parsers highlighted

What do you want to do?

                                 
| User Role | I want to... | Documentation |
|---|---|---|
| Administrator | configure capture settings* | Configure Capture Settings |
| Administrator | manage parsers and log parsers* | Enable and Disable Parsers and Log Parsers |
| Administrator | start and stop data capture | Start and Stop Data Capture |
| Administrator | configure rules | Configure Decoder Rules |

*You can complete these tasks here.

Quick Look

The first figure is an example of the General tab for a Decoder. The second is the General tab for a Log Decoder.

This is the General tab for a Decoder.

Services Config View - Log Decoder

                     
1. System Configuration - Manages service configuration for a Decoder.
2. Decoder Configuration or Log Decoder Configuration - Lets you view and edit service configuration parameters for a Decoder or Log Decoder.
3. Parsers Configuration - Lets you select parsers to use on the Decoder.
4. Service Parsers Configuration (Log Decoders only) - Lets you select service parsers to use on the Log Decoder.

System Configuration Section

The System Configuration section manages service configuration for a Decoder. When a service is first added, default values are in effect and should be changed only in special circumstances, for example, if Customer Support advises a change.

This is the System Configuration section.

The System Configuration section has these parameters.

                                   
| Parameter | Description |
|---|---|
| Compression | The minimum number of bytes that must be transmitted per response before compression. A setting of 0 disables compression. The default value is 0. A change in value is effective immediately for all subsequent connections. |
| Port | Determines the port used by the service. Note: If you change the port number, ensure that you restart the service. |
| SSL FIPS mode | If enabled, all the data transferred in the network will be encrypted using SSL. |
| SSL Port | Indicates the port used for encrypting using SSL. |
| Stat Update Interval | The number of milliseconds between statistic updates on the system. Lower numbers cause more frequent updates and can slow down other processes. The default value is 1000. A change in value is effective immediately. |
| Threads | The number of threads in the thread pool to handle incoming requests. A setting of 0 lets the system decide. A change takes effect on service restart. |

Decoder Configuration Section

The Decoder Configuration section provides a way to view and edit service configuration parameters for a Decoder or Log Decoder. When a service is first added, default values are in effect. You can edit these values to manage traffic capture.

This is the upper part of the Decoder Configuration section.

Scrolling to the bottom of the section reveals these additional Decoder Configuration parameters.

This is the lower part of the Decoder Configuration section.

Adapter Section

Adapter parameters configure the network interface for capture as described in Configure Capture Settings.

Cache Section

Cache parameters configure the cache directory and size for session cache files. The following table describes the cache settings. When a service is first added, default values are in effect and should be changed only in special circumstances, for example, if Customer Support advises a change.

                   
| Cache Parameter | Description |
|---|---|
| Cache Directory | The directory where session cache files are stored. The default value is /var/netwitness/decoder/cache. Change takes effect immediately. |
| Cache Size | The maximum size, in Megabytes (MB), that all files in the cache directory can attain before the oldest files are deleted. Once the threshold is reached, the cache size is reduced by 10%. The default value is 4 GB. Change takes effect immediately. |

Capture Settings Section

The Capture Settings section provides a way to configure operational capture settings. When a service is first added, default values are in effect and should be changed only in special circumstances, for example, if Customer Support advises a change.

                                                       
| Capture Settings Parameter | Description |
|---|---|
| Assembler Maximum Size | Specifies the maximum size in bytes that a session's packet data size can attain. The default value is 32 MB. Change takes effect immediately. |
| Assembler Minimum Size | Specifies the minimum size in bytes that a session must have in order to generate metadata. A value of 0 means every session has metadata generated. The default value is 0. Change takes effect immediately. |
| Assembler Session Flush | Specifies whether a session is removed from the assembler when the session's last chain is removed from the assembler. The default value is 1. Values: 2 = If the first packet of a session times out of assembler, the session is removed from assembler after parsing is complete. Any subsequent packets for this session create a new session in assembler. 1 = If the last chain of a session times out of assembler, the session is removed from assembler. Any subsequent packets for this session create a new session in assembler. 0 = If the last chain of a session times out of assembler, the session is left in assembler until it times out. Any subsequent packets for this session are filtered. Change takes effect on service restart. |
| Assembler Session Pool | Specifies the number of entries in the session pool. The default value is 350000. Change takes effect on service restart. |
| Assembler Timeout Packets | Specifies the number of seconds before a packet or chain is timed out. The default value is 60. Change takes effect immediately. |
| Assembler Timeout Session | Specifies the number of seconds before a session is timed out. The default value is 60. Change takes effect immediately. |
| Capture Autostart | Specifies whether capture begins automatically each time Decoder is started. When checked, the value = yes. When unchecked, the value = no. The default value is no. Change takes effect immediately. |
| Capture Buffer Size | The capture memory buffer allocation in Megabytes. The default value is 64 MB. Change takes effect on service restart. |
| Parse Maximum Bytes | The maximum number of bytes to scan a stream for additional tokens. When the first token is found, the stream is scanned up to the set number of bytes, but no further. A setting of 0 removes the early termination and the full stream is scanned regardless of size. The default value is 128 KB. Change takes effect immediately. |
| Parse Minimum Bytes | The minimum number of bytes to scan a stream for the first token. If no token is found within the set number of bytes, scanning is terminated. A setting of 0 removes the early termination and the full stream is scanned regardless of size. The default value is 1 KB. Change takes effect immediately. |
| Parse Threads | The number of parse threads to use for session parsing. A value of 0 means let the server decide. The default value is 0. Change takes effect on service restart. |
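
How the Parse Minimum Bytes and Parse Maximum Bytes limits bound what a parser sees in a stream can be checked with a small model before changing either value. This is an added example, not NetWitness code: the function names and sample tokens are hypothetical, and it assumes both limits are byte offsets from the start of the stream and that a token must end inside the limit to be found.

```python
# Illustrative model, not NetWitness code. Assumption: both limits are byte
# offsets from the start of the stream and a token must end inside the limit.
PARSE_MIN_BYTES = 1 * 1024     # documented default: 1 KB
PARSE_MAX_BYTES = 128 * 1024   # documented default: 128 KB


def occurrences(stream, tokens):
    """Yield (offset, token) for every occurrence of every token."""
    for token in tokens:
        offset = stream.find(token)
        while offset != -1:
            yield offset, token
            offset = stream.find(token, offset + 1)


def fits(hit, limit):
    """True if the token ends within `limit` bytes; 0 means no limit."""
    offset, token = hit
    return limit == 0 or offset + len(token) <= limit


def scan_stream(stream, tokens, parse_min=PARSE_MIN_BYTES, parse_max=PARSE_MAX_BYTES):
    """Return the token hits a scanner with these two limits would report."""
    hits = sorted(occurrences(stream, tokens))
    # Parse Minimum Bytes: give up if no first token appears early enough.
    first = next((h for h in hits if fits(h, parse_min)), None)
    if first is None:
        return []
    # Parse Maximum Bytes: keep looking for more tokens, but only this far.
    return [h for h in hits if h == first or fits(h, parse_max)]


def build_stream(prefix_len, gap_len):
    """Constructed sample: filler, a 'GET ' token, filler, a 'Host: ' token."""
    return b"A" * prefix_len + b"GET " + b"B" * gap_len + b"Host: "


TOKENS = [b"GET ", b"Host: "]  # hypothetical tokens for the demonstration

if __name__ == "__main__":
    for prefix, gap in [(0, 10), (2000, 10), (0, 200_000)]:
        found = scan_stream(build_stream(prefix, gap), TOKENS)
        print(f"prefix={prefix:>6} gap={gap:>7} -> {[(o, t.decode()) for o, t in found]}")
```

With the default limits, the second sample stream yields no hits and the third yields only the first token; setting the relevant limit to 0 restores full coverage at the cost of scanning the whole stream.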

Database Max File Sizes Section

The Database Max File Sizes section controls the maximum file size for various databases. When a service is first added, default values are in effect and should be changed only in special circumstances, for example, if Customer Support advises a change.

                       
| File Size Parameter | Description |
|---|---|
| Meta File Size | The maximum size of meta database files in Megabytes. The default value is 10 MB. Change takes effect on service restart. |
| Packet File Size | The maximum size of packet database files in Megabytes. The default value is 10 MB. Change takes effect on service restart. |
| Session File Size | The maximum size of session database files in Megabytes. The default value is 100 MB. Change takes effect on service restart. |

Hash Section

The Hash section settings control database file hashing options. There is a small performance penalty when hashing.

               
| Hash Parameter | Description |
|---|---|
| Hash Directory | The server directory where all hash files are written. If empty, each hash file is written to the same directory as the file being hashed. The default value is blank. Change takes effect on service restart. |

Parsers Configuration Panel

The Parsers Configuration panel provides a way to select parsers to use on the Decoder. Within some parsers, you can also configure the metadata that the parser creates. See Enable and Disable Parsers and Log Parsers for detailed information and procedures.

This is the Parsers Configuration section.

Service Parsers Configuration Section for Log Decoder

The Service Parsers Configuration section provides a way to select Service parsers to use on the Log Decoder.

This is the Service Parsers Configuration section.
