
Decoder: Flex Parser

Document created by RSA Information Design and Development Employee on Sep 13, 2017. Last modified by RSA Information Design and Development Employee on Jan 6, 2021.
Version 27

There are two kinds of Flex parsers:

  • Service identification based solely on port. These are parsers that use only the source or destination ports to identify the session application type (service). These are the most basic and easiest to define.
  • Service identification based on a found token(s). These parsers use tokens to identify the service type. This is also an easy way to expand which service types are identified. These are important when identifying non‐internet standard applications. These parsers require that the protocol has a definable token that can uniquely identify the service type.

Five common parser operations are: 

  • Match Port and Identify Immediately
  • Match Port and Delay Identification
  • Match Token and Identify Immediately
  • Match Multiple Tokens
  • Match Token and Create Metadata 

Detailed language information and samples are provided in this topic. This topic describes the XML schema used to define a FlexParse file. The XML nodes, attributes, and values referenced in descriptive text are bold. The root node of every file must be the parsers node. Under that node there can be any number of parser nodes. Each parser node defines a single parser. A parser node can have an optional declaration node and any number of match nodes.
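The following structural check is an added example, not part of the RSA documentation or product. It tests a FlexParse file only against the node layout described above (a parsers root, parser children, at most one declaration and any number of match nodes per parser). The sample files and the name attribute values are constructed for illustration and are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; the name attribute values are illustrative only.
GOOD = """<parsers>
  <parser name="example_a">
    <declaration/>
    <match/>
    <match/>
  </parser>
  <parser name="example_b"/>
</parsers>"""

BAD = """<parsers>
  <parser name="example_c">
    <declaration/>
    <declaration/>
    <match/>
  </parser>
  <match/>
</parsers>"""


def check_structure(xml_text):
    """Return a list of findings; an empty list means the layout matches."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "parsers":
        return [f"root node is <{root.tag}>, expected <parsers>"]
    findings = []
    for i, node in enumerate(root, start=1):
        if node.tag != "parser":
            findings.append(f"child {i} of <parsers> is <{node.tag}>, expected <parser>")
            continue
        label = node.get("name", f"#{i}")  # fall back to position if unnamed
        tags = [child.tag for child in node]
        if tags.count("declaration") > 1:
            findings.append(f"parser {label}: more than one <declaration> node")
        for tag in sorted(set(tags) - {"declaration", "match"}):
            findings.append(f"parser {label}: <{tag}> is not a node described here")
    return findings


if __name__ == "__main__":
    for title, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(title, check_structure(text) or "ok")
```

A check like this can run as a review gate before a custom parser file is deployed to a Decoder; it does not validate attributes or match logic.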


