In the Events view, and in the Reconstruction panel of the New Events view (Investigate > Events panel > click an event), you can safely view a reconstruction of an event of interest that you found in the Navigate view or the Events panel.
- How NetWitness Investigate Works
- Conducting an Investigation
- Analyze Events in the Event Analysis View
- Navigate View
- Event Analysis View - Text Analysis Panel
The Investigate Reconstruction panel displays a reconstruction of a single event in Packet View, File View, and Text View. When you click an event in the Events panel, the adjacent Reconstruction panel shows the packet reconstruction of the event. You can use the options in the Event Reconstruction toolbar to change the reconstruction type and direction (request or response), to hide or display the header panel, and to expand, contract, and close the Event Reconstruction panel. Depending on the reconstruction type selected and the contents of the payload, additional options are available. For example, you can display the payload only in the Text View, download files in the Files View, and download PCAP files in the Packet View.
Below is an example of a packet reconstruction. The numbered callouts are described in the following table.

| Callout | Description |
|---|---|
| 1 | Tabs or drop-down menu to select the reconstruction type: packet view, file view, text view. The currently selected type is displayed in the label. |
| 2 | Click to hide or show the header panel. |
| 3 | Click these icons to display the Request, Response, or both. |
| 4 | Click this icon to show or hide the Event Meta panel, which provides a detailed listing of meta data associated with the event. |
| 5 | An option to expand or contract the Reconstruction panel horizontally in the Navigate view. |
| 6 | An option to close the Reconstruction panel. |
| 7 | The header displays summary information for the event being reconstructed. |
| 8 | Lists each packet in the event. For each packet, you can see the packet number, the direction (Request or Response), and the packet contents in binary format on the left, hexadecimal format in the middle, and text format on the right. |
Packet Reconstruction Details
In the packet reconstruction, Investigate provides the packet number, the direction of the packet (Request or Response), the packet start time, and then the contents of the packet.
All packets begin with a header, and some packets have a footer. In the Packet View, the header and footer have a darker background so that you can distinguish them from the payload of the packet. The darker background for the header and footer appears in both the hexadecimal and text format.
The contents of the packet are provided in hexadecimal and text format. The meta data is highlighted in blue; when you hover over the meta data, the meta key/meta value information is displayed as a screen tip.
Additional options in the Packet View include downloading the PCAP for the event and displaying payloads only. When Payload only is displayed, you can use the Shade Bytes option to help distinguish patterns in the data.
Text Reconstruction Details
In the Text reconstruction, network events and log events are presented differently. For network events, Investigate provides the direction of the packet (Request or Response) and contents of each packet in text format.
For log events (filter on Medium = Log), there is no request or response; only the raw log is displayed in the Text reconstruction.
A subset of the reconstruction options is available in the Text View. You can:
- Hide and show the header.
- For Network events, select display of Requests only, Responses only, or both.
- For Network events, export the session as a PCAP file.
- For Log events, export the raw log.
- Switch between a compressed and decompressed view of payloads. When the session is decompressed, the compressed parts of the text become readable.
- Select text for decoding and encoding.
File Reconstruction Details
In the File reconstruction, Investigate presents a list of files associated with the selected network event.
You can select one file, one or more files, or all files to export to your local file system. When files are selected, the Export Files button becomes active and reflects the number of files selected. Clicking the button exports the selected files as a zip archive, which ensures that any potentially malicious files will not be opened by the default application and executed. The exported archive is named using the following convention:
<service-ID or host name>_SID<nnnnnnnn>_FC<n>.zip
- <service-ID or host name> is the name of the service (for example, a Concentrator or Broker) where the session was saved.
- SID<nnnnnnnn> is the session ID number.
- FC<n> is the file count, that is, the number of files in the archive.
To prevent an archive from being unzipped automatically when downloaded, NetWitness Suite exports the archive with password protection. To open an archive, enter the following password: netwitness.
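As an added example (not NetWitness code), the following Python helper applies the naming convention and export password described above to triage an exported archive without extracting it: it parses the archive name, checks the member count against FC<n>, hashes each member in memory, and flags entry names that would escape the extraction directory. The function names are hypothetical, and the sample archive is constructed and unencrypted (Python's zipfile ignores the password for unencrypted members; a real export is password-protected).

```python
import hashlib
import io
import re
import zipfile

# Naming convention documented above: <service-ID or host name>_SID<nnnnnnnn>_FC<n>.zip
ARCHIVE_NAME_RE = re.compile(r"^(?P<service>.+)_SID(?P<sid>\d+)_FC(?P<count>\d+)\.zip$")
EXPORT_PASSWORD = b"netwitness"  # password the documentation states the export uses


def parse_archive_name(name):
    """Return service, session ID and file count from an export name, or None."""
    m = ARCHIVE_NAME_RE.match(name)
    if not m:
        return None
    return {"service": m.group("service"),
            "session_id": int(m.group("sid")),
            "file_count": int(m.group("count"))}


def inspect_export(name, data):
    """Triage an exported archive without extracting anything to disk.

    Hashes each member in memory (so it can be checked against threat intel
    before extraction), verifies the member count against FC<n> in the name,
    and flags entry names that would escape the target directory on extract.
    """
    parsed = parse_archive_name(name)
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info, pwd=EXPORT_PASSWORD) as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            unsafe = info.filename.startswith("/") or ".." in info.filename.split("/")
            members.append({"name": info.filename, "size": info.file_size,
                            "sha256": digest, "unsafe_path": unsafe})
    count_ok = parsed is not None and parsed["file_count"] == len(members)
    return {"archive": parsed, "members": members, "count_matches": count_ok}


def build_sample_export():
    """Constructed sample: an unencrypted two-file archive named per the
    convention (one benign member, one with a traversal entry name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf", b"hello")
        zf.writestr("../evil.exe", b"MZ")
    return "concentrator01_SID00001234_FC2.zip", buf.getvalue()
```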