
Investigate: Combine Events from Split Sessions

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on Jan 30, 2020

Note: The information in this section applies to the Version 11.3 and earlier Events view, which was renamed as Legacy Events view in 11.4.

Analysts can identify sessions that have been split due to session size and combine the fragmented sessions so that the complete session is viewable as a single query result in the Legacy Events view. When split sessions are recombined, a single packet export of the session in the Legacy Events view includes all of the session fragments.

Decoders are configured with a default maximum session size of 32 MB. When a session exceeds that limit, the Decoder splits it: all subsequent packets become part of a new session, so one network session is fragmented across multiple Decoder sessions. Without extra support, it is hard to view all of the fragments as a single query result or to export all of them as a single packet capture.

The Decoder and the Legacy Events view provide several features that make fragmented sessions easier to work with:

  • Contextual fragment parsing.
  • Session fragments highlighting.
  • Finding session fragments.
  • Exporting all packets to a single PCAP.

Contextual Fragment Parsing

The Decoder completes session parsing before it splits a large session, whether the split is triggered by the configured maximum session size (32 MB by default) or by the configured session timeout (60 seconds by default). When parsing is complete, the parsed results include the correct address directionality and application protocol, and these are propagated to each subsequent session fragment so that every fragment is consistent with the logical network session it represents. Because the source and destination addresses and ports are the same on every fragment, a single query on those values can retrieve all of the fragments.

Note: Find Session Fragments requires that the tcp and udp source port meta keys (tcp.srcport and udp.srcport) be fully indexed, the default configuration.

Session Fragments Highlighting

Each session fragment has an additional meta item, session.split. The value of the session.split meta key for a particular session fragment indicates how many fragments precede that fragment. When viewing sessions in the Legacy Events view, the session.split meta key clearly identifies sessions that are fragments in the Events List view and the Events Detail view.

The session split happens when the configured Decoder assembler.size.max (maximum session size) or assembler.timeout.session (latency between packets of a session) is reached. The earliest fragment is session 0, and fragments with later time stamps are numbered 1, 2, 3, and so on. The session.split meta value indicates the number of preceding session fragments; it does not indicate whether any subsequent fragments exist, even when the value is 0. It is also possible for the first fragment of a session to have no session.split meta value at all, if the session finished parsing before it exceeded the maximum session size.

When you view the session fragments, you can work out the maximum session size or session timeout that a Decoder would need in order to parse the split sessions as one again. For example, if you have four fragments of 32 MB each, you need to configure a test Decoder (usually a virtual machine set up separately from the production service) with a maximum session size greater than 128 MB. The steps are the same when the fragments were produced by a session timeout rather than by size. The figures below show the Events List view and the Events Detail view with the fragmented session information highlighted.

Note: A maximum session size of 12 MB was configured at the time the screen captures below were created.

(Figure: the Events List view, with split session highlighting)

(Figure: the Events Detail view, another example of fragmented session highlighting)

In the Events Detail view, the session.split metadata is always displayed immediately after the address and port metadata; it is never hidden as additional metadata. These enhancements make it possible to quickly:

  • Identify sessions that are fragments of a network session.
  • View all of the session fragments of a network session given a single session fragment.
  • Export the packets for the entire network session as a single PCAP file.

Find and Combine Fragments

From within the Legacy Events view, you can find the fragments of a session using the Refocus > Find Session Fragments context menu option. NetWitness Platform composes a query from the source and destination addresses and ports of the selected session and displays all sessions that match that query within the current time window.

To find session fragments:

  1. In the Legacy Events view, right-click any source or destination address or port value (ip.src, ip.dst, ipv6.src, ipv6.dst, tcp.srcport, tcp.dstport, udp.srcport, or udp.dstport) or any session.split value.
    The context menu is displayed.
    (Figure: meta context menu)
  2. Select Refocus > Find Session Fragments or Refocus New Tab > Find Session Fragments.
    NetWitness Platform repopulates the Events list with the fragments of the single network session that fall within the current time range. Depending on the option you selected, the refocus replaces the current view or opens in a new tab. (The All Data time range is used in these examples; it is not recommended on production systems.)
    (Figure: a refocused investigation)
  3. If necessary, adjust the time range to include any session fragments that precede or follow the current time window. The time range needs to be expanded if the fragments occur near a time boundary, especially if the first visible fragment does not have a split value of 0 (or no split value). Alternatively, inspecting the packets of the last visible session may indicate that the session continues. Here is an example:
    1. If the visible fragments are obviously not the first fragment, for example 1, 2, 3, and 4 in the time range 10:30 to 10:35, there should be a fragment 0. Start the time range earlier (for this example, 10:25) to find the additional fragment.
    2. If the session size of the last fragment is close to the maximum session size (12 MB in this example), look for additional fragments by extending the time window to a later time (for this example, 10:40).
      When all of the session fragments of a network session are included within a single Events list, the list can span multiple pages.
  4. (Optional) To export the packets for every session fragment to a single PCAP file, select Actions > Export All PCAP.
    A message informs you that the PCAP is being downloaded. When the download is complete, the PCAP file includes the entire network session that was fragmented.
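The following added example, which is not part of the RSA documentation or of NetWitness itself, models the procedure above and the sizing advice from the Session Fragments Highlighting section: it composes the fragment query from the meta keys the page names (the exact query text the UI composes is not shown on the page, so the `key=value && ...` form is an assumption), selects the matching fragments inside a time window, applies the two "expand the time range" checks from step 3, flags gaps in the session.split sequence, and computes the assembler.size.max a test Decoder would need to reassemble the fragments. The session records, addresses, ports, sizes and the 12 MB limit are constructed to mirror the page's scenario; the 90% "near the limit" threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

MB = 1024 * 1024
MAX_SESSION_BYTES = 12 * MB   # assembler.size.max used for the page's screenshots (12 MB)
NEAR_LIMIT = 0.9              # assumption: a fragment this full probably has a successor


@dataclass
class Session:
    session_id: int
    time: datetime
    ip_src: str
    ip_dst: str
    tcp_srcport: int
    tcp_dstport: int
    size: int                 # session size in bytes
    split: Optional[int]      # session.split; None if parsing finished before a split


def fragment_query(s: Session) -> str:
    """Query for Find Session Fragments, built from the selected session's
    address and port meta (key names from the page; the && form is an assumption)."""
    return (f"ip.src={s.ip_src} && ip.dst={s.ip_dst} && "
            f"tcp.srcport={s.tcp_srcport} && tcp.dstport={s.tcp_dstport}")


def find_fragments(selected: Session, sessions: List[Session],
                   start: datetime, end: datetime) -> List[Session]:
    """Fragments that match the selected session's 4-tuple inside [start, end].
    Contextual fragment parsing keeps directionality identical on every
    fragment, so an exact match on src/dst is sufficient."""
    key = (selected.ip_src, selected.ip_dst, selected.tcp_srcport, selected.tcp_dstport)
    hits = [s for s in sessions
            if (s.ip_src, s.ip_dst, s.tcp_srcport, s.tcp_dstport) == key
            and start <= s.time <= end]
    return sorted(hits, key=lambda s: s.time)


def time_range_advice(frags: List[Session], max_bytes: int = MAX_SESSION_BYTES) -> List[str]:
    """Step 3 checks: 'earlier' if the first visible fragment is not fragment 0,
    'later' if the last visible fragment is close to the maximum session size."""
    advice = []
    if frags and frags[0].split not in (None, 0):
        advice.append("earlier")
    if frags and frags[-1].size >= NEAR_LIMIT * max_bytes:
        advice.append("later")
    return advice


def missing_split_values(frags: List[Session]) -> List[int]:
    """session.split values absent between the lowest and highest seen; a gap
    means a fragment is outside the window or was not captured."""
    seen = {0 if f.split is None else f.split for f in frags}
    return [] if not seen else [v for v in range(min(seen), max(seen) + 1) if v not in seen]


def required_test_decoder_mb(frags: List[Session]) -> int:
    """Smallest whole-MB assembler.size.max strictly greater than the fragments'
    total size, e.g. four 32 MB fragments need more than 128 MB -> 129."""
    return sum(f.size for f in frags) // MB + 1


# Constructed sample data (not NetWitness output) mirroring the page's example:
# fragments 0..4 of one TLS session, plus an unrelated session with another port.
_t = lambda h, m: datetime(2020, 1, 30, h, m)
SAMPLE_SESSIONS = [
    Session(100, _t(10, 27), "10.1.1.5", "203.0.113.20", 51234, 443, 12 * MB, 0),
    Session(101, _t(10, 31), "10.1.1.5", "203.0.113.20", 51234, 443, 12 * MB, 1),
    Session(102, _t(10, 33), "10.1.1.5", "203.0.113.20", 51234, 443, 12 * MB, 2),
    Session(103, _t(10, 36), "10.1.1.5", "203.0.113.20", 51234, 443, 12 * MB - 200_000, 3),
    Session(104, _t(10, 38), "10.1.1.5", "203.0.113.20", 51234, 443, 3 * MB, 4),
    Session(200, _t(10, 32), "10.1.1.5", "203.0.113.20", 51235, 443, 1 * MB, None),
]


def demo():
    selected = SAMPLE_SESSIONS[2]                     # analyst right-clicks fragment 2
    narrow = find_fragments(selected, SAMPLE_SESSIONS, _t(10, 30), _t(10, 35))
    wide = find_fragments(selected, SAMPLE_SESSIONS, _t(10, 25), _t(10, 40))
    return {
        "query": fragment_query(selected),
        "narrow_ids": [s.session_id for s in narrow],
        "narrow_advice": time_range_advice(narrow),
        "wide_ids": [s.session_id for s in wide],
        "wide_advice": time_range_advice(wide),
        "wide_gaps": missing_split_values(wide),
        "test_decoder_mb": required_test_decoder_mb(wide),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the 10:30 to 10:35 window the example returns fragments 1 and 2 only and advises expanding in both directions; with 10:25 to 10:40 it returns fragments 0 through 4 with no gaps, and a test Decoder would need assembler.size.max above the fragments' combined 51 MB to reassemble them as one session.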
