To provide a more open database format, the Network Decoder can write standard pcap-formatted files. You can enable pcapng-formatted database files with the configuration node:
/database/config/packet.file.type = 'pcapng' or 'netwitness'
Note: This capability is enabled by default if you install 11.2 or later. If you upgrade from a previous version to 11.2, you must enable pcapng-formatted database files manually, which can result in an approximate 4% decrease in disk space (as the pcapng files require more space than the NetWitness nwdb files).
To enable writing standard pcap-formatted files:
- Go to (Admin) > Services, select a Network Decoder service, and then select > View > Explore.
- Go to database > config.
- In packet.file.type, the default is pcapng.
- To change the packet file type to NetWitness formatting, type netwitness and press Enter. This change will take effect immediately on the next packet file that is created.
Note: In the pcapng database file format, the data is in clear text, and is not obfuscated by our proprietary format, which can improve security.
Caution: Please do not touch any files in the packet database directories! You must not read or edit any pcapng file in the packet database directories, as they are always in use while Decoder is running. Decoder always expects full and exclusive access to those files, and other processes reading those files prevent normal Decoder operation. The proper way to access the pcapng files is to set up a cold storage directory. This allows Decoder to copy pcapng files to the cold storage directory before deletion. At that point, you are responsible for managing the pcapng files, including making sure that the cold storage volume never fills up. Keep in mind that copying the pcapng files to cold storage requires a non-trivial amount of I/O and could interfere with packet capture. Cold storage for pcapng is not supported at 10G speeds.