How to start a scheduled/historical packet capture?
I am trying to test the amount of packets/bytes received by a packet decoder in a specific period of time. Can this be done by setting a schedule or can it be done by a historical query? I appreciate the help.
You can replay packets a number of ways, depending on what you want to accomplish.
With the packet decoder service's capture stopped, you can upload a PCAP to the decoder.
You can install tcpreplay on the decoder service and use that to replay PCAPs locally to the decoder service, to replay many packet captures using a scripted method.
It depends what outcome you want and what you are trying to accomplish. TCPReplay needs to be downloaded from an external repo (EPEL, I think?) and installed with rpm -ivh tcpreplay*.rpm; then you can use it from the command line like on any normal CentOS server.
I would suggest running a report with the following query; it would give you the information you need:
Summarize: Session Size
Alias: Data Capture
Where: did='target decoder'
Pick the time range you want when running the report or using "Test Rule".
That should give you what you need.
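When a PCAP is replayed into the decoder as described above, it helps to know how many packets and bytes the file itself holds for a given time window, as a reference figure to set beside what the report shows. The following is an added example, not part of the thread and not NetWitness code; it assumes the classic pcap file format (not pcapng), and the function names and sample data are constructed for illustration.

```python
import struct

# Classic pcap magic as it appears on disk -> (byte order, timestamp units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

def pcap_totals(data, start=None, end=None):
    """Return (packets, captured_bytes, wire_bytes) for records with
    start <= timestamp < end (epoch seconds; None means unbounded)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    order, frac = MAGICS[data[:4]]
    packets = captured = wire = 0
    offset = 24  # size of the global file header
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(
            order + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            break  # truncated final record: stop rather than count partial data
        offset += incl_len
        ts = ts_sec + ts_frac / frac
        if (start is None or ts >= start) and (end is None or ts < end):
            packets += 1
            captured += incl_len   # bytes stored in the file (after snaplen)
            wire += orig_len       # bytes the packet had on the wire
    return packets, captured, wire

def build_sample():
    """Constructed sample: three packets at t=100, 160 and 220 seconds."""
    out = struct.pack("<4sHHiIII", b"\xd4\xc3\xb2\xa1", 2, 4, 0, 0, 65535, 1)
    for ts, incl, orig in ((100, 60, 60), (160, 64, 1500), (220, 60, 60)):
        out += struct.pack("<IIII", ts, 0, incl, orig) + b"\x00" * incl
    return out

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: script.py capture.pcap
        with open(sys.argv[1], "rb") as f:
            print(pcap_totals(f.read()))
    else:
        print(pcap_totals(build_sample(), start=100, end=200))
```

The captured and wire totals differ when the capture was taken with a snap length shorter than the packets, so note which of the two you are comparing.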