Increasing retention using packet.compression?
I would like to explore if it is possible to increase our retention on our packet decoders.
Under the explore view on the packet decoder there is a setting:
"packet compression" which by default is set to none, but can be set to gzip.
The packet compression level is currently set to zero, which is the best mix between compression and speed.
I looked at one of the packet decoder packet database files with the command:
I can see that there is a lot of clear-text data written to the file, which suggests that compression might not be in use.
Is there a document or any information on how to increase packet retention by tuning these settings?
I found the core database tuning guide, but is it just a case of try it and see?
- RSA NetWitness
- RSA NetWitness Platform
I am not aware of any official documentation of the feature, but I use the compression setting quite a lot. I haven't found a statistically significant difference between the settings 5 (average), 9 (max), and 0 ("best mix"), but given the principles behind why you would turn on compression in the first place (namely, that you'll rarely be clicking through so many raw packets that decompressing them will slow down an investigation) I don't see a problem with just selecting 9. I'm actually collecting some stats on compression right now with a customer, and if I can remember to come back here and post, then I will.
Thanks for the update. Do you mean that any effects on performance were not noticeable, or that the compression was not noticeable?
Can you confirm the setting you used for the "packet.compression" value, e.g. did you set it to gzip?
Using a Hybrid appliance, any effects on performance are not noticeable. I have not used compression with a standard decoder + DAC.
After truncating the payloads of SSL and SSH traffic (this environment does not do SSL inspection), I'm seeing about a 1.2:1 ratio when using a setting of 9 on compression. I'm going to continue testing, as this is a very small sample size right now, but those results roughly match what I've seen in the past. THIS IS NOT SCIENTIFIC, and I'm not working with Product Management to achieve those results, so temper your expectations accordingly. This is not an official statement of performance impact or compression ratios; I'm only letting you know what I've observed.
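The two observations above (encrypted SSL/SSH payloads barely compress, and the ratio only becomes interesting once those payloads are truncated) can be checked offline before touching a decoder. The script below is an added example written for this thread; it is not NetWitness code and does not read the decoder's packet database format. It builds a constructed mix of plain-text HTTP requests and high-entropy byte strings standing in for TLS records, then measures the DEFLATE ratio (the algorithm behind gzip) at levels 0, 5 and 9, with and without payload truncation. One caveat worth knowing: in zlib's own numbering, level 0 means "store, no compression", so a decoder that passes the level straight through to zlib would get no size reduction at 0; whether the decoder does that is an assumption this page does not settle.

```python
import random
import zlib


def build_sample_sessions(seed=7, count=200):
    """Constructed sample traffic, not real captures.

    Returns a list of (protocol, payload) tuples: repetitive plain-text HTTP
    requests plus pseudo-random byte strings that mimic TLS ciphertext.
    """
    rng = random.Random(seed)
    http = [
        (
            f"GET /index.html?id={i} HTTP/1.1\r\nHost: intranet.example\r\n"
            "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"
        ).encode()
        for i in range(count)
    ]
    # High-entropy bytes behave like ciphertext: nothing for DEFLATE to find.
    encrypted = [bytes(rng.getrandbits(8) for _ in range(1400)) for _ in range(count)]
    return [("http", p) for p in http] + [("tls", p) for p in encrypted]


def compression_ratio(data: bytes, level: int) -> float:
    """Uncompressed bytes divided by compressed bytes (zlib/DEFLATE, as gzip uses).

    Ratios below 1.0 mean the container overhead outweighed any savings;
    that is what zlib level 0 (stored blocks) or random payloads produce.
    """
    return len(data) / len(zlib.compress(data, level))


def truncate_payloads(sessions, protocols=("tls", "ssh"), keep=64):
    """Keep only the first `keep` bytes of payload for the named protocols.

    Mirrors the idea of dropping encrypted payloads that cannot be inspected
    anyway; `keep` is an illustrative value, not a decoder setting.
    """
    return [(proto, p[:keep] if proto in protocols else p) for proto, p in sessions]


def ratios_by_level(sessions, levels=(0, 5, 9)):
    """Overall ratio of the concatenated payloads at each compression level."""
    blob = b"".join(p for _, p in sessions)
    return {lvl: compression_ratio(blob, lvl) for lvl in levels}


def per_protocol_ratios(sessions, level=9):
    """Ratio per protocol, so plain text and ciphertext can be compared."""
    by_proto = {}
    for proto, payload in sessions:
        by_proto.setdefault(proto, []).append(payload)
    return {proto: compression_ratio(b"".join(ps), level) for proto, ps in by_proto.items()}


if __name__ == "__main__":
    sessions = build_sample_sessions()
    print("per protocol at level 9:", per_protocol_ratios(sessions))
    print("full payloads:          ", ratios_by_level(sessions))
    print("tls/ssh truncated:      ", ratios_by_level(truncate_payloads(sessions)))
```

Run it and the plain-text half compresses many times over while the ciphertext half sits at roughly 1:1, which is why the blended ratio on a mostly encrypted link stays close to 1 until the encrypted payloads are cut short. Swapping the constructed sample for payloads carved out of a real capture of your own traffic mix gives a rough expectation of what retention gain a given level can deliver before you change the decoder setting.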