This section introduces commonly used configuration settings on a Decoder with procedures and background information. After you have completed Decoder and Log Decoder Quick Setup, you can refine your configuration by using parsers, feeds, and rules to limit the captured data.
Note: A Log Decoder is a special type of Decoder, which is configured and managed in a similar way to a Decoder. Most of the information in this guide refers to both types of Decoders. "Decoder" refers to both types of Decoders. Information that applies exclusively to Network Decoders or Log Decoders is clearly identified.
The following workflow illustrates commonly used settings and breaks the configuration process into four steps.
|Configure Capture Settings|| |
When initially setting up the Decoder, configuring the network adapter interface is required. Additional optional capture settings are available; one that is frequently used is Capture Autostart.
|Enable and Disable Parsers and Log Parsers||View the parsers that have been downloaded and deployed from Live, and manage which ones are enabled or disabled.|
|Start and Stop Data Capture||When a Decoder starts up, it automatically begins aggregating data if Capture Autostart is enabled. When autostart is not enabled, you can start and stop data capture manually.|
|Configure Decoder Rules|| |
Capture rules can add alerts or contextual information to sessions or logs. They can also define which data a Decoder or Log Decoder filters out.
By default, no capture rules are defined when you first configure NetWitness Platform. Unless rules are specified and the rules are valid, the packets are not filtered. You can deploy the latest rules from Live as described in the Live Services Management Guide. You can define capture rules at any time, and you can fix rules that use invalid syntax (Fix Rules with Invalid Syntax).