System Parsers

This topic lists the native parsers available in RSA Security Analytics.


Packet parsers identify the application layer protocol of sessions seen by the Decoder, and extract meta data from the packet payloads of the session.

Every packet parser is able to extract meta from every session. For example, a webmail session will be parsed by both an HTTP parser which identifies the session as HTTP and extracts meta from HTTP headers, and by a MAIL parser which extracts email-related meta from message headers. Further, if the session were to contain an executable file, its presence would be detected by a windows executable parser.

Packet parsers in RSA NetWitness may be broadly classified as:

  • System or Native parsers: These are compiled into the Decoder base code. Updates are delivered along with updates to RSA NetWitness. Many system parsers have Lua equivalents. In these cases, generally, the native parser may perform faster, while the Lua parser may extract more meta.
  • Lua parsers: these are written in the Lua programming language, and delivered via Live. Customers can write their own custom Lua parsers.
  • Flex parsers: these were written in a proprietary scripting language, Flex, and delivered via Live. These are now discontinued, and no longer delivered in Live. Every existing Flex parser has a better Lua equivalent, and all customers using NetWitness should not be using Flex parsers.

System Parsers in RSA NetWitness Platform

The following table describes the system parsers delivered with RSA NetWitness Platform.


For content that has been discontinued, see Discontinued Content.

Name Description
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Service
enVision Log Decoder Service
FTP File Transfer Protocol
GeoIP Geographic data based on ip.src
GTalk Google Talk
H323 H.323 Teleconferencing Protocol
HTTP Hyper Text Transport Protocol
HTTPS Secure Socket Layer Protocol
IRC Internet Relay Chat Protocol
MAIL Standard E-Mail Format (RFC822)
NETBIOS NETBIOS computer name and parser
NETWORK Network Layer parser
NFS Network File System
NNTP Network News Transport Protocol
PGP PGP blocks within network traffic parser
POP3 Post Office Protocol
RIP Routing Information Protocol
RTP Real Time Protocol for audio/video
SCCP Cisco Skinny Client Control Protocol
SEARCH Searches content for keywords and/or regular expressions
SIP Session Initiation Protocol
SMB Server Message Block
SMIME SMIME blocks within network traffic
SMTP Simple Mail Transport Protocol
SNMP Simple Network Management Protocol
SSH Secure Shell
TDS MSSQL and Sybase Database Protocol
TFTP Trivial File Transfer Protocol
TNS Oracle Database Protocol
VCARD Extracts Full Name and E-mail information