How to Perceive Duplicated Traffic
The team here came up with a question regarding the possibility of checking in NetWitness whether or not there is duplicated traffic. It is more like using NetWitness to point out network maps being observed more than once on different load balancers.
Has anyone come across a similar situation? Could you point out possible steps to detect this issue in an assertive manner?
To the best of my knowledge, there is no de-duplication within NetWitness. If you have two decoders and each one of them captures 100 sessions that are the same, Investigation will show you 200 sessions of duplicated meta. It won't know that the 100 sessions from decoder 1 and the 100 sessions from decoder 2 are actually the same 100 sessions. This is why it is important not to have duplicate information entering the decoders. If you feel that there is duplicate data that will be coming in on your decoders, you may be able to use application rules on the decoder to filter the data out so that only one decoder is actually capturing the data. To do this, you will need to have some consistent characteristic(s) of the data to filter on. Otherwise, your only option is to work with your network team to not capture the duplicated data.
I hope this helps.
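One way to confirm that two decoders are capturing the same sessions, as an added example that is not part of the original thread and not NetWitness tooling: group exported session meta by a direction-independent 5-tuple and flag flows reported by more than one decoder within a short time window. The row layout, the key names (`did`, `time`, `ip.src`, `tcp.srcport`, `ip.dst`, `tcp.dstport`, `ip.proto`), the 2-second window and the sample rows are assumptions.

```python
from collections import Counter, defaultdict

def make_row(did, time, src, sport, dst, dport, proto=6):
    # One session's meta; key names are assumed to match the export.
    return {"did": did, "time": time, "ip.src": src, "tcp.srcport": sport,
            "ip.dst": dst, "tcp.dstport": dport, "ip.proto": proto}

# Constructed sample: session meta exported from two decoders.
SAMPLE_SESSIONS = [
    make_row("decoder1", 1700000000, "10.0.0.5", 51514, "192.0.2.10", 443),
    make_row("decoder2", 1700000001, "10.0.0.5", 51514, "192.0.2.10", 443),  # same session, second capture point
    make_row("decoder1", 1700000050, "10.0.0.7", 40000, "192.0.2.20", 80),   # seen once
    make_row("decoder1", 1700000200, "10.0.0.9", 50000, "192.0.2.30", 22),
    make_row("decoder2", 1700000900, "10.0.0.9", 50000, "192.0.2.30", 22),   # port reuse much later
]

def flow_key(s):
    """Direction-independent 5-tuple, so both decoders key a session identically."""
    ends = sorted([(s["ip.src"], s["tcp.srcport"]), (s["ip.dst"], s["tcp.dstport"])])
    return (s["ip.proto"], ends[0], ends[1])

def find_cross_decoder_duplicates(sessions, window=2):
    """Clusters sharing a flow key, starting within `window` seconds of each
    other, and reported by more than one decoder."""
    by_flow = defaultdict(list)
    for s in sessions:
        by_flow[flow_key(s)].append(s)
    found = []
    for key, group in by_flow.items():
        group.sort(key=lambda s: s["time"])
        cluster = [group[0]]
        for s in group[1:] + [None]:          # None flushes the last cluster
            if s is not None and s["time"] - cluster[-1]["time"] <= window:
                cluster.append(s)
                continue
            if len({c["did"] for c in cluster}) > 1:
                found.append((key, cluster))
            cluster = [s]
    return found

def overlap_by_decoders(duplicates):
    """Count duplicate clusters per set of decoders, to show which capture points overlap."""
    return Counter(tuple(sorted({c["did"] for c in cl})) for _, cl in duplicates)

if __name__ == "__main__":
    for key, cluster in find_cross_decoder_duplicates(SAMPLE_SESSIONS):
        print(key, [(c["did"], c["time"]) for c in cluster])
```

The per-decoder-pair counts give the network team a concrete list of which capture points overlap, and the flagged flows suggest which consistent characteristics a decoder-side filter could match on.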