NetWitness REST interface syntax documentation/examples
Trying to get the REST interface into our NetWitness working. Have read the doc, but can't seem to find the right doc to read. Some examples of full URLs to get data would be very helpful, as there is little debug info (by design) when you get it wrong, and I am getting it wrong.
Found the Python script and slides - handy, but not getting joy. Do love a good Python script.
It's time for an example. I want to get all the metadata for a time range between two IPs. Via the GUI, it looks like this:
- Src.ip = 184.108.40.206
- Dst.ip = 220.127.116.11
- startTime = 2014-09-17 13:47
- endTime = 2014-09-18 13:46
In REST I am trying to use: http://172.16.90.195:50105/sdk?msg=query&%22Select=*%20WHERE=%20time=%20%272014-09-17%2013:47%20-%20...
Of course I do not get any return beyond a 200.
I know this is a noob question, but I am a noob and believe I have done my research. Perhaps some examples of "correct" requests would point me in the right direction.
Use the help command to find out the parameters accepted by each command:
query: Performs a query against the meta database
id1 - <uint64, optional> The starting meta id (to run the query from most recent to oldest meta, make id1 larger than id2)
id2 - <uint64, optional> The ending meta id
size - <uint32, optional> The max number of entries to return, or just stream back all results if zero
query - <string, optional> The query string to use
flags - <string, optional> The flags to use for query. Can be a number (bitwise mask) or comma separated values like query-log.
threshold - <uint64, optional> Query optimization to stop processing results after the threshold is reached (useful with select aggregate functions). Zero means no threshold (the default).
In your URL, you were using a Select parameter, which isn't a supported parameter. Case matters too, so match the case of the parameters.
Using the Python tool, you should format the parameters in the command like this:
size=1000 query="select * where time='2014-09-17 13:47:00'-'2014-09-18 13:46:00' && ip.src=18.104.22.168 && ip.dst=22.214.171.124"
This will generate a proper URL for you to see and then submit it. Use the Get Message Help button in the Python tool to see command help.
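As an added illustration of the two points in the answer above (parameter names are checked against the command's help output, case-sensitively, and the query string is URL-encoded rather than pasted into the URL by hand), here is a small Python helper. It is not the NetWitness Python tool or any NetWitness code; it assumes the `/sdk?msg=<command>` URL shape shown in the question, and it parses the `help` output format exactly as it appears in this thread, which is itself an assumption about how that output is laid out.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample input: the "help" output for the query command, copied
# from the thread above. The line format (name - <type, optional> text) is
# assumed to be stable; adjust PARAM_RE if your appliance prints it differently.
HELP_QUERY_TEXT = """query: Performs a query against the meta database
id1 - <uint64, optional> The starting meta id (to run the query from most recent to oldest meta, make id1 larger than id2)
id2 - <uint64, optional> The ending meta id
size - <uint32, optional> The max number of entries to return, or just stream back all results if zero
query - <string, optional> The query string to use
flags - <string, optional> The flags to use for query. Can be a number (bitwise mask) or comma separated values like query-log.
threshold - <uint64, optional> Query optimization to stop processing results after the threshold is reached (useful with select aggregate functions). Zero means no threshold (the default).
"""

PARAM_RE = re.compile(r"^(?P<name>\w+) - <(?P<type>\w+), (?P<req>optional|required)>")


def parse_help(text):
    """Return {param_name: (type_name, required)} parsed from one command's help output."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.strip())
        if m:
            params[m.group("name")] = (m.group("type"), m.group("req") == "required")
    return params


def validate_params(params, accepted):
    """Return a list of error strings; empty means every name and type is acceptable."""
    errors = []
    for name, value in params.items():
        if name not in accepted:
            # Names are case-sensitive, so point out a near miss such as Query vs query.
            near = [a for a in accepted if a.lower() == name.lower()]
            if near:
                errors.append(f"{name!r} is not accepted; case matters, did you mean {near[0]!r}?")
            else:
                errors.append(f"{name!r} is not accepted by this command")
            continue
        type_name, _required = accepted[name]
        # Unsigned integer parameters must be plain non-negative digits.
        if type_name.startswith("uint") and not str(value).isdigit():
            errors.append(f"{name!r} expects {type_name}, got {value!r}")
    for name, (_type_name, required) in accepted.items():
        if required and name not in params:
            errors.append(f"required parameter {name!r} is missing")
    return errors


def build_query_url(host, port, params, accepted, path="/sdk", msg="query"):
    """Build http://host:port/sdk?msg=query&... with every value percent-encoded.

    Raises ValueError instead of sending a request the server would silently
    ignore (the empty 200 the question describes).
    """
    errors = validate_params(params, accepted)
    if errors:
        raise ValueError("; ".join(errors))
    query_string = urlencode([("msg", msg)] + list(params.items()))
    return f"http://{host}:{port}{path}?{query_string}"


def decode_query_param(url):
    """Recover the original query text from a built URL (useful when debugging a 200 with no body)."""
    return parse_qs(urlsplit(url).query)["query"][0]


if __name__ == "__main__":
    accepted = parse_help(HELP_QUERY_TEXT)
    # Host, port and addresses are the sample values from the thread, not real targets.
    url = build_query_url(
        "172.16.90.195", 50105,
        {"size": 1000,
         "query": "select * where time='2014-09-17 13:47:00'-'2014-09-18 13:46:00' "
                  "&& ip.src=18.104.22.168 && ip.dst=22.214.171.124"},
        accepted,
    )
    print(url)
    try:
        build_query_url("172.16.90.195", 50105, {"Select": "*"}, accepted)
    except ValueError as e:
        print("rejected:", e)
```

The `urlencode` call is what makes the `&&`, `=`, `'` and spaces inside the query string safe: without it the `&&` in the filter is read by the server as a parameter separator, and the rest of the query is lost, which is consistent with getting back nothing but a 200.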