Reconstruct events from nwpdb file with preserved time
is there any chance to reconstruct events from nwpdb file?
It was possible to convert nwpdb to logs by NwConsole and to replay them by NwLogPlayer, but events time changed to current date. Is there any way to replay logs with preserved time?
Thank you in advance.
I'd have to double-check, but I believe the event times changed as the result of the replay through NwLogPlayer. Basically, the time is that at which the logs were parsed.
Packets are a bit different. We often take PCAP's and play them through a packet decoder...forget what the timestamps in the PCAP actually were....yell and scream that things didn't import correctly, only to change our Time parameter to look at ALL data, which is when we find the actual pcap that kept the original timestamps.
So, I don't think it's an issue on the export, but rather on the import.
If you did want to preserve timestamps, you would want to do the import command in NwConsole. If you were to use tcpreplay to replay them, the timestamps would change.
Again...thats how I have seen it, but have never tried exporting an entire nwpdb file to attempt.
can you open the file in the thick client (investigator client) and view it there? I don't think that alters the timestamps from memory.