Hello, folks! How are you?
How can I get the ip.src value in a parser?
If you look in /etc/netwitness/ng/envision/table-map.xml you will find all the mappings for parsers. IP.src is mapped to saddr in the parser.
I don't have this file. My device is a packet decoder. Well, I'd like to compare two values with an if condition in the parser.
For example: If ip.src != my.another.parser then ...
Did you understand?
I am not familiar with packet parsers. But it looks like this could be done via an app rule.
I'm not sure, because an app or network rule compares two metadata values and not metadata keys.
For example, I need to provide the value that I want to compare.
If you have a value of ip.src you want to compare, you can create a custom Lua parser to operate on meta callback matching.
This is about how to create a Lua parser:
A Treatise on Writing Packet Parsers for the RSA NetWitness Platform