RSA Admin

Detailed example: how to extract pcap for any query and extract meta values for any sessions using REST SDK API

Discussion created by RSA Admin Employee on Dec 13, 2012
Latest reply on Sep 28, 2014 by RSA Admin

During a forensic investigation using the RSA/NetWitness system, one often needs to save the raw packet data and meta values from particular sessions of interest into pcap or XML/JSON files before the captured data is rolled out of the RSA/NetWitness databases.


Broker/concentrator example:

- Need to extract raw packets into a pcap file from sessions with ip.src=10.194.238.251 and alias.host=time.vocalocity.com between 12/6/2012 8am - 9am.

- Need to save all meta values from these sessions into xml or JSON file.


Decoder example:

- Need to extract raw packets into a pcap file from sessions between 12/10/2012 8:00am - 8:01am

- Need to save all meta values from these sessions into xml or JSON file.


The attached PDF provides detailed steps and screen output on how the above tasks are done on a broker/concentrator and a decoder.
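The following script is an added example that is not part of the original post or its attached PDF. It builds the REST SDK requests for the two scenarios above (a time window plus meta constraints on a broker/concentrator, a bare time window on a decoder), pulls the session IDs out of a query response, and then asks for the raw packets of those sessions as pcap. The hostnames, the REST ports, the `msg=query`/`msg=packets` endpoint parameters, the `force-content-type` switch, the where-clause time syntax and the JSON response layout are all assumptions (marked in comments); the sample response is constructed so the parsing runs offline.

```python
"""Added example (not the original post's or the attached PDF's code).
Exports the meta (JSON) and raw packets (pcap) of sessions matching a
NetWitness where clause via the REST SDK. Endpoint names, ports and the
response layout are assumptions, see the comments."""
import json
from base64 import b64encode
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumption: the REST listener sits on the native port + 100
# (broker 50103, concentrator 50105, decoder 50104) and SSL is enabled on it.
REST_PORTS = {"broker": 50103, "concentrator": 50105, "decoder": 50104}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def literal(value):
    """Render one meta value for a where clause: IP addresses bare, text single-quoted.
    Values containing quotes or backslashes are rejected rather than escaped, so a
    user-supplied string cannot alter the query (the product's escape rules are not
    assumed here)."""
    try:
        return str(ip_address(value))
    except ValueError:
        pass
    if "'" in value or "\\" in value:
        raise ValueError("unsupported character in meta value: %r" % value)
    return "'%s'" % value


def where_clause(start, end, meta=()):
    """Build `time=... && key=value ...` for a time window plus (key, value) constraints.
    Assumption: time ranges are written as quoted 'YYYY-MM-DD HH:MM:SS' bounds joined by '-'."""
    parts = ["time='%s'-'%s'" % (start.strftime(TIME_FMT), end.strftime(TIME_FMT))]
    parts += ["%s=%s" % (key, literal(value)) for key, value in meta]
    return " && ".join(parts)


def query_url(host, role, where, content_type="application/json"):
    """/sdk?msg=query returning every meta value of the matching sessions.
    Assumption: force-content-type selects JSON (application/json) or XML (text/xml)."""
    params = {"msg": "query", "query": "select * where " + where,
              "force-content-type": content_type}
    return "https://%s:%d/sdk?%s" % (host, REST_PORTS[role], urlencode(params))


def pcap_url(host, role, session_ids):
    """/sdk?msg=packets rendering the raw packets of the given sessions as pcap (assumed endpoint)."""
    params = {"msg": "packets", "sessions": ",".join(str(s) for s in session_ids),
              "render": "pcap"}
    return "https://%s:%d/sdk?%s" % (host, REST_PORTS[role], urlencode(params))


def session_ids(query_json):
    """Distinct session IDs from a query response, in first-seen order.
    Assumption: the JSON is {"fields": [{"type": <meta key>, "value": ..., "group": <session id>}, ...]}."""
    ids = []
    for field in json.loads(query_json).get("fields", []):
        sid = int(field["group"])
        if sid not in ids:
            ids.append(sid)
    return ids


def basic_auth(user, password):
    token = b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def fetch(url, user, password, timeout=300):
    # Credentials go in the header, never in the URL: URLs end up in proxy and server logs.
    # urlopen verifies the server certificate by default; add the appliance CA to the
    # trust store instead of turning verification off.
    return urlopen(Request(url, headers=basic_auth(user, password)), timeout=timeout).read()


def export_sessions(host, role, where, user, password, meta_path, pcap_path):
    """Save the meta (JSON) and the raw packets (pcap) of every session matching `where`."""
    meta = fetch(query_url(host, role, where), user, password)
    with open(meta_path, "wb") as fh:
        fh.write(meta)
    ids = session_ids(meta.decode("utf-8"))
    if ids:
        with open(pcap_path, "wb") as fh:
            fh.write(fetch(pcap_url(host, role, ids), user, password))
    return ids


# The two scenarios from the post, expressed as where clauses.
BROKER_WHERE = where_clause(datetime(2012, 12, 6, 8, 0), datetime(2012, 12, 6, 9, 0),
                            [("ip.src", "10.194.238.251"), ("alias.host", "time.vocalocity.com")])
DECODER_WHERE = where_clause(datetime(2012, 12, 10, 8, 0), datetime(2012, 12, 10, 8, 1))

# Constructed sample response (its shape is an assumption, see session_ids) for offline use.
SAMPLE_QUERY_RESPONSE = json.dumps({"fields": [
    {"type": "ip.src", "value": "10.194.238.251", "group": 1843},
    {"type": "alias.host", "value": "time.vocalocity.com", "group": 1843},
    {"type": "ip.src", "value": "10.194.238.251", "group": 1851},
]})

if __name__ == "__main__":
    print(BROKER_WHERE)
    print(query_url("concentrator.example", "concentrator", BROKER_WHERE))
    print(session_ids(SAMPLE_QUERY_RESPONSE))  # [1843, 1851]
    # Live run (hostname and account are placeholders):
    # export_sessions("concentrator.example", "concentrator", BROKER_WHERE,
    #                 "analyst", "secret", "sessions.json", "sessions.pcap")
```

For the decoder scenario call `export_sessions` with `role="decoder"` and `DECODER_WHERE`; the decoder answers both the query and the packet request itself, while on a broker the packet request is forwarded to the decoder that holds the sessions. Pass `content_type="text/xml"` to `query_url` if the meta is wanted as XML instead of JSON. Two sessions' worth of packets is small, but a one-hour window on a busy sensor can be gigabytes, so run the query first, check the session count, and narrow the where clause before requesting the pcap.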
