
How is the NetWitness meta key service populated?

Question asked by RSA Admin Employee on Apr 14, 2015
Latest reply on Apr 15, 2015 by RSA Admin

Hi,

Is there a way to figure out Encrypted Communication?

Currently I am querying on "crypto exists" to pick encrypted traffic.

But I only see sessions on >service 443, 22, 25

However if I see multiple >tcp.dstport values

Can you provide a brief intro into how service is populated?

If there is a communication src:45673 -> dst:13022 (SSH Traffic)

Does this traffic record crypto as "aes256-cbc" and service as 22?

Currently I am assuming service is just populating an alias for dstport for known services.

Please let me know if I am wrong.


Thanks,

Uma
