AnsweredAssumed Answered

How is netwitness meta key service populated?

Question asked by RSA Admin Employee on Apr 14, 2015
Latest reply on Apr 15, 2015 by RSA Admin



Is there a way to figure out Encrypted Communication?


Currently i am querying on "crypto exists" to pick encrypted traffic.

But i only see sessions on >service 443,22,25

However if i see mutiple >tcp.dstport values


Can you provide brief intro into how service is populated?

If there is a communication src:45673 -> dst:13022  (SSH Traffic)

Does this traffic records crypto as "aes256-cbc" and service is 22 ?

Currently i am assuming service is just populating alias for dstport for known services.

Please let me know if i am wrong.