How does RSA Netwitness Decoder handle SPDY or HTTP/2 traffic?
Will the decoder be able to parse the traffic into the meta keys accurately?
I have asked for this information from RSA support.
From what I have been told they are working on providing support for it in the packet decoding parsers but it isn't a huge priority due to the fact that almost all HTTP/2 traffic is opportunistically encrypted. Thus there is a limited amount of valuable metadata that could be generated outside of what the existing network parsers would generate (ip.src, ip.dst, port, etc).
I have yet to inject this data into my decoders and see what we get. I imagine Service = 0 and tcp.dstport = 443. I'd submit something to RSA support requesting it via RFE.
If you find something else out, let me know!
Retrieving data ...