Guy Bruneau

Parsing Shell Script for

Discussion created by Guy Bruneau on Aug 31, 2017

Rui Ataide posted a useful Python script to query Broker or Concentrator metadata from the command line (latest version 2016). In order to make it easier to use this Python script, I wrote a shell script to use as a simple interface that interacts with it.


Before you can run it, you need to download from and copy it on a Linux workstation (e.g. /usr/local/bin) and make it executable (chmod 755).


Next, edit the script, set the default Broker or Concentrator you want it to point to (the IP address of the system and the account you want to use to query the metadata), and save the changes.


Broker/Concentrator Configuration


The shell script has 5 options. The shell script asks 3 questions before it queries NetWitness metadata:


- What you want to query (i.e. ip.src= && service=80)

- Time range (i.e. time='2017-2-20 00:00:00'-'2017-2-21 00:00:00')

- Meta keys you want in the output (i.e. ip.src,service --top=10)


Note: Output is saved to a CSV file in comma-delimited format.




The script can also take a list (one item per line), which it parses in succession, saving the output of each item to a CSV file with the file name supplied in the list.


For the last 2 options (service 53 and 80), the meta output is already set in the script, but you can modify it to whatever output format you want.
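As an added example (not the author's wrapper or Rui Ataide's script), the POSIX sh functions below check the three answers against the formats shown above before they are handed to the Python script, and parse a batch list; the list layout `query|time range|output.csv` and all validation patterns are assumptions based on the examples in this post.

```shell
#!/bin/sh
# Added example, not the original wrapper. Validates the three answers the
# wrapper asks for before they are passed to the Python query script, and
# parses a batch list. The list layout (query|time range|output.csv) and the
# patterns below are assumptions derived from the examples in the post.

# Time range exactly as the post shows it:
# time='YYYY-M-D HH:MM:SS'-'YYYY-M-D HH:MM:SS'
valid_timerange() {
    printf '%s\n' "$1" | grep -Eq \
        "^time='[0-9]{4}-[0-9]{1,2}-[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}'-'[0-9]{4}-[0-9]{1,2}-[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}'$"
}

# Meta output: comma-separated meta keys with an optional --top=N
valid_metaout() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9_.]+(,[a-z0-9_.]+)*( --top=[0-9]+)?$'
}

# An output name taken from a batch list must be a plain .csv file name:
# no directory components, no leading dot, no unusual characters.
valid_outfile() {
    case "$1" in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *.csv) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine the query and the time range into the single where clause that
# must reach the Python script as ONE quoted argument ("$where").
build_where() {
    printf '%s && %s' "$1" "$2"
}

# Read a batch list, one entry per line; print "<where><TAB><outfile>" for
# each valid entry and skip the rest. Blank lines and # comments are ignored.
parse_list() {
    while IFS='|' read -r query timerange outfile; do
        case "$query" in ''|'#'*) continue ;; esac
        if ! valid_timerange "$timerange" || ! valid_outfile "$outfile"; then
            printf 'skipping invalid entry: %s\n' "$query" >&2
            continue
        fi
        printf '%s\t%s\n' "$(build_where "$query" "$timerange")" "$outfile"
    done < "$1"
}
```

The where clause returned by build_where contains spaces and single quotes, so it must always be expanded as "$where" when passed on; unquoted expansion would split it into several arguments.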