Is there a way to search for a specific packet size in Netwitness?
Example Packet Decoder Application Rule
Rule Name :: Low Packet Count
Rule Syntax :: packets count l-2
Note :: the above syntax uses a lower-case el "L", NOT the number one.
I recommend viewing all the metadata created from a typical session you are targeting. You may find you can leverage the following:
For Example ::
Rule Name :: EXE_Under_10K
Rule Syntax :: size = l-10000 && filetype = 'windows executable','x86 pe','x64 pe'
NetWitness is session based, not packet based. You can create application rules based on session size or packet count, but not packet size.
Thanks for the information. OK, so what is the syntax for packet count? Is it just packet.count=... or is there some other syntax?
With the latest versions of NetWitness, you can write a Lua parser that can scan the session's packets for a specific size, then create whatever meta you want. Lua parsers have a great deal more capability than our now deprecated Flex parser system. As a matter of fact, you can do some pretty sophisticated analysis with Lua parsers, including packet timing analysis.
You can also search for payload size. What threat are you interested in? Might be more than one way to skin a cat.
I am trying to find a session size of 666 bytes or a packet count of 9. Any thoughts?
You can create an app rule on the decoder:
size=666 && packets=9 then alert on alert.