Looking for some detailed answers on NwConsole:
- Error handling - using NwConsole in a script and need to implement error handling. What is the list of valid error/return codes that NwConsole can return and what do they mean? It appears that 0 is the default return value regardless of success or failure?
- Can NwConsole "track file names" like the SA UI so that we can query if a file has already been loaded?
- The NwConsole import command lists the following syntax: "import [-noSource] [collection=<collection>] [-create] [node=<node>] filename.ext". I've been able to figure out that -noSource means the sourcefile meta key isn't populated, but what do "collection", "-create" and "node" do?
- We're using a single NwConsole command to ingest each pcap file: "NwConsole -c login <decoder ip>:50004 admin <password> -c import <file>" and getting a sporadic error when running the command but only sporadically with the following output:
>login <ip>:50005 admin <password> [normal]
Sever did not return our connection id. Possible cause: SSL may be enabled. [first error message]
>import <file> [normal]
You must login first before importing packets to a Decoder." [second error message, probably a result of the first]
Thanks all!
1) NwConsole is a console app, as such it doesn't really support exit codes on command execution (such as a scripting language might do).
2) Can NwConsole determine if a pcap has already been loaded? No. You would need to use an external scripting language like bash or python for that functionality and just have them make calls to NwConsole (or preferably the RESTful interface).
3) Those extra options are meant for our workbench product so you can safely ignore them.
4) If the server does not return the connection id, then a socket to the service could not be established. This is usually a firewall issue, the service is down or you are connecting to the wrong port (in your example above, port 50005 is typically a concentrator, not a decoder and that's why it didn't connect).
If you want to detect import errors, you should use the REST interface and check the HTTP status code at the end of the import. POST to http://decoder:50104/decoder/import?filename=<pcap filename>
Make sure to properly URL encode your parameter names and values (see "Percent-encoding" on Wikipedia).
You can also optionally add an HTTP header called "X-pcap" with the name of the pcap file. Content-Type should either be "application/octet-stream" or "multipart/form-data", which is essentially what you get when you point a browser to the /decoder/import URL and use the provided form to upload a pcap.
If you don't want to track the pcap source, you can pass trackSource=false as a parameter.
HTH,
Scott
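One way to script the approach in the answer above, as an added example that is not code from the original post or from the vendor: it percent-encodes the `filename` parameter, sets the `X-pcap` and `Content-Type` headers, checks the HTTP status, and keeps its own SHA-256 ledger so a pcap is not imported twice. The function names, the JSON ledger file, treating any 2xx status as success, and the `send` hook (where authentication or TLS handling would be plugged in, since the post does not cover either) are assumptions.

```python
import hashlib
import json
import urllib.error
import urllib.parse
import urllib.request
from pathlib import Path


def build_import_request(base_url, pcap_name, payload, track_source=True):
    """Build the POST to /decoder/import with percent-encoded parameters."""
    params = {"filename": pcap_name}
    if not track_source:
        params["trackSource"] = "false"
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    headers = {"Content-Type": "application/octet-stream", "X-pcap": pcap_name}
    return urllib.request.Request(f"{base_url}/decoder/import?{query}",
                                  data=payload, headers=headers, method="POST")


def import_pcap(base_url, path, ledger_path, send=urllib.request.urlopen):
    """Upload one pcap unless its SHA-256 is already in the local ledger.
    Returns "skipped", "imported" or "failed:<detail>" for the caller to act on."""
    path, ledger_path = Path(path), Path(ledger_path)
    payload = path.read_bytes()
    digest = hashlib.sha256(payload).hexdigest()
    ledger = json.loads(ledger_path.read_text()) if ledger_path.exists() else {}
    if digest in ledger:  # same content already imported, whatever its name
        return "skipped"
    try:
        with send(build_import_request(base_url, path.name, payload)) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:  # server answered with 4xx/5xx
        return f"failed:HTTP {exc.code}"
    except urllib.error.URLError as exc:  # no socket: firewall, service down, wrong port
        return f"failed:{exc.reason}"
    if not 200 <= status < 300:  # assumption: any 2xx means the import completed
        return f"failed:HTTP {status}"
    ledger[digest] = path.name  # record only after a confirmed success
    ledger_path.write_text(json.dumps(ledger, indent=2))
    return "imported"


if __name__ == "__main__":
    # Constructed sample name; shows the encoded URL without sending anything.
    req = build_import_request("http://decoder:50104", "constructed sample #1.pcap", b"")
    print(req.get_method(), req.full_url)
```

A wrapper script can branch on the returned string instead of relying on an NwConsole exit status.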