System Packet Parsers

System Parsers

This topic lists the native parsers available in RSA Security Analytics.

Context

Packet parsers identify the application layer protocol of sessions seen by the Decoder, and extract metadata from the packet payloads of the session.

Every packet parser is able to extract meta from every session. For example, a webmail session will be parsed both by an HTTP parser, which identifies the session as HTTP and extracts meta from HTTP headers, and by a MAIL parser, which extracts email-related meta from message headers. Further, if the session were to contain an executable file, its presence would be detected by a Windows executable parser.

Packet parsers in RSA NetWitness may be broadly classified as:

  • System or Native parsers: These are compiled into the Decoder base code. Updates are delivered along with updates to RSA NetWitness. Many system parsers have Lua equivalents. In these cases, generally, the native parser may perform faster, while the Lua parser may extract more meta.
  • Lua parsers: These are written in the Lua programming language, and delivered via Live. Customers can write their own custom Lua parsers.
  • Flex parsers: These were written in a proprietary scripting language, Flex, and delivered via Live. They are now discontinued and no longer delivered in Live. Every existing Flex parser has a better Lua equivalent, and customers using NetWitness should not be using Flex parsers.

System Parsers in RSA NetWitness Platform

The following table describes the system parsers delivered with RSA NetWitness Platform.


| Name | Description |
|---------|---------------------------------------------------------|
| ALERTS | Alerts |
| DHCP | Dynamic Host Configuration Protocol |
| DNS | Domain Name Service |
| enVision | Log Decoder Service |
| FTP | File Transfer Protocol |
| GeoIP | Geographic data based on ip.src |
| GTalk | Google Talk |
| H323 | H.323 Teleconferencing Protocol |
| HTTP | Hyper Text Transport Protocol |
| HTTPS | Secure Socket Layer Protocol |
| IRC | Internet Relay Chat Protocol |
| MAIL | Standard E-Mail Format (RFC822) |
| NETBIOS | NETBIOS computer name and parser |
| NETWORK | Network Layer parser |
| NFS | Network File System |
| NNTP | Network News Transport Protocol |
| PGP | PGP blocks within network traffic parser |
| POP3 | Post Office Protocol |
| RIP | Routing Information Protocol |
| RTP | Real Time Protocol for audio/video |
| SCCP | Cisco Skinny Client Control Protocol |
| SEARCH | Searches content for keywords and/or regular expressions |
| SIP | Session Initiation Protocol |
| SMB | Server Message Block |
| SMIME | SMIME blocks within network traffic |
| SMTP | Simple Mail Transport Protocol |
| SNMP | Simple Network Management Protocol |
| SSH | Secure Shell |
| TDS | MSSQL and Sybase Database Protocol |
| TELNET | TELNET Protocol |
| TFTP | Trivial File Transfer Protocol |
| TNS | Oracle Database Protocol |
| VCARD | Extracts Full Name and E-mail information |