Does the NetWitness Suite network parser support HTTP/2?
Issue
Some HTTP packets are not parsed correctly. The View Text view in Investigation shows the HTTP request as encrypted data, as shown below.
Cause
Support for HTTP/2 Parsing was added in NetWitness 12.2:
Reference: https://community.netwitness.com/t5/netwitness-platform-online/what-s-new-in-12-2-0-0-release/ta-p/696706
Prior to that version, an HTTP/2 request appears as encrypted data, as in the example above.
Workaround
Upgrade to the latest NetWitness version and enable HTTP/2 Parsing as per this subsection from the above guide:
Visibility into HTTP/2 Sessions
You can search for metadata items derived from headers in the HTTP/2 stream to gain visibility into HTTP/2 sessions.
To turn on header parsing for HTTP/2 sessions:
- Go to ADMIN > Services, select a Decoder, and in the actions menu select View > Explore.
- Expand decoder > parsers and select config.
- In parsers.options, append HTTP2="headers=true".
- In the left panel, right-click parsers and click Properties. In the drop-down menu, select reload and then click Send.
Example parsers.options after adding the HTTP2 option:
Entropy="log2=true" GeoIP2="ipaddr=ip.src,ip.dst,ipv6.src,ipv6.dst" HTTPS="ja3=true ja3s=true cert.sha1=false" HTTP="decompress=65" NETWORK="community.id.generate=False" HTTP2="headers=true"
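The parsers.options value is a single line of NAME="option=value option=value" entries, and a typo there (a missing quote, or a second HTTP2 entry) is easy to make in the Explore view. The following is an added example, not NetWitness code: it parses a parsers.options string in the format shown above, reports whether HTTP/2 header parsing is on, and appends or updates the HTTP2 entry without touching the other parsers. The sample string is constructed from the article's example; the script only manipulates the text, it does not talk to a Decoder.

```python
import re
from typing import Dict, Optional

# Constructed sample: the article's parsers.options line before HTTP2 was added.
SAMPLE_OPTIONS = (
    'Entropy="log2=true" GeoIP2="ipaddr=ip.src,ip.dst,ipv6.src,ipv6.dst" '
    'HTTPS="ja3=true ja3s=true cert.sha1=false" HTTP="decompress=65" '
    'NETWORK="community.id.generate=False"'
)

# One entry per parser: NAME="..." (the quoted body holds space-separated options).
# Values such as the GeoIP2 address list contain commas, so only the outer
# NAME="..." pairs are split here; the body is split on whitespace afterwards.
_ENTRY_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_options(options: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Parse a parsers.options string into {parser: {option: value}}.

    A bare token with no '=' is kept with value None so it round-trips unchanged.
    Insertion order is preserved, so re-serialising keeps the original layout.
    """
    parsed: Dict[str, Dict[str, Optional[str]]] = {}
    for name, body in _ENTRY_RE.findall(options):
        opts: Dict[str, Optional[str]] = {}
        for token in body.split():
            key, sep, value = token.partition("=")
            opts[key] = value if sep else None
        parsed[name] = opts
    return parsed


def serialize_options(parsed: Dict[str, Dict[str, Optional[str]]]) -> str:
    """Inverse of parse_options: rebuild the NAME="k=v k=v" line."""
    entries = []
    for name, opts in parsed.items():
        body = " ".join(k if v is None else f"{k}={v}" for k, v in opts.items())
        entries.append(f'{name}="{body}"')
    return " ".join(entries)


def http2_headers_enabled(options: str) -> bool:
    """True when the HTTP2 parser has headers=true set."""
    value = parse_options(options).get("HTTP2", {}).get("headers") or ""
    return value.lower() == "true"


def enable_http2_headers(options: str) -> str:
    """Return options with HTTP2="headers=true" present.

    Idempotent: an existing HTTP2 entry is updated in place rather than
    duplicated, and every other parser's options are left untouched.
    """
    parsed = parse_options(options)
    parsed.setdefault("HTTP2", {})["headers"] = "true"
    return serialize_options(parsed)


if __name__ == "__main__":
    print("before:", http2_headers_enabled(SAMPLE_OPTIONS))
    updated = enable_http2_headers(SAMPLE_OPTIONS)
    print("after: ", http2_headers_enabled(updated))
    print(updated)
```

Running the script prints the corrected line, which can then be pasted into parsers.options in Explore before reloading the parsers as described in the steps above. Because the rewrite goes through parse and serialise, running it a second time on the already-updated string returns the same string.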
Resolution
Ensure NetWitness is upgraded to the latest version (at least 12.2 for HTTP/2 support) and enable HTTP/2 support as per this guide:
https://community.netwitness.com/s/article/HTTPParsers
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Network Decoder
NetWitness Version/Condition: 12.x
Platform: CentOS/AlmaLinux