How to export a PCAP for non-indexed sessions in RSA Security Analytics

Tasks

This article demonstrates how to retrieve session IDs for non-indexed sessions and export a PCAP for those IDs in RSA Security Analytics.

To perform this procedure, follow the steps below.
  1. Access the REST interface for the concentrator using the following URL: http:// :50105
  2. Click on the asterisk (*) next to sdk.
  3. Run a query and select a non-indexed meta key (e.g. tcp.srcport) with a where clause on time. This returns the meta ID ranges for that meta key.

         Example:
         Select "query" in Properties for /sdk.
         Parameters : query="select tcp.srcport where=time='2014-Jan-01 00:00:00'-'2014-Aug-01 00:00:00'"

         Output:
         id1=13 id2=13 count=0 format=4 value=56530 type=tcp.srcport flags=0 group=1
         id1=63 id2=63 count=0 format=4 value=56530 type=tcp.srcport flags=0 group=2
         id1=113 id2=113 count=0 format=4 value=56530 type=tcp.srcport flags=0 group=3
  4. Use the meta ID range (id1 and id2) from the result above and run an SDK values query with the fieldName=sessionid parameter, which returns the session ID for that meta.

         Example:
         Select "values" in Properties for /sdk.
         Parameters : id1=113 id2=113 fieldName=sessionid size=1000

         Output:
         id1=3 id2=3 count=1 format=8 value=3 type=sessionid flags=0 group=0
         In the output above, value=3 is the sessionid value that can be used in an sdk packets call.
  5. Export the PCAP using the sessionid retrieved in step 4 by navigating to the following URL: http:// :50105/sdk/packets
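The following script automates steps 3 to 5 above. It is an added example, not code from the RSA article or from RSA: it parses the key=value output lines of the sdk query and values calls exactly as the article shows them, walks every returned meta ID range to collect session IDs, and then requests the packets for those sessions. The concentrator host name (CONCENTRATOR_HOST), the msg= form of the REST calls, and the sessions/render parameters of /sdk/packets are assumptions of this example; the two sample outputs are constructed copies of the article's examples so the script runs offline against a fake transport.

```python
import re
from urllib.parse import urlencode
from urllib.request import urlopen

# Placeholder (assumed, not from the article): point this at your concentrator.
CONCENTRATOR = "http://CONCENTRATOR_HOST:50105"

# Constructed sample outputs, shaped like the article's step 3 and step 4 results.
SAMPLE_QUERY_OUTPUT = """\
id1=13 id2=13 count=0 format=4 value=56530 type=tcp.srcport flags=0 group=1
id1=63 id2=63 count=0 format=4 value=56530 type=tcp.srcport flags=0 group=2
id1=113 id2=113 count=0 format=4 value=56530 type=tcp.srcport flags=0 group=3
"""
SAMPLE_VALUES_OUTPUT = "id1=3 id2=3 count=1 format=8 value=3 type=sessionid flags=0 group=0\n"

# One 'key=value' token; values such as tcp.srcport contain dots, so match non-space.
KV_RE = re.compile(r"([A-Za-z][\w.]*)=(\S+)")


def parse_kv_lines(text):
    """Turn 'key=value key=value ...' lines into a list of dicts (blank lines skipped)."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def meta_id_ranges(query_output):
    """Step 3: the (id1, id2) meta ID ranges returned by an sdk query on a non-indexed key."""
    return [(int(r["id1"]), int(r["id2"]))
            for r in parse_kv_lines(query_output) if "id1" in r and "id2" in r]


def session_ids(values_output):
    """Step 4: sessionid values from an sdk values call run with fieldName=sessionid."""
    return sorted({int(r["value"]) for r in parse_kv_lines(values_output)
                   if r.get("type") == "sessionid"})


def time_window_query(meta_key, start, end):
    """Build the step 3 query string for a meta key and a time window."""
    return f"select {meta_key} where=time='{start}'-'{end}'"


def export_pcap_for_meta(fetch, meta_key, start, end, size=1000):
    """Run steps 3-5 end to end. fetch(path, params) does an HTTP GET and returns bytes.
    Returns (sorted session IDs, pcap bytes); an empty result if no session matched."""
    query_text = fetch("/sdk", {"msg": "query",
                                "query": time_window_query(meta_key, start, end)}).decode()
    found = set()
    for id1, id2 in meta_id_ranges(query_text):
        values_text = fetch("/sdk", {"msg": "values", "id1": id1, "id2": id2,
                                     "fieldName": "sessionid", "size": size}).decode()
        found.update(session_ids(values_text))
    if not found:
        return [], b""
    sessions = sorted(found)
    # Assumed parameter names for the packets call (not stated in the article).
    pcap = fetch("/sdk/packets", {"sessions": ",".join(map(str, sessions)), "render": "pcap"})
    return sessions, pcap


def http_fetch(path, params):
    """Real transport against CONCENTRATOR (add authentication as your deployment requires)."""
    with urlopen(f"{CONCENTRATOR}{path}?{urlencode(params)}") as resp:
        return resp.read()


def fake_fetch(path, params):
    """Offline stand-in for http_fetch that replays the constructed sample outputs."""
    if path == "/sdk" and params.get("msg") == "query":
        return SAMPLE_QUERY_OUTPUT.encode()
    if path == "/sdk" and params.get("msg") == "values":
        # In the constructed data only the 113-113 range maps to a session.
        return SAMPLE_VALUES_OUTPUT.encode() if params["id1"] == 113 else b""
    if path == "/sdk/packets":
        return b"\xd4\xc3\xb2\xa1" + b"\x00" * 20  # constructed: pcap magic plus zeroed header
    raise ValueError(f"unexpected path {path}")


if __name__ == "__main__":
    sessions, pcap = export_pcap_for_meta(fake_fetch, "tcp.srcport",
                                          "2014-Jan-01 00:00:00", "2014-Aug-01 00:00:00")
    print("sessions:", sessions, "pcap bytes:", len(pcap))
```

Swap fake_fetch for http_fetch to run it against a concentrator; the parsing and the range walk stay the same, and because the values call is made once per meta ID range, a query that returns many ranges for a wide time window will issue many requests, so narrow the where clause before exporting.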

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Concentrator
RSA Version/Condition: 10.3.x, 10.4.x
Platform: CentOS
