
How to find the RSA NetWitness database files on decoders and concentrators that contain a particular session

Issue

How to find the RSA NetWitness database files on brokers, concentrators, and decoders that contain a particular session.


Resolution

The instructions below outline how you can find the database files containing a particular RSA NetWitness Session in concentrator and decoder appliances.  In the examples below, assume that RSA NetWitness Investigator is connected to a broker which connects to concentrator(s) and decoder(s), and that a session with SessionID = 2171347267 is seen in the session content view.

( NOTE:  If the session you wish to locate is found while performing investigations on the concentrator directly, Task 1 below may be skipped. )

Task 1:  Find which concentrator stored the session and the concentrator's corresponding Session ID.

  1. Navigate to the Explore view of the broker against which the investigation took place in the RSA NetWitness UI. This can be done by navigating to Admin/Administration > Services > broker > View > Explore.
  2. Right-click on the sdk node and select Properties.
  3. In the lower pane, select deviceId from the drop-down menu.
  4. In the Parameters field, type session=<Session ID>, where <Session ID> is the Session ID that you wish to locate. In this example, session=2171347267 would be entered.
  5. Click on the Send button.
  6. Examine the Response Output window for output that appears similar to the following:
         [device: 10.25.53.21:50005
         session: 431421651 ]

The output gives the IP address and native port of the concentrator that holds the session (10.25.53.21:50005 in this example) and that concentrator's own Session ID for it (431421651), which is the ID to use in Task 2 and Task 3.

Task 2:  Find the session and meta database files for a particular session on the concentrator appliance.

  1. Navigate to the Explore view of the concentrator identified in Task 1 in the RSA NetWitness UI. This can be done by navigating to Admin/Administration > Services > concentrator > View > Explore.
  2. Right-click on the database node and select Properties.
  3. In the lower pane, select dump from the drop-down menu.
  4. In the Parameters field, type session=<Session ID> type=db, where <Session ID> is the Session ID you wish to locate.  In this example, session=431421651 type=db would be entered.
  5. Click on the Send button.
  6. Examine the Response Output window for output that appears similar to the following: 
    [ SessionData=1
         dbFile=/var/netwitness/concentrator/sessiondb/session-000000161.nwsdb ]
         [ session.id=431421651 appType=0 created="12/31/1969 19:00:00" dataSize=19142
         payloadSize=16610 metaId1=12483613159 metaId2=12483613256 packetId1=0 packetId2=0
         packetCount=38 flags=keep,assemble,appmeta,netmeta,parsed,2sided,side1client, ]
         [ MetaArray=98 dbFile=/var/netwitness/concentrator/metadb/meta-000000304.nwmdb ]
         .....
    The output above gives:
  • The filename of the sessiondb file on the concentrator. In this example, the filename is /var/netwitness/concentrator/sessiondb/session-000000161.nwsdb.
  • The filename of the metadb file on the concentrator. In this example, the filename is /var/netwitness/concentrator/metadb/meta-000000304.nwmdb.

Task 3:  Find which decoder stored the session and the decoder's corresponding Session ID.

  1. Navigate to the Explore view of the concentrator against which the investigation took place in the RSA NetWitness UI. This can be done by navigating to Admin/Administration > Services > concentrator > View > Explore. 
  2. Right-click on the sdk node and select Properties.
  3. In the lower pane, select deviceId from the drop-down menu.
  4. In the Parameters field, type session=<Session ID>, where <Session ID> is the Session ID you wish to locate. In this example, session=431421651 would be entered, which is the same Session ID that was entered during Task 2.
  5. Click on the Send button.
  6. Examine the Response Output window for output that appears similar to the following:
         [device: 10.25.53.13:50004
         session: 107235453 ]

The output gives the IP address and native port of the decoder that captured the session (10.25.53.13:50004 in this example) and that decoder's own Session ID for it (107235453), which is the ID to use in Task 4.

Task 4:  Look up the session and meta database files for a particular session on the decoder appliance.

  1. Navigate to the Explore view of the decoder identified in Task 3.  This can be done by navigating to Admin/Administration > Services > decoder > View > Explore.
  2. Right-click on the database node and select Properties.
  3. In the lower pane, select dump from the drop-down menu.
  4. In the Parameters field, type session=<Session ID> type=db, where <Session ID> is the Session ID you wish to locate.  In this example, session=107235453 type=db would be entered.
  5. Click on the Send button.
  6. Examine the Response Output window for output that appears similar to the following: 
    [ SessionData=1 dbFile=/var/netwitness/decoder/sessiondb/session-000000055.nwsdb ]
         [ session.id=107235453 appType=0 created="8/02/2012 16:10:40" updated="8/02/2012 16:10:41"
         packetSize=19142 payloadSize=16610 metaId1=2992639921 metaId2=2992640016 packetId1=14950963933
         packetId2=14950977483 packetCount=38 flags=keep,assemble,appmeta,netmeta,parsed,2sided,side1client, ]
         [ MetaArray=96 dbFile=/var/netwitness/decoder/metadb/meta-000000085.nwmdb ]
         .....
         [ PacketArray=38 dbFile=/var/netwitness/decoder0/packetdb/packet-000001963.nwpdb ]
         .....
     The output above gives:
  • The filename of the sessiondb file on the decoder.  In this example, the filename is /var/netwitness/decoder/sessiondb/session-000000055.nwsdb.
  • The filename of the metadb file on the decoder.  In this example, the filename is /var/netwitness/decoder/metadb/meta-000000085.nwmdb.
  • The filename of the packetdb file on the decoder.  In this example, the filename is /var/netwitness/decoder0/packetdb/packet-000001963.nwpdb.
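Tasks 1 through 4 are the same two messages (sdk deviceId, then database dump) repeated one hop upstream at a time, so they can be scripted. The Python below is an added example written for this article, not RSA code or output: it parses the deviceId and dump responses shown above, classifies the dbFile paths by the extensions listed in the Notes table, and walks broker > concentrator > decoder until it reaches the service that holds a packetdb file. It assumes (the article does not state this) that each Core service answers the same Explore-view messages over its REST listener at native port + 100 as https://<host>:<port>/<node>?msg=<message>&<param>=<value>, and that the caller supplies any authentication inside the `fetch` callable. The broker address 10.25.53.10 is an assumption, and the fixture responses are constructed from the article's sample output (long session lines shortened) so the walk runs offline.

```python
import os
import re
from urllib.parse import urlencode

# Database file extensions per service, taken from the article's Notes table.
DB_EXTENSIONS = {".nwsdb": "sessiondb", ".nwmdb": "metadb", ".nwpdb": "packetdb"}

# ASSUMPTION (not stated in the article): a Core service's REST listener is its
# native port + 100 (decoder 50004 -> 50104, concentrator 50005 -> 50105, broker
# 50003 -> 50103), and an Explore-view "node > Properties > message" maps to
# https://<host>:<rest-port>/<node>?msg=<message>&<param>=<value>.
REST_PORT_OFFSET = 100

_DEVICE_RE = re.compile(r"device:\s*(?P<host>[^:\s\]]+):(?P<port>\d+)\s+session:\s*(?P<session>\d+)")
_SESSION_RE = re.compile(r"session\.id=(\d+)")
_DBFILE_RE = re.compile(r"dbFile=(\S+)")


def rest_url(host, native_port, node, msg, scheme="https", **params):
    """REST equivalent of sending <msg> with <params> to <node> in the Explore view."""
    return f"{scheme}://{host}:{native_port + REST_PORT_OFFSET}/{node}?{urlencode({'msg': msg, **params})}"


def parse_device_id(text):
    """Parse an sdk deviceId response, '[device: <ip>:<port> session: <id> ]'."""
    m = _DEVICE_RE.search(text)
    if not m:
        raise ValueError(f"no device/session pair in deviceId response: {text!r}")
    return {"host": m["host"], "native_port": int(m["port"]), "session": int(m["session"])}


def parse_dump(text):
    """Parse a database dump response into the local session.id and {db type: [paths]}.

    Files are classified by extension rather than directory, so a path such as
    /var/netwitness/decoder0/packetdb/... still lands under packetdb.
    """
    m = _SESSION_RE.search(text)
    files = {}
    for path in _DBFILE_RE.findall(text):
        kind = DB_EXTENSIONS.get(os.path.splitext(path)[1], "unknown")
        files.setdefault(kind, []).append(path)
    return {"session": int(m.group(1)) if m else None, "files": files}


def locate_session_files(host, native_port, session_id, fetch, max_hops=4):
    """Tasks 1-4 in a loop: ask a service where it got the session, dump the upstream.

    fetch(url) -> str does the HTTP GET with whatever credentials the deployment
    needs; it is injected so the walk can run offline against captured responses.
    Stops at the service whose dump lists a packetdb file (the decoder), or after
    max_hops so a misconfigured aggregation chain cannot loop forever.
    """
    hops = []
    for _ in range(max_hops):
        upstream = parse_device_id(fetch(rest_url(host, native_port, "sdk", "deviceId", session=session_id)))
        dump = parse_dump(fetch(rest_url(upstream["host"], upstream["native_port"], "database", "dump",
                                         session=upstream["session"], type="db")))
        # Each service keeps its own Session ID; the dump must echo the one deviceId gave us.
        if dump["session"] is not None and dump["session"] != upstream["session"]:
            raise ValueError("dump session.id does not match the id deviceId reported")
        hops.append({**upstream, "files": dump["files"]})
        if "packetdb" in dump["files"]:
            break
        host, native_port, session_id = upstream["host"], upstream["native_port"], upstream["session"]
    return hops


# Constructed offline fixtures transcribed (with the long session lines shortened)
# from the responses shown in Tasks 1-4. The broker address 10.25.53.10 is an
# assumption; the article does not give it.
SAMPLE_RESPONSES = {
    rest_url("10.25.53.10", 50003, "sdk", "deviceId", session=2171347267):
        "[device: 10.25.53.21:50005\n         session: 431421651 ]",
    rest_url("10.25.53.21", 50005, "database", "dump", session=431421651, type="db"):
        "[ SessionData=1\n dbFile=/var/netwitness/concentrator/sessiondb/session-000000161.nwsdb ]\n"
        "[ session.id=431421651 appType=0 dataSize=19142 payloadSize=16610 packetCount=38 ]\n"
        "[ MetaArray=98 dbFile=/var/netwitness/concentrator/metadb/meta-000000304.nwmdb ]",
    rest_url("10.25.53.21", 50005, "sdk", "deviceId", session=431421651):
        "[device: 10.25.53.13:50004\n         session: 107235453 ]",
    rest_url("10.25.53.13", 50004, "database", "dump", session=107235453, type="db"):
        "[ SessionData=1 dbFile=/var/netwitness/decoder/sessiondb/session-000000055.nwsdb ]\n"
        "[ session.id=107235453 appType=0 packetSize=19142 payloadSize=16610 packetCount=38 ]\n"
        "[ MetaArray=96 dbFile=/var/netwitness/decoder/metadb/meta-000000085.nwmdb ]\n"
        "[ PacketArray=38 dbFile=/var/netwitness/decoder0/packetdb/packet-000001963.nwpdb ]",
}

if __name__ == "__main__":
    for hop in locate_session_files("10.25.53.10", 50003, 2171347267, SAMPLE_RESPONSES.__getitem__):
        print(f"{hop['host']}:{hop['native_port']}  session={hop['session']}")
        for kind, paths in sorted(hop["files"].items()):
            for path in paths:
                print(f"    {kind:<10} {path}")
```

Against a live deployment, replace `SAMPLE_RESPONSES.__getitem__` with a function that performs the GET (for example with `requests.get(url, auth=(user, password), verify=ca_bundle).text`) using an account limited to read-only sdk and database messages; the URL builder is the one place to adjust if the REST port or message syntax differs from the assumption above.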

Notes

The table below lists the database files each appliance holds and their file extensions.

  Appliance               Database     Extension
  ---------------------   ----------   ---------
  Decoder / Log Decoder   packetdb     .nwpdb
                          metadb       .nwmdb
                          sessiondb    .nwsdb
  Concentrator            metadb       .nwmdb
                          sessiondb    .nwsdb

NOTE:  For any given session, the decoder, concentrator, and broker maintain their own Session IDs, which may be different.

If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.


Internal Comments

UserName:hawkir
10/2/2012 2:47:27 PM - Finding the NextGen database files on Decoders & Concentrators containing a particular Session
Solution 634

UserName:shurtj
7/14/2014 3:47:34 PM - Updated Article
Modified statements to standardize formatting and to adhere to Primus best practices. Corrected grammatical and spelling errors. Updated the article to be relevant to RSA Security Analytics.

Meghana Arvind -- 7 Aug 2019
Changed:
  • Changed fonts of file names / node names / parameters / IP addresses to Courier New
  • Changed colors of errors to red
  • Added code blocks where necessary
  • Title - changed it 
    • from: "How to find the RSA NetWitness NextGen database files on decoders and concentrators that contain a particular session"
    • to: "How to find the RSA NetWitness database files on decoders and concentrators that contain a particular session"
  • Applies To - changed it:
    • from: 
      • RSA NetWitness NextGen
      • RSA NetWitness Decoder
      • RSA NetWitness Log Decoder
      • RSA NetWitness Concentrator
      • RSA NetWitness Broker
      • RSA NetWitness Administrator
      • RSA Security Analytics
    • to: 
      • RSA Product Set: Security Analytics, NetWitness Logs & Network
      • RSA Product/Service Type: NetWitness UI
      • RSA Version/Condition: 10.x, 11.x
      • Platform: CentOS
      • O/S Version: 6, 7
  • Resolution - changed it
    • from: "Navigate to the Explore view of the broker against which the investigation took place in RSA NetWitness Administrator.  This can be done by right-clicking on the appliance and selecting Explorer."
      • to: "Navigate to the Explore view of the broker against which the investigation took place in the RSA NetWitness UI. This can be done by navigating to Admin/Administration > Services > broker > View > Explore."
    • from: "Navigate to the Explore view of the concentrator identified in the previous section.  This can be done by right-clicking on the appliance and selecting Explorer."
      • to: "Navigate to the Explore view of the concentrator identified in Task 1 in the RSA NetWitness UI. This can be done by navigating to Admin/Administration > Services > concentrator > View > Explore."
    • from: "The information dsiplayed from the steps above will provide the following information:"
      • to: "The information displayed from the steps above will provide the following information:"
    • from: "Task 3:  Look up which decoder stored the session annd the decoder's corresponding Session ID."
      • to: "Task 3: Find which decoder stored the session and the decoder's corresponding Session ID."
    • from: "1. Navigate to the Explore view of the concentrator against which the investigation took place in RSA NetWitness Administrator.  This can be done by right-clicking on the appliance and selecting Explorer."
      • to: "1. Navigate to the Explore view of the concentrator against which the investigation took place in the RSA NetWitness UI. This can be done by navigating to Admin/Administration > Services > concentrator > View > Explore. "
  • Notes:
    • Removed "The steps above may also be performed in the RSA Security Analytics UI by navigating to the Explore view for the appropriate appliances, following the steps below.
      • In the Security Analytics UI, navigate to Administration -> Devices.
      • Select the appropriate device and click on View -> Explore."
    • Added "If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you."

Product Details

RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: NetWitness UI
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: 6, 7

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue