Information Needed for Packet Parsing Issues in RSA NetWitness Platform
Tasks
Please provide the following information when reporting packet parsing issues in RSA NetWitness Platform:
- The version of RSA NetWitness you are running.
- Verify that you are running the latest version of the parser(s) in question:
- Navigate to the "parsers" directory through an SSH session of the Packet Decoder(s) in question and list its contents; the listing shows the modification date of each parser file:
# cd /etc/netwitness/ng/parsers
# ll
- Navigate to RSA Live to find the parser(s) in question, using Steps 1-2 in either of the links below:
- In either case, once you have found a parser, double click the parser search result. It will display a date and time in the "updated" field, which is when the latest version of the parser was released to RSA Live.
- Check that the date of the parser file in question in /etc/netwitness/ng/parsers is equal to or after the date on which the parser was last updated in RSA Live.
- If the date of a parser file in question is prior to the date on which the parser was last updated in RSA Live, you will need to deploy the latest version of the parser in question: How to update a parser using RSA Live in RSA NetWitness
- Note: Perform a parser reload for every Packet Decoder on which a parser was deployed for the changes to take effect. The parser reload instructions can be found here: How to reload parsers on a Decoder or Log Decoder via the RSA Security Analytics UI
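As an added illustration of the date check described in the steps above (this helper is not part of the original article or the NetWitness product), the following POSIX shell function lists parser files in a directory whose modification time is not newer than the "updated" date shown in RSA Live, so that stale parsers can be spotted in one pass instead of reading the `ll` output by hand. It assumes GNU find (present on CentOS 6 and 7) and that parser files carry the .parser or .lua extension; the demo function builds a constructed temporary directory rather than touching /etc/netwitness/ng/parsers.

```shell
#!/bin/sh
# find_stale_parsers DIR CUTOFF
#   DIR    - parser directory, e.g. /etc/netwitness/ng/parsers
#   CUTOFF - the "updated" date shown for the parser in RSA Live, as YYYY-MM-DD
# Prints "<mtime> <path>" for every parser file whose mtime is NOT newer than
# CUTOFF, i.e. the files that should be redeployed from RSA Live.
# Assumption: GNU find (-newermt / -printf) and .parser/.lua file extensions.
find_stale_parsers() {
  dir="$1"
  cutoff="$2"
  find "$dir" -maxdepth 1 -type f \( -name '*.parser' -o -name '*.lua' \) \
       ! -newermt "$cutoff" -printf '%TY-%Tm-%Td %p\n' | sort
}

# Constructed demonstration (not real NetWitness parsers): one file dated before
# the cutoff and one after. Only the older one should be reported.
demo_stale_parsers() {
  tmp=$(mktemp -d)
  touch -d '2019-01-15' "$tmp/example_old.parser"
  touch -d '2019-04-20' "$tmp/example_new.lua"
  result=$(find_stale_parsers "$tmp" '2019-03-01' | sed "s|$tmp/||")
  rm -rf "$tmp"
  printf '%s\n' "$result"
}

# Real usage on a Packet Decoder would be:
#   find_stale_parsers /etc/netwitness/ng/parsers 2019-03-01
demo_stale_parsers
```

Any file the function prints predates the RSA Live release date and should be redeployed, followed by a parser reload on that Decoder.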
- A list of all parsers that are enabled on the Packet Decoder(s) in question:
- Navigate to the "Parsers Configuration" view in the UI as shown above and make a list of every parser that has a "Config Value" of "Enabled".
- Screenshots from the "Event Reconstruction" view of the logs in question displaying the issue
- An export of the pcaps in question - for more information on how to export events, review the following: Investigate: Export Events in the Events View
- The pcaps can be uploaded directly into the case, the RSA SFTP site, or you can request a temporary FTP link from Support.
Notes
If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness UI, Packet Decoder, RSA Live
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: 6, 7
Summary
Please provide the following information when reporting packet parsing issues in RSA NetWitness Platform.