Possible missing packets at the beginning of a search in RSA NetWitness Platform
Issue
Why would you not see all packets that are captured within the time frame being searched, but then see them after searching a few minutes earlier?

View of the beginning time frame from 10:00 to 10:10 AM; notice that the 10:02 AM packets are not there:
View of additional packets from 10:00 AM to 10:10 AM in the time frame from 9:45 AM to 10:10 AM:
Resolution
The reason for this is that RSA NetWitness Platform tracks time by sessions, not by packets. The data is collected and the packets are there, but the search is based on the session start time. Therefore, if packets belong to a session that started before the beginning of the searched time frame, those packets may not appear in the investigation.

The Decoder uses the session key (consisting of the ip.src, ip.dst, and port fields) to identify which packets are part of the same session. If you see the same consecutive port in an earlier-captured packet, that packet is part of an earlier session.
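As an added illustration (not part of the RSA article), a small Python model of the behaviour described above: packets are grouped into sessions by the (ip.src, ip.dst, port) key, the session time is the first packet's time, and a search keyed on session start hides the 10:02 AM packet in a 10:00 to 10:10 search but returns it once the window starts at 9:45. The addresses and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

def T(hm):
    """Helper: 'HH:MM' on a fixed constructed day."""
    return datetime(2020, 1, 1, int(hm[:2]), int(hm[3:]))

# Constructed sample capture: (timestamp, ip.src, ip.dst, port). Not NetWitness data.
PACKETS = [
    (T("09:58"), "10.0.0.5", "192.0.2.10", 443),  # session A starts before the window
    (T("10:02"), "10.0.0.5", "192.0.2.10", 443),  # same session A, inside the window
    (T("10:03"), "10.0.0.7", "192.0.2.20", 80),   # session B starts inside the window
    (T("10:06"), "10.0.0.7", "192.0.2.20", 80),
]

def sessionize(packets):
    """Group packets by session key (ip.src, ip.dst, port).
    Returns {key: (session_start, sorted packet timestamps)}; the session
    time is the time of the first packet seen for that key."""
    by_key = defaultdict(list)
    for ts, src, dst, port in packets:
        by_key[(src, dst, port)].append(ts)
    return {key: (min(times), sorted(times)) for key, times in by_key.items()}

def search_by_session(sessions, start, end):
    """Investigation view: packets of every session whose START falls in [start, end).
    A session that began before 'start' contributes no packets, even those
    captured inside the window."""
    hits = []
    for key, (first, times) in sessions.items():
        if start <= first < end:
            hits.extend((ts, key) for ts in times)
    return sorted(hits)

def search_by_packet(packets, start, end):
    """What an analyst might expect instead: filter on each packet's own timestamp."""
    return sorted((ts, (s, d, p)) for ts, s, d, p in packets if start <= ts < end)

if __name__ == "__main__":
    sessions = sessionize(PACKETS)
    for lo, hi in (("10:00", "10:10"), ("09:45", "10:10")):
        shown = [ts.strftime("%H:%M") for ts, _ in search_by_session(sessions, T(lo), T(hi))]
        print(f"search {lo}-{hi} by session start -> packets at {shown}")
```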
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.x
Summary
Explains why, in some instances, packets are only found by searching a few minutes earlier than the beginning of the intended time range.