The meaning of the Meta key Medium in NetWitness Platform
Resolution
- Sessions in NetWitness can be created by various means, such as packets ingested by a Packet Decoder, logs ingested by a Log Decoder, sessions created due to correlation rule matches, etc.
- The medium meta key of a session indicates the session type (packets, logs, correlation, etc.). For example, if a session is created by a Packet Decoder after ingesting an Ethernet packet, the medium meta key value is set to 1. If a session is created by a Log Decoder after ingesting a log, the medium meta key value is set to 32. If a session is created by the correlation engine because a session matched a correlation rule, the medium meta key value is set to 33.
- The interpretation of each integer for the meta key can be found in the /etc/netwitness/ng/index-concentrator.xml file on concentrator appliances. They are also provided in the table below.
Notes
The table below shows the relation between the medium meta key integers and the session types.

| Integer | Session Type |
|---------|--------------|
| 1 | Ethernet |
| 2 | Tokenring |
| 3 | FDDI |
| 4 | HDLC |
| 5 | NetWitness |
| 6 | 802.11 |
| 7 | 802.11 Radio |
| 8 | 802.11 AVS |
| 9 | 802.11 PPI |
| 10 | 802.11 PRISM |
| 11 | 802.11 Management |
| 12 | 802.11 Control |
| 13 | DLT Raw |
| 32 | Logs |
| 33 | Correlation |
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: NetWitness UI, Reporting Engine, Concentrator
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS 7 / Alma