2014-11-26 02:05 PM
Dear all,
When investigating events, I would like to access the entire content of a file downloaded by a user (e.g., a PDF file). This works well when users download the data through a single TCP session (e.g., using wget) or when the files are small. However, for large files (e.g., 8MB), browsers like Firefox have embedded PDF viewers that download large files in smaller chunks using multiple TCP connections. In the RSA NetWitness concentrator, they appear as multiple sessions (see below) and I cannot find a way to reconstruct the entire file. However, if I manually download and concatenate all the pieces, I am able to reconstruct the entire file. Is there a way for NetWitness (version 10.3) to do this automatically? I imagine this feature must exist because download managers and browsers usually use multiple TCP connections to download large content.
Thank you!
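
The manual concatenation described in the post, as an added example that is not part of the original post and not a NetWitness feature. It assumes the chunks are HTTP 206 responses carrying a `Content-Range` header (the post does not say how the chunks are requested) and that each session's response body has already been exported; `parse_content_range` and `reassemble` are hypothetical names.

```python
import re

# Content-Range value, e.g. "bytes 0-65535/8388608" (total may be "*").
CONTENT_RANGE = re.compile(r"bytes (\d+)-(\d+)/(\d+|\*)")

def parse_content_range(value):
    """Return (first, last, total) from a Content-Range header value."""
    m = CONTENT_RANGE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"unsupported Content-Range: {value!r}")
    first, last = int(m.group(1)), int(m.group(2))
    total = None if m.group(3) == "*" else int(m.group(3))
    if last < first or (total is not None and last >= total):
        raise ValueError(f"inconsistent Content-Range: {value!r}")
    return first, last, total

def reassemble(parts):
    """parts: (content_range_value, body_bytes) pairs, one per exported session,
    in any order. Returns (data, missing); missing lists inclusive byte gaps."""
    total, chunks = None, []
    for header, body in parts:
        first, last, size = parse_content_range(header)
        if len(body) != last - first + 1:
            raise ValueError(f"body length does not match range {header!r}")
        if size is not None and total not in (None, size):
            raise ValueError("sessions disagree on total size; different objects?")
        total = size if size is not None else total
        chunks.append((first, body))
    if total is None:
        raise ValueError("no session reported the total size")
    data, seen = bytearray(total), bytearray(total)  # seen[i] == 1 once filled
    for first, body in chunks:
        if first + len(body) > total:
            raise ValueError("chunk extends past the reported total size")
        data[first:first + len(body)] = body
        seen[first:first + len(body)] = b"\x01" * len(body)
    missing, pos = [], seen.find(0)
    while pos != -1:  # walk the coverage map and record every uncovered run
        nxt = seen.find(1, pos)
        missing.append((pos, (total if nxt == -1 else nxt) - 1))
        pos = -1 if nxt == -1 else seen.find(0, nxt)
    return bytes(data), missing

if __name__ == "__main__":
    original = b"%PDF-1.4 constructed sample " + bytes(range(256)) * 8  # constructed
    n = len(original)
    parts = [(f"bytes {o}-{min(o + 512, n) - 1}/{n}", original[o:o + 512])
             for o in (1024, 0, 1536, 512, 2048)]  # sessions seen out of order
    data, missing = reassemble(parts)
    print(data == original, missing)
```

A non-empty `missing` list means at least one session carrying part of the file was not captured or not exported, so the reconstructed file should not be treated as complete evidence.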