2018-05-18 04:42 AM
Does anyone know whether NetWitness Investigator 10.6.1 using the freeware license supports the BitTorrent parser?
2018-05-18 05:40 AM
It should. Don’t see a reason why it wouldn’t. If you have access to Live, you can get any and all parsers and bring them into Investigator.
If you don’t have access from the Investigator system, you could download the parser and add it to the directory C:\ProgramData\Netwitness\ng\Parsers
Since the parser is likely encrypted, it will have a .luax extension. You would also need the luaxtoken file. You can create a resource package.
This is mainly just a formatted zip file.
I placed the two bittorrent files into the C:\ProgramData\Netwitness\ng\parsers directory and then closed and restarted the Investigator client. I then reprocessed a pcap I already had in the client.
As you can see, the bittorrent.luax file is there, but the luaxtoken is not. It had been processed and removed. When I check the Investigator log, I can see the bittorrent_lua parser loaded by the client.
I did not have any bittorrent traffic to test against, but it would seem likely to parse since the parser is loaded.
I hope this is helpful…
Chris Ahearn
RSA | Principal Consultant | Incident Response
2018-05-25 10:49 AM
Chris, thanks but unfortunately I don't have access to Live so I am unable to download the parser.
Kind regards,
Chris
2018-05-25 03:51 PM
Chris,
Please email me separately.
Christopher.ahearn@rsa.com
Chris Ahearn
RSA | Principal Consultant | Incident Response