2012-10-01 04:58 PM
I downloaded the installer package and installed it. The version is stated to be 9.7.5.9.
The documentation on the Welcome page still points to the old community, which I believe has been replaced by this community?
There was a link to get a sample pcap file and that link takes me to the freeware URL: http://www.netwitness.com/products-services/investigator-freeware
and there is no pcap file there that I can see.
Am I missing something?
Jim
2013-01-11 11:57 PM
With Investigator you can capture your own network traffic. Of course, the stream you capture may not be terribly "interesting" depending on what you are looking for but it can still be informative if you don't have other data to analyze.
If nothing else, you might be surprised at all the hosts your web sessions are communicating with when you click on one of the major portals.
To capture traffic you must have WinPCAP installed. Then, on the View menu, selecting "Capture Bar" turns on the capture tool, visible at the bottom of the Investigator screen.
Then, select your network adapter to capture from and then click on the start capture tool. If you float your mouse pointer over the icons on the capture bar the function of each icon is displayed. Stop the capture by clicking on the same icon again. Capture statistics are displayed on the "Capture Bar."
The "Capture Bar" is displayed below.
2012-10-01 05:36 PM
Thanks for bringing this to our attention. We're looking into it.
You are correct about the community - the old community has been replaced by this one.
2012-10-01 05:51 PM
Thanks for the quick follow-up.
I was at the NetWitness User Conference and heard that the next Freeware version would not be released until 2013 but I wanted to see if/how the current version was still usable.
Out-of-date documentation and links from the product's welcome page create a bad impression.
2012-10-05 10:42 AM
Since RSA has no pcap sample to ingest, I wonder if the community can suggest places to download useful ones to experiment with. A bit of googling reveals that there are lots of sites out there that have pcap files to download but I am looking for suggestions for some that are not too large (so that the Investigator freeware tool can import them) and which have some interesting traffic to investigate.
Thanks.
2012-10-08 09:48 AM
2012-10-08 10:37 AM
I would also recommend creating your own pcap files using tcpdump. This will allow you to test rules on traffic you know exists. A basic tcpdump command that will capture all traffic on eth0 in a pcap file called oct0812.pcap is the following:
# tcpdump -w oct0812.pcap -i eth0
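Added example (not code from this thread or from RSA): a small Python script that writes a minimal libpcap-format file (Ethernet link type) containing one constructed DNS query, so you get a tiny capture with traffic you know exists to test rules against. The IP addresses, MACs, ports and timestamp are constructed test values.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # little-endian libpcap file, microsecond timestamps
LINKTYPE_ETHERNET = 1

def pcap_global_header(snaplen=65535):
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
def pcap_record(ts_sec, ts_usec, frame):
    # per-packet header: seconds, microseconds, captured length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
def ip_checksum(header):
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF
def udp_frame(src_ip, dst_ip, sport, dport, payload):
    # Ethernet II header with constructed locally-administered MACs, EtherType IPv4
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + udp

def dns_a_query(name, txid=0x1234):
    # standard recursive A query: header, QNAME labels, QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_pcap(frames, start_ts=1349654400):
    # one frame per second starting 2012-10-08 00:00:00 UTC (constructed timestamp)
    out = pcap_global_header()
    for i, fr in enumerate(frames):
        out += pcap_record(start_ts + i, 0, fr)
    return out
def parse_pcap(data):
    # minimal reader: returns the captured frames so the file can be checked before import
    assert struct.unpack("<I", data[:4])[0] == PCAP_MAGIC
    off, frames = 24, []
    while off < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames

if __name__ == "__main__":
    frames = [udp_frame("192.0.2.10", "192.0.2.53", 40000, 53, dns_a_query("example.com"))]
    with open("oct0812-synthetic.pcap", "wb") as f:
        f.write(build_pcap(frames))
```

The resulting file opens in Wireshark or tcpdump (`tcpdump -r oct0812-synthetic.pcap`) and is small enough to import into the freeware tool.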
2012-10-14 08:12 PM
It depends on what you are looking for in terms of malware etc. to study. I'd recommend crafting your own pcaps using Wireshark or tcpdump, or visiting sites such as honeynet.org for attack samples.