This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Custom Feed using IPv6

Go to solution
Anonymous
Not applicable

‎2013-04-03 12:05 PM

Has anyone had any experience creating a custom feed based around IPv6 addresses?

 

Specifically, I want to do something very similar to what is in the examples that show how to create department listings using IP ranges, I just want to set up a similar feed using our IPv6 ranges. A couple of the methods that I have used have failed, and I am not sure if it is in how I am structuring the XML file, or if it is a format issue in the CSV file in how I am listing the IPv6 ranges.

 

Any ideas?

 

Thanks

0 Likes
14 REPLIES 14

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2013-04-04 03:37 PM

Is it possible to create meta on ALL ipv6dept in the above example?  The above example produces .src and .dst meta but I just want to see ipv6dept meta for any sessions that have a source or destination in my CSV.  Does that make sense?

 

I have created a new Key and want to see meta generated along the lines:

 

ip6dept

Dept1 (#sessions), Dept2 (#sessions),

 

and on the Brokers and Concentrators update the index-XXX.xml to include:

 

<key description="IPv6 Department" name="ipv6dept" format="Text" level="IndexValues" />

 

Also, is there a document somewhere that details all the options for the LanguageKeys?  There is not much detail in the NWAdministrator guide on this topic.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2013-04-04 05:27 PM

Just remove the dstname and srcname attributes from the language key.

 

The feed documentation is great compared to Lua parsers. There are a couple of restriction though that are undocumented. One thing that cost me a couple of hours: Never have overlapping IP ranges in one feed. They are very common in practice, but not supported by Netwitness.

0 Likes

Go to solution
Anonymous
Not applicable

‎2013-04-15 07:51 AM

Not that anyone else is still trying to do this, but I just wanted to post a follow up. This is actually still not working. If I use the above and specify individual IPv6 addresses, it will show up in my feed. But increasing the low,high to any kind of range (even just 2 or 3 addresses) breaks it.

 

Working with support, but at this point I don't have any warm fuzzies that what I am trying to do is possible.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2013-04-15 08:37 AM

I can confirm that the feed does not work for ranges. I would be very much interested in the response of the support team.

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2013-04-17 09:35 AM

I just received the following response from support:

 

I learned from Dev currently range lookups are only supported with IPV4. Support for IPV6 is being added to IP Feeds in version 10.2 which is due out in a few weeks.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.