2019-03-22 08:30 AM
Hi, we are moving to a NetWitness 11 packet-only environment with no logs.
Do we still need an ESA?
I remember an ESA can support 30K EPS, but how does that translate to collecting packet meta? For example, do I need 1 ESA per 10Gbps of packet collection?
What is a good packet decoder / ESA ratio?
2019-04-01 04:04 PM
David,
You can still use an ESA for a packet-only environment. The lion's share of ESA rules from RSA are for log environments, so you may have to come up with your own rules to get maximum usage from the ESA. When it comes to events per second, since the system sees a single packet session like a single log event, you may have to look at the session rate more than the MB/s rate. You should be able to find this in the Explore view for the Concentrator under concentrator -> stats -> session.rate. I would assume the ESA processing rate would be the same, so you would have to see how many sessions per second you are getting on the concentrator to give you an idea of how much it would be pushing to the ESA. Since the meta density on a log is much higher per session/event than it is on network traffic, you may actually be able to process more MB/s than you would normally think.
As to the ratio, I would check your rates and see what your environment averages, and then go from there for your planning.