This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ESA in a packet only environment.

david_waugh
Beginner
Beginner

‎2019-03-22 08:30 AM

Hi we are moving to a Netwitness 11 Packet only environment with no logs.

Do we still need an ESA?

 

I remember an ESA can support 30K EPS, but how does the translate to collecting packet meta. For example, do I need 1 ESA per 10Gbps of packet collection?

 

What is a good packet decoder / ESA ratio?

0 Likes
1 REPLY 1

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2019-04-01 04:04 PM

David,

 

You can still use an ESA for a packet only environment. The lion share of ESA rules from RSA are for log environments so you may have to come up with your own rules to get maximum usage from the ESA. When it comes to events per second, since the system sees a single packet session like a single log event you may have to look at the sessions rate more than the MB/s rate. You should be able to find this in the Explore view for the Concentrator under concentrator -> stats -> session.rate. I would assume the ESA processing rate would be the same so you would have to see how many sessions per second you are getting on the concentrator to give you an idea how much it would be pushing to the ESA. Since the meta density on a log is much higher per session/event then it is on network traffic you may actually be able to process more MB/s than you would normally think.

 

As to the ratio I would check your rates and see what your environment averages and then go from there for your planning.

© 2022 RSA Security LLC or its affiliates. All rights reserved.