This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Filter on Packet Decoder

DenisShinkarenk
New Contributor
New Contributor

‎2019-12-26 04:15 AM

Hello all,

Could you help? We need to set filtering  on packet decoder. In Decoder Configuration on Adapter we set Berkeley Packet Filter. But we don't see the decrease of incoming traffic. Could you help - which filter script should we type for better effect? 

now it: not (port 25) or not (port 135) or not (port 42) or not (port 123)

Which port or protocol should we add in this script? 

BR.

0 Likes
5 REPLIES 5

Anonymous
Not applicable

‎2019-12-26 09:45 AM

I believe BPF filtering is available in 11.4 but not available prior to 11.4.

0 Likes

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor
In response to Anonymous

‎2019-12-30 02:39 PM

Support for BPF filtering for 10G capture using pfringz driver will be added in 11.4, I believe.  Any other capture not using pfringz driver is currently supported, afaik.

 

That said, what you might want to filter should be based on the type of traffic that is not interesting or useful for your incident response and security operations.  Filtering based solely on volume of traffic would be a fantastic way to blind yourself from suspicious and/or malicious activity.


Mr. Mongo
0 Likes

ShaneQuintard1
Beginner
Beginner

‎2019-12-31 11:12 AM

Hi Denis-

 

I might update your syntax a bit - make it a single not statement instead of the 'or not' that you have configured.

 

You currently have it as: not (port 25) or not (port 135) or not (port 42) or not (port 123)

 

I would rewrite this as a single not statement and include all ports: not ((port 25) or (port 135) or (port 42) or (port 123)). My thought is that you have created a not (not) statement, which in effect is doing the opposite of what you are after.

 

That all being said, I would echo Josh's recommendation - filter out that which is really not interesting or useful to avoid blind spots. Two of the protocols that you have listed (25 and 135) are much harder cases to make as far as filtering is concerned. 

0 Likes

Anonymous
Not applicable

‎2019-12-31 11:39 AM

Hi Denis,

 

If you are currently using your decoder 10G capture port with pfring driver, then BPF will not work.  You may want to try Network Rules as alternative filtering method.   Here is the link to that KB:   https://community.rsa.com/docs/DOC-47636 .  Hope this helps.

0 Likes

Anonymous
Not applicable

‎2020-01-07 10:48 AM

In regards to BPF implementation, it is available prior to 11.4 minus 10G configurations. In 11.4 the same BPF rules will be supported on the 10G (e.g. pfringz) interface.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.